← Back to Daily Briefing

The Hades campaign is a cross-registry supply chain attack targeting PyPI, npm, and RubyGems via the leaked Miasma toolkit. Attackers deploy malicious wheel artifacts and setup.pth files to exfiltrate CI/CD credentials and environment variables. The campaign utilizes an "AI Safety-Evasion Paradox," injecting terminology related to biological and nuclear weaponry into the codebase. This triggers safety guardrails in AI-based security scanners, forcing the models to terminate analysis to avoid policy violations, thereby creating a blind spot that allows the malicious payload to bypass detection. Impact includes 19 poisoned PyPI packages and approximately 304 affected software components across 73 GitHub repositories.

  • Campaign Overview & Scope

    • Cross-ecosystem targeting: Simultaneous attacks across PyPI, npm, and RubyGems registries.
    • Distribution scale: 19 PyPI packages were poisoned using 37 malicious wheel artifacts.
    • Infrastructure impact: Medium-confidence data indicates 304 affected software components and 73 Microsoft GitHub repositories.
  • Technical Execution & Deployment

    • Framework utilization: Weaponization of the leaked Miasma toolkit for payload orchestration.
    • Execution vectors: Use of *-setup.pth files to trigger automatic execution during package installation.
    • Delivery method: Deployment of malicious .whl (wheel) artifacts to bypass standard source-code reviews.
  • The AI Safety-Evasion Paradox

    • Adversarial injection: Intentional insertion of "forbidden" content regarding nuclear and biological weapons.
    • Guardrail triggering: AI scanners identify the forbidden text and trigger safety failsafes.
    • Evasion result: The AI ceases analysis to comply with safety policies, leaving the actual malicious payload undetected.
  • Objectives & Exfiltration Targets

    • Credential theft: Primary focus on exfiltrating secrets stored in environment variables.
    • Pipeline compromise: Targeting GitHub Actions workflows and CI/CD configuration files.
    • Asset acquisition: Theft of deployment tokens and sensitive infrastructure credentials.
  • Defensive Actions & Mitigation

    • Dependency management: Implementation of strict version pinning and checksum verification for all registry artifacts.
    • Secret hygiene: Restricting environment variable access within CI/CD pipelines to the minimum necessary scope.
    • AI Tooling updates: Transitioning to security scanners that can isolate adversarial "safety prompts" without aborting full payload analysis.

Related posts

  1. Unit 42 Threat Intelligence — The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)
  2. Threatlocker
  3. Panther
  4. Brside
  5. Strongestlayer
  6. Cofense
  7. Stepsecurity
  8. feeds.feedburner.com — Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer
  9. Thehackernews
  10. techjacksolutions.com — Open Source Package Registries / GitHub / CI/CD — Vulnerability Rollup (2026-06-11)
  11. tomshardware.com — New malware campaign tricks AI scanners with fake nuclear weapon prompts — malicious code triggers safety failsafes so scanners skip the payload
  12. Fugumt
  13. Getaibook
  14. Infoworld
  15. Cybersecuritydive
  16. Cltc
  17. Reuters
  18. Iafrica
  19. Trmlabs
  20. Fortinet
  21. Boozallen
  22. Techradar
  23. techjacksolutions.com — Mistral AI / AI Supply Chain (Shai-Hulud Campaign) — Vulnerability Rollup (2026-05-15)
  24. arXiv (Computer Science - Cryptography and Security) — Scalable Malware Family Classification Using Quantum Kernel Based Machine Learning
  25. Fidelity
  26. Markets
  27. Darktrace
  28. Infosecurity-magazine
  29. Briefglance
  30. arXiv (Computer Science - Cryptography and Security) — PYPILINE: Malicious PyPI Package Detection via Suspicious API Knowledge and Agent Workflow
  31. Papers
  32. feeds.feedburner.com — Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2
  33. bleepingcomputer.com — USB worm spreads crypto-stealing malware via Windows shortcut files
  34. Cybersecurityintelligence
  35. Pwc
  36. Uscsinstitute
  37. Jdsupra
  38. Pymnts
  39. Cybelangel
  40. Blog
  41. Security Affairs — Tor-Based Clipper Malware Targets Wallet Seed Phrases
  42. techjacksolutions.com — Shai-Hulud Wave 3: Forged Provenance, P2P Exfiltration, and IDE Backdoors Mark a New Threshold in npm Supply Chain Attacks
  43. Stepsecurity
  44. Flare
  45. Fortiguard
  46. techjacksolutions.com — Shai-Hulud Worm Chains GitHub Actions Weaknesses to Compromise 520M npm/PyPI Downloads with Valid SLSA Provenance
  47. Centripetal

LINK COPIED TO CLIPBOARD