Hades Malware Campaign Exploits AI Security Tools with Prompt Injection Attacks
Key Takeaways
- ▸Hades Campaign merges advanced malware techniques (memory scraping, lateral movement, wiping capabilities) with self-replicating worm logic and AI system manipulation, creating what security experts describe as a 'nightmare' attack pattern
- ▸Attackers use prompt injection blocks at the beginning of Python files to instruct LLM-based scanners to ignore malicious code below and misclassify packages as verified and safe—exposing a fundamental vulnerability in AI analyzers lacking strict boundary isolation
- ▸Attack targets dozens of packages across the Python ecosystem (ensmallen, mflux-streamlit, nhmpy, ppkt2synergy, embiggen, gpsea, pyphetools), with potential for widespread supply chain compromise in data science and bioinformatics communities
Summary
Researchers at StepSecurity have uncovered the Hades Campaign, a sophisticated supply chain attack that combines traditional malware tactics with a novel exploitation of AI-based security systems. The attack infects Python packages with obfuscated code that executes multi-layered payloads via the Bun runtime, enabling credential theft, lateral movement, and memory scraping. The campaign's most innovative element is its use of adversarial prompt injection—embedding instructional text that manipulates LLM-based code analyzers into incorrectly classifying malicious packages as safe.
The malware has compromised multiple critical packages across the Python ecosystem, including the widely-used C++ library ensmallen and specialized tools in computational biology, bioinformatics, and genotype-phenotype analysis. Security researchers characterize the campaign as an evolution of the previous Miasma threat actor group, maintaining familiar tactics like credential harvesting, self-replicating worm logic, and GitHub-based data exfiltration, but adding AI-specific attack vectors that target the cognitive logic of machine learning systems.
The discovery represents a watershed moment for AI security: as organizations deploy more LLM-powered code analysis and threat detection tools, attackers have identified and weaponized these systems' susceptibility to social engineering. Experts warn that the combination of fast-moving worm propagation, multi-layered payloads, and AI system manipulation may become a template for future supply chain attacks, exposing a critical blind spot in our emerging reliance on AI-assisted security infrastructure.
- Security experts warn that LLM-powered security tools have 'no reliable defense' against prompt injection because large language models are 'incredibly susceptible to social engineering'
Editorial Opinion
The Hades Campaign represents a critical turning point for how we think about AI security. We are deploying large language models as gatekeepers in our software supply chains without fully understanding that they can be manipulated through prompt injection—essentially phishing attacks against bots. This research should prompt an urgent rethinking of how we architect AI-powered security tools, ensuring strict input/output boundary isolation and skepticism about LLM-based verdicts in high-stakes security decisions.
