Hades Malware

Cybercriminals continue to intensify attacks against software supply chains, with a newly discovered malware operation known as Hades emerging as one of the most sophisticated threats observed to date.

Researchers uncovered the Hades Campaign, a highly advanced supply-chain compromise targeting Python development environments. The malware activates immediately when a compromised package is imported, leveraging the popular Bun toolkit to silently execute multi-stage payloads. These payloads are capable of stealing sensitive information, moving laterally across systems, exploiting trusted security frameworks, and manipulating AI-powered code analysis tools through adversarial prompt injection techniques.

Among the affected projects are the widely used C++ library ensmallen and several packages within computational biology, bioinformatics, and genotype-phenotype analysis ecosystems.

Why Hades Stands Apart

The campaign's most alarming characteristic is the combination of multiple advanced attack techniques within a rapidly propagating worm. Security researchers have previously encountered malware focused on memory scraping, attacks designed to mislead large language model (LLM) security analysis, and destructive wiper malware. However, integrating all three capabilities into a self-spreading supply-chain threat represents a significant escalation in sophistication.

Researchers attribute the campaign to what appears to be the latest evolution of the Miasma threat actor. Earlier Miasma operations deployed self-replicating worms that conducted multi-cloud credential harvesting, triggered malicious code execution when repositories were accessed through integrated development environments (IDEs) or AI agents, and scanned Linux process memory for valuable data.

The Hades operation retains many of these core characteristics, including credential theft, worm-like propagation, and GitHub-based data exfiltration. Additional compromised packages identified during the investigation include mflux-streamlit, nhmpy, ppkt2synergy, embiggen, gpsea, and pyphetools.

From Package Import to Full System Compromise

The attack begins with an obfuscated script embedded within a package's init.py file, a critical component that enables Python package imports. Once executed, the malware deploys a precompiled Bun runtime and launches a malicious JavaScript payload.

By relying on Bun, attackers can execute complex JavaScript operations even on systems without Node.js installed. This approach helps bypass traditional package management controls and reduces visibility in proxy logs.

The malware is equipped with memory-scraping capabilities for Linux systems and includes specialized memory extraction modules for macOS and Windows. These components allow attackers to recover highly sensitive information, including encrypted data residing in memory.

Outsmarting AI Security Tools

One of the campaign's most innovative features is its ability to manipulate automated LLM-based security scanners. Attackers place a carefully crafted block of text at the beginning of malicious files that instructs AI analysis systems to ignore hidden code, classify the package as trustworthy, and generate reports declaring it safe.

Researchers describe this as a major conceptual shift in cyber threats. Rather than targeting software vulnerabilities alone, the attackers directly target the reasoning processes of AI systems. Security scanners that submit raw code and text to LLMs without strict separation mechanisms can be influenced into producing false-negative assessments, allowing malicious packages to evade detection.

This technique highlights a growing risk facing organizations that increasingly depend on AI-powered security tools. As LLMs remain highly susceptible to social-engineering-style manipulation, attackers are expected to continue targeting both AI-driven security agents and human users through increasingly sophisticated prompt-based deception.

GitHub Infrastructure Turned Into a Stealthy Command Center

The Hades command-and-control architecture relies on three separate communication channels hosted on public GitHub infrastructure, enabling malicious traffic to blend seamlessly with legitimate developer activity.

Stolen credentials are encrypted locally through a multi-stage process involving serialization and compression before being uploaded to attacker-controlled public GitHub repositories. These repositories are commonly labeled with the description: 'Hades — The End for the Damned.'

The malware's exfiltration strategy mirrors techniques previously associated with Miasma, making GitHub appear as a normal destination while concealing malicious activity.

Exploiting Trust to Spread Across Networks

A defining feature of the campaign is its ability to propagate through environments by abusing technologies typically used to enhance security and software integrity, including:

• Secure Shell (SSH) and Secure Copy Protocol (SCP)
• OpenID Connect (OIDC)
• Supply-chain Levels for Software Artifacts (SLSA)

When executed inside a GitHub Actions runner, the malware searches for available OIDC variables, bypasses registry-signature enforcement mechanisms, and generates cryptographically signed SLSA provenance records using Sigstore. It then downloads target libraries, injects malicious payloads, and republishes compromised versions to both the Python Package Index (PyPI) and npm using stolen credentials and forged provenance data.

As a result, malicious packages appear to originate from legitimate organizational build environments and possess seemingly valid cryptographic verification.

Secret Theft, AI Agent Manipulation, and Destructive Persistence

Beyond package poisoning and credential theft, Hades introduces several additional capabilities designed to maximize long-term impact:

• Extraction of secrets directly from GitHub Actions runner memory without writing data to disk or generating suspicious network traffic.
• Targeting of configuration files and rule sets associated with 14 different AI agents and platforms.
• Deployment of custom prompts and execution hooks that automatically launch malicious Bun commands when AI assistants interact with infected workspaces.
• Establishment of persistent access on compromised systems.
• Continuous monitoring of stolen authentication tokens.
• Automatic activation of a destructive wiper component if a stolen token is revoked, resulting in the deletion of user files.

A Glimpse Into the Future of Cyber Threats

The Hades Campaign demonstrates how modern malware is evolving beyond traditional exploitation techniques. By combining supply-chain compromise, memory scraping, AI manipulation, credential theft, cryptographic trust abuse, lateral movement, and destructive capabilities within a self-propagating worm, the operation illustrates a new generation of cyber threats.

Perhaps the most concerning development is the direct targeting of AI-driven security systems. As organizations increasingly integrate LLM-powered tools into development and security workflows, attackers are beginning to treat those systems as attack surfaces in their own right. Hades serves as a powerful reminder that the future of cybersecurity will involve defending not only software and infrastructure but also the decision-making mechanisms of artificial intelligence.