Hades Hides Malware Behind Prompt Injection Smoke

Key Takeaways

• Hades added prompt-injection text intended to mislead LLM-based package scanners.
• Researchers reported poisoned PyPI and JavaScript packages with credential theft and persistence features.
• The campaign targeted developer environments, including AI tool configuration paths.
• The incident shows that prompt injection is now appearing in real malware tradecraft.

Summary

The Hades campaign shows prompt injection moving from research demonstration into malware operations. By embedding instructions intended for LLM-based scanners, attackers attempted to cause AI analysis tools to classify malicious packages as safe or stop before reaching the payload.

What We Know

In mid-June 2026, researchers and media outlets reported a Hades malware wave tied to poisoned developer packages. Zscaler ThreatLabz described a June 8 PyPI wave that introduced prompt injection to mislead LLM-based security scanners. The Hacker News reported 19 poisoned PyPI packages that auto-ran a Bun-based credential stealer and included AI defense evasion content. Tom’s Hardware noted that the malware tried to trigger safety mechanisms in AI scanners. This qualifies for the PointGuard AI Security Incident Tracker because the AI angle is not incidental. Prompt injection was part of the evasion technique used against AI-enabled security analysis workflows.

What Happened

Hades used a software supply chain path: malicious packages were published or compromised in developer ecosystems, then executed in environments where developers or automation imported them. The campaign included credential theft, persistence behavior, sandbox evasion, and targeting of development configuration. The AI-specific component was the insertion of natural-language instructions aimed at LLM-based scanners or analyst assistants. Instead of only hiding code from static signatures, the attacker attempted to manipulate how an AI system interpreted the package. In some cases, the injected text was designed to make the model classify the package as safe or avoid continuing analysis by triggering safety guardrails. This is a procedural failure for organizations that use general-purpose AI models as package reviewers without strong tool isolation, deterministic analysis, and prompt-injection-resistant workflows. It also shows that attackers understand security teams are increasingly adding LLMs into triage pipelines.

Why It Matters

The campaign matters because developer systems are high-leverage targets. A poisoned package can reach source code, tokens, cloud credentials, CI/CD settings, and AI assistant configuration. If AI scanners can be tricked into skipping analysis or producing false confidence, organizations may approve malicious dependencies faster. The reputational impact is also significant for AI-enabled security vendors and internal teams that advertise automated package triage. Hades does not prove that all AI malware analysis is unsafe, but it does show that LLM-based analysis must be treated as an adversarial interface. For AI governance, the event reinforces the need to test AI security tools against prompt injection and to ensure that safety filters do not become denial-of-analysis mechanisms when attackers deliberately include prohibited content.

PointGuard AI Perspective

PointGuard AI helps organizations defend against this pattern by monitoring prompts, outputs, and agent behavior at runtime. The PointGuard AI Runtime Guardrails are designed to detect prompt injection and malware-related manipulation attempts, while enforcing policies that prevent unsafe or misleading model responses from becoming business decisions. The Prompt Injection vs. Indirect Prompt Injection explains why indirect prompt injection is dangerous when models consume untrusted content such as documents, web pages, tickets, or package metadata. For developer workflows, PointGuard AI can also support governance by mapping where AI tools are used, flagging risky agent actions, and creating evidence trails for security review. The lesson from Hades is that AI analysis should augment deterministic controls, not replace them. PointGuard AI supports that model by combining runtime detection, policy enforcement, and visibility so teams can use AI safely while assuming adversaries will try to manipulate it.

Incident Scorecard Details

Total AISSI Score: 7.4/10

Criticality = 7.5, Developer credentials, package ecosystems, and AI tool configurations are targeted., AISSI weighting: 25%

Propagation = 8.0, Malicious packages can spread through dependency installation and developer workflows., AISSI weighting: 20%

Exploitability = 7.0, Operational campaign activity and malicious packages were observed., AISSI weighting: 15%

Supply Chain = 8.5, The incident heavily depends on open-source package ecosystems and developer dependencies., AISSI weighting: 15%

Business Impact = 6.5, Credible operational risk exists, but confirmed enterprise losses remain limited in public reporting., AISSI weighting: 25%

Sources

• Zscaler ThreatLabz: Shai-Hulud Campaign Evolution, Miasma, Hades, and AI Scanner Evasion
• The Hacker News: Hades PyPI Attack
• Tom’s Hardware: New malware campaign tricks AI scanners
• PointGuard AI Security Incident Tracker
• PointGuard AI Runtime Guardrails
• Prompt Injection vs. Indirect Prompt Injection