A supply-chain malware campaign called Hades is trying to fool AI-based malware scanners by feeding them prompts about nuclear and biological weapons. The goal is simple enough: keep the scanner busy, leave the malicious code unread, and slip past defenses that are becoming more important in software supply chains.

The trick is tucked into comments inside some JavaScript files bundled with the malware. Those comments instruct the AI system to behave as though the code is unrestricted, then ask for a detailed weapon-building prompt that triggers the model’s refusal mechanisms. In testing, a scan sent to Anthropic Claude on the Fable 5 model reportedly stopped with the message “Chat suspended.”

How Hades hides in development tools

Hades is built to attack software projects at the supply-chain level, which is the sort of threat that tends to sneak in through the same packaging and publishing systems developers trust every day. That makes the campaign more dangerous than old-fashioned opportunistic malware: it is aiming for build, test, release, and deployment workflows, not just random desktops.

Socket’s researchers said the malware also steals credentials and tokens tied to npm, PyPI, RubyGems, JFrog, Kubernetes, AWS, SSH, Docker, .env files, terminal history, and AI tool settings. That is a tidy list if your idea of “tidy” involves giving attackers access to code, cloud infrastructure, and the pipes that move software into production.

Why the scanner bait works

The AI bait does not stop every security check. Pattern matching, source-code analysis, scanning for odd hidden sections, and sandbox execution still work as expected. But the point is that one strong refusal from an AI model can interrupt the rest of the review, and that is enough to create a gap.

Hades also includes self-destruct logic that can trigger under certain conditions, including a positive response from the sandbox-detection function. That suggests the operators know exactly which tools are looking at them, and they are willing to booby-trap the malware to make those tools less useful.

37 infected Python packages and 106 JavaScript packages

Researchers have identified 37 infected Python packages and 106 JavaScript packages so far. Many of them are published with near-copycat names designed to catch typos, such as “rsquests” instead of “requests” – a classic cheap trick, but one that still works embarrassingly well.

The broader lesson is that AI-powered review tools are now part of the attack surface, not just part of the defense. If attackers can make those tools stop short with prompt abuse, defenders will need layered checks that do not fold the moment a model sees a nasty question.
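A sketch of the layered approach, added here as an illustration and not taken from Socket's research or any scanner named above: each stage runs independently, and a model refusal is recorded as a suspicious finding instead of ending the review. The stage names, the `ModelRefused` exception, the credential-path heuristic and the sample inputs are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

class ModelRefused(Exception):
    """Hypothetical signal: the AI stage refused or its session was ended."""

@dataclass
class Finding:
    stage: str
    verdict: str  # "clean", "suspicious" or "error"
    detail: str

# Constructed heuristic: references to credential stores the article lists.
CRED_PATHS = re.compile(r"\.npmrc|\.pypirc|\.env\b|\.ssh/|\.aws/credentials|\.docker/config\.json")

def pattern_stage(source):
    hits = sorted(set(CRED_PATHS.findall(source)))
    if hits:
        return Finding("pattern", "suspicious", "credential paths: " + ", ".join(hits))
    return Finding("pattern", "clean", "no credential paths referenced")

def ai_stage_stub(source):
    # Stand-in for a real model call. It simulates the failure mode described
    # above: text in the file makes the model refuse instead of reviewing.
    if "REFUSAL-BAIT-PLACEHOLDER" in source:
        raise ModelRefused("chat suspended")
    return Finding("ai_review", "clean", "model reported nothing")

def run_pipeline(source, stages):
    findings = []
    for stage in stages:
        try:
            findings.append(stage(source))
        except ModelRefused as exc:
            # A refusal is evidence about the input, not a skipped check.
            findings.append(Finding(stage.__name__, "suspicious", f"model refused: {exc}"))
        except Exception as exc:  # any other stage failure also fails closed
            findings.append(Finding(stage.__name__, "error", repr(exc)))
    blocked = any(f.verdict != "clean" for f in findings)
    return ("block" if blocked else "allow"), findings

# Constructed samples; the bait is a placeholder, not real prompt text.
BAITED = "/* REFUSAL-BAIT-PLACEHOLDER */\nconst t = fs.readFileSync(home + '/.npmrc');\n"
BENIGN = "module.exports = (a, b) => a + b;\n"

if __name__ == "__main__":
    for name, src in (("baited", BAITED), ("benign", BENIGN)):
        verdict, findings = run_pipeline(src, [ai_stage_stub, pattern_stage])
        print(name, verdict, [(f.stage, f.verdict) for f in findings])
```

The AI stage is deliberately placed first so the run shows the pattern stage still executing after the refusal.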

Expect more malware authors to borrow the same playbook, because it is low-effort and it exploits a very human problem: security systems are increasingly automated, but attackers still only need one weak link to get a package into the wild.
