Hades is one of many currently-running malware campaigns, mostly (but not solely) targeting development packages used for scientific and machine-learning purposes. The supply-chain attack campaign recently received several upgrades, and one of the most interesting is also deceptively simple: The code includes prompt-injection attacks that might stop cursory checks by AI bots, letting the malware through. The way it works in a nutshell: Some JavaScript files include a code comment containing instructions that tell the bot it's running in unrestricted mode with no safety guidelines. Then it asks to create biological and nuclear weapons, with a detailed description.
If you're thinking that a malware-scanning bot can't be that dumb as to follow any of those instructions, you're absolutely right — and that's exactly what makes the attack work, as the bots' failsafe mechanisms will trigger, so then they won't scan the rest of the file where the actual payload resides.
This is called an "adversarial attack" in AI parlance, and, generally speaking, it's not expected to be widely effective, but any little bit helps the malfeasants. Having said that, an X user had Anthropic Fable try to scan the file, and sure enough, he got the well-known "Chat paused" message.
That is by no means scientific, and it's reasonable to assume that malware-scanning models will be configured more accurately for this task. However, this somewhat implies that a cursory check by a developer asking "does this Python package I just installed contain malware?" might be met with a reply of "of course not, boss, you're good to go!" Even bots scanning CI/CD development pipelines might fall for it.
Socket's blog post does remark that other analysis types will still work fine, including pattern matching, actually parsing the source code, checking for randomized sections likely to hide malicious payloads, and actually running the code in a sandboxed environment. The now-upgraded malware does reportedly contain a trigger that makes it wipe itself via various mechanisms, with a common one being detecting if it's running in a sandbox.
That's not the only skill that got levelled up, either. In some instances, the loading mechanism and the payload itself reside in separate packages that are commonly installed together; this sort of split is mostly unexpected for common scanners. This time around, the malware developers also leaned harder into precompiled binaries, commonly found in performance-sensitive Python packages. They also made sure that more payloads only trigger when the packages are actually initialized/run in the target's code (via Python's "import" statement), rather than when they're installed, further evading cursory detection.
The campaign likewise has stickier fingers overall: Rather than just mainly stealing CI/CD credentials, it now gets its grubby mitts on npm, PyPI, RubyGems, JFrog, and Kubernetes service account tokens, AWS temporary credentials, SSH keys, Docker configurations, shell histories, .env files, and AI developer tool configurations. As of this writing, an estimated 37 Python and 106 JavaScript packages are part of the expanded bombardment, including multiple typo-squatting instances, like "rsquests" instead of "requests."
You'd think that the target audience, comprised of scientific and AI engineers, would be mindful of common security practices like verifying the names and authorship of packages... and you'd be disappointed. From my own experience being a systems administrator for extremely well-paid AI engineers, a concerning number of them don't even know how to configure Git, or the basics of how email works. Let that sink in for a second.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.