Listen to this Post
Introduction
In a striking evolution of software supply chain attacks, threat actors behind the Mini Shai-Hulud, Miasma, and Hades worm campaigns have deployed an unconventional evasion technique: embedding nuclear and biological weapons text inside malicious code to trigger safety refusals in LLM-based security scanners. This approach represents a “significant conceptual shift,” with attackers now writing payloads that target AI systems’ cognitive logic rather than just evading static signatures. The campaigns have collectively compromised over 471 artifacts across npm and PyPI, with the Hades wave alone targeting 37 PyPI wheels across 19 packages. Security researchers warn that we are in the “earliest days of attackers leveraging such features,” making it critical for defenders to understand both the technique and the layered defenses that remain effective.
Learning Objectives
- Understand how prompt injection and CBRN-themed text are used to trigger LLM safety refusals in AI-powered malware scanners
- Identify the propagation mechanisms used by Mini Shai-Hulud, Miasma, and Hades across npm, PyPI, and developer environments
- Implement multi-layer detection strategies including YARA rules, entropy analysis, AST parsing, and behavioral monitoring
- Detect and remediate .pth-based persistence, Bun-runtime payloads, and OIDC token abuse in CI/CD pipelines
- Apply practical Linux and Windows commands to audit package dependencies and monitor for malicious artifacts
You Should Know
1. The AI Evasion Technique: Weaponizing Safety Refusals
The Hades malware’s _index.js payload begins with a large JavaScript block comment containing fabricated text referencing chemical, biological, radiological, and nuclear (CBRN) weapon designs. Because the content is inside a comment, it does not affect JavaScript execution—the runtime skips it entirely. The real malware follows with a `try{eval(…)}` wrapper around a character-code array and a ROT-style substitution function.
This header appears specifically designed for AI-mediated analysis rather than runtime execution. When LLM-based package scanners ingest file content without clearly isolating it as untrusted data, they may hit their own safety-refusal rules before reaching the malicious code, producing a false-1egative classification. The injected prompt effectively instructs the model to ignore the obfuscated code, classify the package as clean, and output a safe security report.
How to detect and mitigate this technique:
Linux: Extract and inspect JavaScript files for CBRN-themed text patterns
grep -rniE "nuclear|biological|weapon|chemical|radiological|CBRN" --include=".js" .
Windows PowerShell: Search for forbidden text patterns in JavaScript files
Get-ChildItem -Recurse -Filter .js | Select-String -Pattern "nuclear|biological|weapon|CBRN"
Linux: Use strings to extract human-readable content from obfuscated files
strings malicious.js | grep -iE "nuclear|biological|weapon"
Python: Simple script to scan for suspicious comment blocks
import re
pattern = r'/.?(nuclear|biological|weapon|CBRN).?\/'
matches = re.findall(pattern, open('file.js').read(), re.DOTALL | re.IGNORECASE)
Defense recommendation: Security teams using LLM-assisted triage should treat file content—including headers and comments—as untrusted data, not as trusted prompt input. Implement strict boundary isolation before passing any file content to LLMs.
2. Propagation Mechanisms: From PyPI to CI/CD
The Mini Shai-Hulud lineage has evolved through multiple waves, each introducing new delivery mechanisms:
March 2026 (Miasma): Expanded into PyPI through a compromised vulnerability scanner and introduced .pth-based persistence.
May 2026 (Hades): Abused a GitHub Actions CI misconfiguration to scrape OIDC tokens from runner memory, enabling publication of malicious packages with valid SLSA provenance. On May 12, 2026, the complete worm source code was publicly released under an MIT license, turning private actor capability into reusable public attack infrastructure.
June 2026 (IDE Wave): Extended attack surface into IDE configuration files, contributing to the disabling of 73 Microsoft repositories.
The newer bioinformatics subcluster uses trojanized native `.abi3.so` extensions that execute the JavaScript payload at import time. The `langchain-core-mcp` variant uses a `.pth` startup hook but changes payload discovery logic by searching across sys.path, creating a loader and payload split that evades detection rules expecting `_index.js` to be inside the same wheel.
Detection commands:
Linux: Find suspicious .pth files in Python site-packages
find /usr/lib/python/site-packages/ -1ame ".pth" -exec grep -l "import|exec|eval" {} \;
Linux: Check for unexpected .pth files with unusual names
find /usr/local/lib/python/dist-packages/ -1ame ".pth" | grep -vE "easy-install|setuptools|pip"
Windows PowerShell: Find .pth files in Python directories
Get-ChildItem -Path C:\Python\Lib\site-packages\ -Filter .pth | Select-String -Pattern "import|exec"
Linux: Monitor Python site-packages for unexpected .pth file creation (auditd)
auditctl -w /usr/lib/python/site-packages/ -p wa -k python_pth_changes
Defense recommendation: Monitor Python site-packages for unexpected `.pth` files, particularly ones with unusual names (leading hyphens, non-package names). They execute at every interpreter startup and survive package reinstalls.
3. The Bun Runtime Payload: Cross-Environment Credential Theft
Once executed, the malware deploys a precompiled Bun JavaScript runtime and executes its JavaScript payload. Bun allows the malware to run complex JavaScript tasks in environments lacking a Node.js installation, bypassing traditional package manager controls and proxy logs.
The payload targets a wide range of high-value secrets:
- GitHub, npm, PyPI, RubyGems, and JFrog credentials
- AWS, GCP, Azure, and Kubernetes service account material
- SSH keys, Docker configuration, and shell histories
- .env files and package registry credentials
- AI developer tool configurations (Claude/MCP, Cursor, VS Code)
The malware also scrapes Linux memory mappings and introduces tailored macOS and Windows memory scrapers to extract sensitive, encrypted data.
Detection and investigation commands:
Linux: Check for Bun runtime presence (unexpected installation) which bun || find / -1ame "bun" -type f 2>/dev/null Linux: Monitor for unexpected Bun execution ps aux | grep -E "bun|node" | grep -v grep Linux: Check for unusual JavaScript files in package directories find / -1ame "_index.js" -o -1ame ".js" -path "/site-packages/" 2>/dev/null Windows PowerShell: Check for Bun installation Get-Process -1ame "bun" -ErrorAction SilentlyContinue Get-ChildItem -Path C:\ -Filter "bun.exe" -Recurse -ErrorAction SilentlyContinue Linux: Examine JavaScript payload for obfuscation patterns file _index.js head -1 50 _index.js | cat -v Show non-printable characters
4. OIDC Token Abuse and SLSA Provenance Exploitation
A particularly sophisticated aspect of the campaign involves the abuse of GitHub’s OIDC-based trusted publishing. Attackers steal OIDC tokens from runner memory, then exchange those tokens for npm publish rights. This allows them to publish malicious packages with valid SLSA provenance signatures, making the malicious artifacts appear as legitimate trusted updates.
The attack pattern is especially dangerous because no npm token is stolen and no maintainer is changed—packages are published by the organization’s own automated release pipeline using its legitimate trusted identity. This means two-factor authentication and routine token rotation alone do not contain this threat.
Audit commands:
GitHub Actions: Audit pull_request_target usage
gh api repos/{owner}/{repo}/actions/workflows --jq '.workflows[] | select(.name | contains("pull_request"))'
Check for workflows with id-token: write permission
grep -r "id-token: write" .github/workflows/
Linux: Check for unexpected workflow files
find .github/workflows/ -type f -1ame ".yml" -o -1ame ".yaml" | xargs grep -l "OIDC|id-token"
Monitor GitHub Actions runner for token scraping attempts
Linux: Check process memory for token patterns (forensic)
strings /proc//mem 2>/dev/null | grep -E "gh[bash]<em>[a-zA-Z0-9]{36}|github_pat</em>[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}"
Defense recommendation: Audit `pull_request_target` usage in GitHub Actions workflows; restrict privileged operations and secret access to non-fork contexts. Apply least-privilege principles using scoped, short-lived keys and tokens.
5. Multi-Layer Detection: What Still Works
Despite the AI evasion technique, traditional detection methods remain effective:
- YARA rules for pattern matching on suspicious strings and high-entropy content
- Entropy checks to identify obfuscated or packed code
- AST parsing to analyze code structure without executing it
- String extraction using `strings` and `grep` to reveal hidden content
- Deobfuscation routines to unpack encoded payloads
- Behavioral sandboxing to observe runtime activity in isolation
Sample YARA rule for Hades detection:
rule Hades_CBRN_PromptInjection {
meta:
description = "Detects Hades malware CBRN prompt injection in JavaScript"
author = "Security Team"
date = "2026-06-25"
reference = "https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms"
strings:
$cbrn1 = "nuclear" nocase wide
$cbrn2 = "biological" nocase wide
$cbrn3 = "weapon" nocase wide
$cbrn4 = "chemical" nocase wide
$cbrn5 = "radiological" nocase wide
$eval = "eval("
$obf = "try{eval("
$comment_start = "/"
$comment_end = "/"
condition:
uint16(0) == 0x2f2a and // Starts with /
(2 of ($cbrn)) and
($eval or $obf)
}
rule Hades_Bun_Stealer {
meta:
description = "Detects Hades Bun-based credential stealer patterns"
author = "Security Team"
strings:
$bun = "Bun" nocase
$steal = "credentials" nocase
$github = "github" nocase
$token = "token" nocase
$fetch = "fetch("
$exfil = "exfil" nocase
condition:
($bun and $steal) or
($github and $token and $fetch) or
($exfil and $fetch)
}
Entropy analysis commands:
Linux: Calculate entropy of a file to detect obfuscation
python3 -c "import sys,math; data=open(sys.argv[bash],'rb').read(); e=sum(-freq/len(data)math.log2(freq/len(data)) for freq in [data.count(b) for b in set(data)]); print(f'Entropy: {e:.2f}')" suspicious.js
Linux: Use ent (entropy calculator)
ent suspicious.js
Windows PowerShell: Basic entropy calculation
$bytes = [System.IO.File]::ReadAllBytes("suspicious.js")
$freq = $bytes | Group-Object | ForEach-Object { $<em>.Count }
$entropy = ($freq | ForEach-Object { ($</em>/$bytes.Count) [bash]::Log2($_/$bytes.Count) } | Measure-Object -Sum).Sum -1
Write-Host "Entropy: $entropy"
6. Package Integrity Verification and Dependency Auditing
Given the supply chain nature of these attacks, rigorous package verification is essential.
npm verification:
Use npm ci instead of npm install for CI/CD (uses lockfile) npm ci Verify package integrity using lockfile npm audit Check for unexpected dependencies npm ls --depth=5 Use package-lock.json to verify expected hashes cat package-lock.json | grep -A 5 "integrity" Monitor for malicious npm packages npm audit --json | jq '.advisories[] | select(.severity == "critical" or .severity == "high")'
PyPI verification:
Verify PyPI package using pip and hash verification pip download --1o-deps package_name --dest /tmp/ sha256sum /tmp/package_name.whl Check against known hash Compare with expected hash from official sources List all installed packages with versions pip list --format=json Check for suspicious packages (typosquatting detection) pip list --outdated Audit Python packages for known vulnerabilities pip-audit
Dependency scanning:
Use OWASP Dependency-Check dependency-check --scan . --format HTML Use Snyk for vulnerability scanning snyk test Use Trivy for container and filesystem scanning trivy fs --severity HIGH,CRITICAL .
Defense recommendations from Zscaler ThreatLabz:
- Apply lockfiles strictly (
package-lock.json,pnpm-lock.yaml) and use `npm ci` instead of `npm install`
– Use private registry proxies and Software Composition Analysis (SCA) tools to filter and monitor third-party packages - Restrict open-source package consumption on corporate devices and CI systems to enterprise-open source package managers
- Reduce dependency surface by auditing and removing unused packages
- Enable phishing-resistant multifactor authentication (FIDO2, WebAuthn) on npm, PyPI, GitHub, and cloud platforms
- Revoke and rotate npm tokens, GitHub PATs, cloud keys, and CI/CD secrets on any suspected exposure
- Pin all CI/CD tool versions—scanners, formatters, runtimes—not just application dependencies
- Monitor repositories with publish permissions for orphan commits and unexpected workflow files
7. Incident Response and Remediation
If you suspect compromise by Mini Shai-Hulud, Miasma, or Hades:
Immediate response:
1. Isolate affected systems
2. Revoke all exposed credentials
Linux: Check for unauthorized .pth files
find / -1ame ".pth" -path "/site-packages/" -exec ls -la {} \; 2>/dev/null
Linux: Check for unauthorized cron jobs
crontab -l
cat /etc/crontab
ls -la /etc/cron.
Linux: Check for unauthorized startup scripts
ls -la /etc/init.d/
systemctl list-unit-files --state=enabled
Windows: Check for scheduled tasks
schtasks /query /fo LIST /v
Windows: Check for startup entries
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Linux: Check for unauthorized SSH keys
cat ~/.ssh/authorized_keys
Linux: Check shell history for suspicious commands
cat ~/.bash_history | grep -E "curl|wget|chmod|eval|base64|python|bun|node"
Credential rotation:
GitHub: Revoke and rotate tokens gh auth token Get current token Revoke via GitHub UI or API npm: Revoke tokens npm token list npm token revoke <token-id> PyPI: Revoke API tokens Via PyPI UI: Account settings → API tokens AWS: Rotate access keys aws iam create-access-key --user-1ame <username> aws iam delete-access-key --access-key-id <old-key-id> --user-1ame <username>
What Undercode Say
- Key Takeaway 1: The Hades/Miasma campaigns demonstrate that LLM-based security scanners are vulnerable to adversarial prompt injection when they treat file content as trusted input. Organizations relying solely on AI-powered analysis must implement strict boundary isolation and maintain traditional detection layers.
-
Key Takeaway 2: The open-sourcing of the worm source code under an MIT license in May 2026 has democratized this attack capability, lowering the barrier for entry and enabling a broader range of threat actors to conduct similar operations. This represents a permanent shift in the threat landscape for software supply chains.
-
Analysis: The evolution from targeting npm to PyPI, the abuse of OIDC-based trusted publishing, and the introduction of AI evasion techniques show a threat actor that is iterating rapidly across delivery mechanisms, package themes, and runtime triggers. The campaigns have tracked 471 affected artifacts across npm and PyPI, and the pace of new discoveries suggests this is far from over. The AI evasion technique is particularly concerning because it exploits a fundamental tension in LLM design: safety mechanisms intended to prevent harm can be weaponized to create blind spots. As Bruce Schneier noted, “we’ve gone from hiding bombs in random objects to hiding random objects in bombs”. Security teams must treat AI-assisted analysis as a complement to—not a replacement for—traditional static and behavioral detection. The cat-and-mouse game has entered a new phase, and defenders must adapt accordingly.
Prediction
-
-1 LLM-based security scanners will face increasing adversarial pressure as attackers refine prompt injection techniques. Safety refusals designed to prevent harm will continue to be weaponized, creating second-order vulnerabilities that require fundamental rethinking of how AI systems handle untrusted input.
-
-1 The open-sourcing of the Mini Shai-Hulud worm will lead to a proliferation of copycat attacks across additional package registries (RubyGems, Composer, etc.) and into enterprise environments. Organizations that have not implemented private registry proxies and strict dependency auditing remain at elevated risk.
-
+1 The visibility generated by public disclosures from Socket, StepSecurity, and Zscaler will accelerate the development of detection rules, YARA signatures, and automated remediation tools. Community-driven threat intelligence sharing will become increasingly critical.
-
-1 The abuse of OIDC tokens and SLSA provenance will force a reevaluation of trusted publishing mechanisms. The assumption that valid signatures equate to safe code will be challenged, potentially slowing adoption of supply chain integrity frameworks.
-
+1 Traditional static and behavioral detection methods—YARA, entropy analysis, AST parsing, and sandboxing—remain resilient against these AI evasion techniques. Organizations that maintain layered defenses will continue to detect and block these threats regardless of prompt injection attempts.
-
-1 The targeting of bioinformatics and MCP developers suggests threat actors are strategically selecting high-value, high-trust ecosystems where the impact of credential theft is maximized. This targeting pattern will likely expand to other specialized developer communities.
▶️ Related Video (78% Match):
https://www.youtube.com/watch?v=8YUVFBnOQlo
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Ilyakabanov Attn – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
