Skip to content
Security & Trust

Hades: PyPI Supply Chain Attack Harvests MCP Configs, Fights AI Scanners

19+ poisoned PyPI packages deploy a Bun-based credential stealer targeting AI developer configurations. The malware sends decoy traffic to Anthropic servers and uses prompt injection to evade AI-based security tools.

· 6 min read
Share on X LinkedIn
Hades: PyPI Supply Chain Attack Harvests MCP Configs, Fights AI Scanners

Supply Chain Malware That Fights Back Against AI

Between June 5 and June 8, 2026, security researchers at StepSecurity identified a coordinated supply chain attack across 19+ PyPI packages. The campaign, dubbed "Hades," targeted packages in the scientific computing and machine learning ecosystem — including typosquats of ensmallen (a graph ML library) and bioinformatics tools. Researchers identified 37 malicious wheel files distributed across these packages.

What makes Hades different from every supply chain attack that preceded it: the malware is specifically designed to harvest AI developer configurations, and it deploys prompt injection techniques to confuse AI-powered security scanners analyzing the code. This is not malware that incidentally affects AI tooling. It is malware engineered to exploit the AI development stack and defend itself against AI-based detection.

19+
Poisoned PyPI packages
Targeting scientific computing and ML ecosystems. Source: StepSecurity, June 5-8, 2026.
37
Malicious wheel files
Distributed across ensmallen typosquats and bioinformatics tools. Source: StepSecurity, Dark Reading, June 2026.

The Claude/MCP Configuration Harvest

The Hades payload deploys a Bun-based credential stealer that scans infected machines for a specific set of files: Claude Desktop configuration, MCP (Model Context Protocol) server configs, API keys stored in environment files, and local AI tool settings. These configuration files contain API keys, server endpoints, tool definitions, and authentication tokens that give an attacker direct access to an organization's AI infrastructure.

MCP configurations are particularly valuable targets. A single MCP config file can contain connections to databases, internal APIs, code repositories, and cloud services — the entire surface area that an AI agent is authorized to access. Stealing an MCP config is not stealing a password. It is stealing a map of every system the AI agent can touch, along with the keys to each one.

Claude Desktop + MCP configs
Primary targets
Bun-based stealer harvests AI developer tool configurations. Source: StepSecurity advisory, June 2026.

Decoy Traffic to Anthropic Servers

The Hades malware generates decoy HTTPS traffic to legitimate Anthropic API endpoints. From a network monitoring perspective, this traffic looks indistinguishable from normal Claude API usage. Security operations teams reviewing network logs see expected traffic to expected destinations. The actual exfiltration channel is buried under a volume of legitimate-looking API calls.

This technique exploits a fundamental assumption in network security: traffic to known-good destinations is safe. When a development machine sends requests to api.anthropic.com, no firewall flags it. No SIEM alerts on it. The attacker uses the trust that organizations place in their AI vendor's infrastructure as camouflage for data theft.

Prompt Injection as an Evasion Technique

Hades embeds prompt injection payloads within its source code — strings designed to manipulate AI-based code scanners into classifying the malware as benign. As organizations increasingly deploy LLM-powered security tools to scan packages, dependencies, and pull requests, Hades is the first documented case of supply chain malware that specifically targets these AI defenders.

The implications extend beyond this single campaign. If AI security scanners can be manipulated by the code they are scanning, the detection model is compromised at a fundamental level. Every AI-powered code review tool, every LLM-based vulnerability scanner, every automated PR reviewer is now a potential target for adversarial manipulation. The defenders are being weaponized.

Prompt injection in source code
Evasion method
First documented use against AI-based security scanners. Source: Dark Reading, June 8, 2026.

The Framework Exposure Map

Hades targeted PyPI — the Python package ecosystem that underpins Django, Flask, FastAPI, and every Python-based web framework. Any development team using pip install with scientific or ML dependencies was in the blast radius. But the attack's targeting of MCP configurations means the risk extends to any framework whose development workflow includes AI-assisted coding tools.

WebPulse tracks supply chain health as a dimension of framework security scoring. The Hades campaign adds a new variable: frameworks whose ecosystems are popular among AI/ML developers face elevated supply chain risk because their packages are targeted specifically for AI credential harvesting. Python frameworks sit at the intersection of AI development and web infrastructure, making them the highest-value targets for this class of attack.

The machine-to-machine web is not just being crawled. It is being poisoned. Supply chain malware now harvests AI configurations, hides behind AI vendor traffic, and fights back against AI defenders. The era of assuming that AI tools add only capability, not attack surface, ended on June 5, 2026.

Share this insight