Supply Chain Malware That Fights Back Against AI
Between June 5 and June 8, 2026, security researchers at StepSecurity identified a coordinated supply chain attack across 19+ PyPI packages. The campaign, dubbed "Hades," targeted packages in the scientific computing and machine learning ecosystem — including typosquats of ensmallen (a graph ML library) and bioinformatics tools. Researchers identified 37 malicious wheel files distributed across these packages.
What makes Hades different from every supply chain attack that preceded it: the malware is specifically designed to harvest AI developer configurations, and it deploys prompt injection techniques to confuse AI-powered security scanners analyzing the code. This is not malware that incidentally affects AI tooling. It is malware engineered to exploit the AI development stack and defend itself against AI-based detection.
The Claude/MCP Configuration Harvest
The Hades payload deploys a Bun-based credential stealer that scans infected machines for a specific set of files: Claude Desktop configuration, MCP (Model Context Protocol) server configs, API keys stored in environment files, and local AI tool settings. These configuration files contain API keys, server endpoints, tool definitions, and authentication tokens that give an attacker direct access to an organization's AI infrastructure.
MCP configurations are particularly valuable targets. A single MCP config file can contain connections to databases, internal APIs, code repositories, and cloud services — the entire surface area that an AI agent is authorized to access. Stealing an MCP config is not stealing a password. It is stealing a map of every system the AI agent can touch, along with the keys to each one.
Decoy Traffic to Anthropic Servers
The Hades malware generates decoy HTTPS traffic to legitimate Anthropic API endpoints. From a network monitoring perspective, this traffic looks indistinguishable from normal Claude API usage. Security operations teams reviewing network logs see expected traffic to expected destinations. The actual exfiltration channel is buried under a volume of legitimate-looking API calls.
This technique exploits a fundamental assumption in network security: traffic to known-good destinations is safe. When a development machine sends requests to api.anthropic.com, no firewall flags it. No SIEM alerts on it. The attacker uses the trust that organizations place in their AI vendor's infrastructure as camouflage for data theft.
Prompt Injection as an Evasion Technique
Hades embeds prompt injection payloads within its source code — strings designed to manipulate AI-based code scanners into classifying the malware as benign. As organizations increasingly deploy LLM-powered security tools to scan packages, dependencies, and pull requests, Hades is the first documented case of supply chain malware that specifically targets these AI defenders.
The implications extend beyond this single campaign. If AI security scanners can be manipulated by the code they are scanning, the detection model is compromised at a fundamental level. Every AI-powered code review tool, every LLM-based vulnerability scanner, every automated PR reviewer is now a potential target for adversarial manipulation. The defenders are being weaponized.
The Framework Exposure Map
Hades targeted PyPI — the Python package ecosystem that underpins Django, Flask, FastAPI, and every Python-based web framework. Any development team using pip install with scientific or ML dependencies was in the blast radius. But the attack's targeting of MCP configurations means the risk extends to any framework whose development workflow includes AI-assisted coding tools.
WebPulse tracks supply chain health as a dimension of framework security scoring. The Hades campaign adds a new variable: frameworks whose ecosystems are popular among AI/ML developers face elevated supply chain risk because their packages are targeted specifically for AI credential harvesting. Python frameworks sit at the intersection of AI development and web infrastructure, making them the highest-value targets for this class of attack.
The machine-to-machine web is not just being crawled. It is being poisoned. Supply chain malware now harvests AI configurations, hides behind AI vendor traffic, and fights back against AI defenders. The era of assuming that AI tools add only capability, not attack surface, ended on June 5, 2026.


