
AI Prompt Injection Masks Malware in 19 PyPI Science Packages

The Hades supply chain campaign compromised 19 bioinformatics and Graph ML libraries on PyPI with memory scrapers and AI scanner misdirection.

Security researchers identified a new wave of the Shai-Hulud supply-chain attack on June 8, 2026, compromising 19 science-focused Python packages on the Python Package Index (PyPI). The campaign, tracked as the Hades campaign by StepSecurity, targets specialized libraries used in genomic sequencing and Graph Machine Learning. These 19 core packages and 37 PyPI wheels execute malicious code immediately upon import. If you run bioinformatics or data science pipelines, this attack reaches your research environments directly, without requiring explicit installation scripts.

Evasion and Memory Extraction

The Hades malware introduces payloads designed to blind automated security tooling. The code contains prompt injection payloads targeting AI-based security scanners. When an automated AI analyst reviews the compromised repository, the embedded instructions command the model to classify the code as a benign test script. This technique bypasses standard gatekeeping mechanisms relying on LLMs for code review.

Once loaded, the malware deploys a memory-resident scraper focused on CI/CD runner environments. It targets /proc/<pid>/mem on Linux systems to extract transient credentials. The scraper specifically hunts for GitHub OIDC tokens, Kubernetes service account tokens, and AWS temporary credentials.

Attack Timeline and Scope

The shift to PyPI represents an escalation from previous Shai-Hulud waves targeting the npm ecosystem. Security firm JFrog noted the attackers operate a worm-like infrastructure, using stolen developer credentials to rapidly publish updates across other maintained packages.

| Date | Target Ecosystem | Compromised Scope | Key Targets |
| --- | --- | --- | --- |
| May 11-12, 2026 | npm | 172 packages | TanStack, Mistral AI, OpenSearch |
| June 1, 2026 | npm | 30+ packages | Red Hat Cloud Services |
| June 8, 2026 | PyPI | 19 core packages | Bioinformatics, Graph ML |

The May incidents demonstrated how OIDC credential theft allows attackers to sign and publish verified updates. The early June attacks similarly leveraged stolen tokens to publish malicious Red Hat updates. The Hades campaign applies this exact lateral movement strategy to the Python data science ecosystem.

Sandbox Detection and Wiping

The malware actively resists security analysis. If the code detects it is running within an isolated sandbox environment, or if outbound exfiltration requests fail, it activates a deterrent component. This wiper module attempts to delete the local filesystem and revoke existing developer tokens. This scorched-earth approach disrupts victim workflows and complicates post-incident forensics for security researchers.

Audit your build environments for unusual memory access patterns targeting /proc/<pid>/mem. Pin all dependencies using hash-based verification in requirements.txt or Pipfile.lock to prevent automated updates to compromised versions. Any developer interacting with Graph ML or bioinformatics packages around June 8 must immediately rotate all cloud, Kubernetes, and repository tokens.
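
One way to check the hash-pinning advice above, as an added example and not code from the original article or from StepSecurity: it flags every entry in a requirements.txt that pip's `--require-hashes` mode would not accept. The package names and digests in the sample are constructed placeholders, and nested `-r` includes are assumed to be audited separately.

```python
import re

# An entry is acceptable only if it is pinned with == (no ranges or
# wildcards) and carries at least one --hash digest.
PIN_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s;*,]+(?=\s|;|$)")
HASH_RE = re.compile(r"--hash=sha(256|384|512):[0-9a-f]{64,128}(?=\s|$)")

def logical_lines(text):
    """Strip comments and join backslash continuations into single entries."""
    buf = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def audit(text):
    """Return (package, problem) pairs for entries lacking a pin or a digest."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):  # options (--index-url, -r, -c): not audited here
            continue
        name = re.split(r"[\s=<>!~;\[]", line, maxsplit=1)[0]
        if not PIN_RE.match(line):
            findings.append((name, "not pinned with =="))
        if not HASH_RE.search(line):
            findings.append((name, "no --hash digest"))
    return findings

DIGEST = "0" * 64  # constructed placeholder, not a real artifact hash
SAMPLE = f"""\
# constructed sample; package names are placeholders
--index-url https://pypi.org/simple
example-genomics==1.4.2 \\
    --hash=sha256:{DIGEST}
example-graphml>=0.9
example-seqtools==2.0.1   # pinned but no digest
"""

if __name__ == "__main__":
    for pkg, problem in audit(SAMPLE):
        print(f"{pkg}: {problem}")
```

Run it in CI before `pip install --require-hashes -r requirements.txt`, so an unpinned entry fails the build with a readable message rather than only at install time.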
