Malware Embeds Forbidden Text to Evade AI Analysis
Socket Security researchers documenting the Hades wave of the Mini Shai-Hulud/Miasma supply chain campaign found that malicious PyPI wheels targeting bioinformatics and Model Context Protocol (MCP) developers embed a fake prompt-injection header inside the obfuscated JavaScript stealer file. The header fills a JavaScript block comment with fabricated CBRN-themed text - references to nuclear and biological weapon designs - intended to trigger safety refusals in LLM-based package analysis tools, causing the scanner to halt before it reaches the actual credential-stealing payload. Citizen Lab researcher John Scott-Railton and security commentator Bruce Schneier both cited this as a concrete demonstration that aggressive LLM safety refusals create second-order attack surfaces. Traditional static analysis - YARA, grep, entropy checks, AST parsing, and behavioral sandboxing - remains effective against the underlying payload, which steals GitHub, GCP, Azure, and CI/CD secrets.
Background: Hades and the Shai-Hulud/Miasma campaign
Socket Security researchers identified the Hades wave as a PyPI branch of the ongoing Mini Shai-Hulud/Miasma supply chain campaign, which has now compromised more than 100 npm and PyPI packages. The Hades cluster specifically targeted bioinformatics utilities and packages used by Model Context Protocol (MCP) developers. Affected PyPI packages include bioinformatics tools such as embiggen, ensmallen, gpsea, pyphetools, and ppkt2synergy, as well as developer tooling packages including magique, executor-engine, and pantheon-agents, according to Socket.
The AI evasion technique
Per Socket's analysis, the malicious _index.js stealer file begins with a large non-executing JavaScript block comment packed with fabricated text referencing CBRN (chemical, biological, radiological, and nuclear) weapon designs. The comment does not affect runtime execution - the actual payload follows in an obfuscated character-code array with a substitution function - but it is positioned at the start of the file where LLM-based package scanners read first. According to Socket, LLM scanners that ingest file content without clearly isolating it as untrusted data may hit their own safety-refusal rules before reaching the malicious code, producing a false-negative classification.
Broader implications
Citizen Lab researcher John Scott-Railton wrote on X that this is "the cleanest practical example I can think of for why over-indexing on first order safety alignment is risky," adding that "when closed (and open) models ship with aggressive refusals, they will be sprinkled with second-order blindspots that attackers will discover and exploit." Bruce Schneier independently highlighted the technique, noting it illustrates a failure mode specific to AI-mediated triage pipelines that do not treat file content as untrusted data.
What the payload steals
Per Socket, the Hades JavaScript stealer - staged through a downloaded Bun JavaScript runtime - targets GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, AWS, GCP, Azure, and Kubernetes credentials, along with Docker configurations, SSH keys, shell history, .env files, Claude/MCP configurations, and CI/CD runner secrets.
Defenses that remain effective
Socket, StepSecurity, and Schneier all note that conventional static and dynamic analysis is not affected by the LLM-refusal trick. YARA rules, grep/strings extraction, entropy analysis, AST parsing, deobfuscation routines, and isolated behavioral sandboxing reach the actual payload regardless of comment content. Security teams using LLM-assisted triage should treat file content - including headers and comments - as untrusted data, not as trusted prompt input.
Key Points
- 1The Hades wave of the Shai-Hulud/Miasma campaign planted CBRN-themed text in PyPI malware comments to trigger LLM safety refusals and evade AI-assisted package scanners, per Socket Security.
- 2Traditional static and dynamic analysis tools including YARA, grep, entropy checks, and behavioral sandboxes are not affected by the refusal trick and still detect the credential-stealing payload.
- 3Researcher John Scott-Railton framed this as an early example of attackers exploiting second-order safety alignment failures, warning more variants will follow as LLM-based security tooling spreads.
Scoring Rationale
A confirmed, named supply chain campaign (Hades/Shai-Hulud/Miasma) has operationalized LLM safety-refusal exploitation as a practical evasion technique in malicious PyPI packages, making this directly relevant to ML/AI security practitioners and developer tooling teams. The story is not paradigm-changing - conventional static analysis remains effective and the underlying campaign was already covered - but the AI evasion angle is novel, documented, and now actively exploited, warranting a notable-tier score. Schneier's and Scott-Railton's commentary elevates its signal value for the AI/security practitioner audience.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems


