June 12, 2026 | Agents | Monitoring | MCP

Hades Malware Turns AI Safety Refusals Into Camouflage

Socket Security found malware doing something genuinely new: embedding text about biological and nuclear weapons in its code. Not to build anything. The strings exist so that when an LLM-powered security scanner reads the file, the model's safety training trips, the model refuses to continue, the scan dies, and the payload is never inspected. A false negative, by design.

The campaign, dubbed Hades, is not a toy. Newer variants use .pth loaders and native extensions to launch Bun-powered JavaScript stealers that grab GCP, Azure, and CI/CD secrets the moment the package is installed. And the targets are pointed: bioinformatics developers and MCP developers, exactly the people whose machines are full of agent credentials. The story hit 223 points on Hacker News today.

Here is the inversion that makes this the security story of the week. Every attack we have covered in this genre (Miasma's poisoned repos, POISE's skill injection, the Bunq one-cent transfer) went after the agent through its inputs. Hades goes after the model's own safety layer. The refusal behavior that labs train in as protection becomes the attacker's cloaking device. The harder you tune refusals, the bigger the blind spot you hand to whoever figures out the trigger words.

The timing is almost too clean: days after Fable 5 shipped with bio and cyber safeguards as a headline feature, attackers demonstrated that those exact trigger categories make excellent camouflage. Scanner vendors now need models that can look at forbidden content and keep analyzing anyway, which is precisely what consumer-facing safety tuning forbids. Defensive AI and consumer AI just stopped being the same model.
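A pipeline-level mitigation for the refusal-as-false-negative problem described above, as an added example that is not Socket's code or any vendor's: the scanner treats a refusal, a crash, or any non-verdict output as a reason to quarantine, never as a pass. The JSON verdict format, the refusal phrasings, `fake_model`, and the `REFUSAL_BAIT_PLACEHOLDER` marker are assumptions made for illustration.

```python
import json
import re
from typing import Callable, Dict, Tuple

# Assumed refusal phrasings; adjust to the model behind your scanner.
REFUSAL_RE = re.compile(
    r"\bi\s+(?:can[’']?t|cannot|won[’']?t)\s+(?:help|assist|continue|analy[sz]e)"
    r"|\bi(?:[’']m|\s+am)\s+(?:sorry|unable)", re.I)

def classify_response(raw: str) -> str:
    """Map raw model output to benign / malicious / refused / unparseable."""
    try:
        parsed = json.loads(raw)
        if isinstance(parsed, dict) and parsed.get("verdict") in ("benign", "malicious"):
            return parsed["verdict"]
    except (ValueError, TypeError):
        pass
    return "refused" if REFUSAL_RE.search(raw or "") else "unparseable"

def scan_package(files: Dict[str, str],
                 ask_model: Callable[[str], str]) -> Tuple[str, Dict[str, str]]:
    """Fail closed: only an explicit benign verdict on every file yields 'allow'."""
    per_file = {}
    for path, source in files.items():
        try:
            raw = ask_model(source)
        except Exception:          # a scan that dies is not a clean scan
            raw = ""
        per_file[path] = classify_response(raw)
    outcomes = set(per_file.values())
    if "malicious" in outcomes:
        return "block", per_file
    if outcomes - {"benign"}:      # refused/unparseable: send to static analysis or a human
        return "quarantine", per_file
    return "allow", per_file

# Constructed sample input; the placeholder stands in for the embedded bait text.
SAMPLE_FILES = {
    "pkg/__init__.py": "def hello():\n    return 'hi'\n",
    "pkg/loader.py": "# REFUSAL_BAIT_PLACEHOLDER\nimport os\n",
}

def fake_model(source: str) -> str:
    """Stub for the scanner's LLM call: refuses whenever the placeholder is present."""
    if "REFUSAL_BAIT_PLACEHOLDER" in source:
        return "I'm sorry, but I can't help with that."
    return '{"verdict": "benign"}'

if __name__ == "__main__":
    print(scan_package(SAMPLE_FILES, fake_model))
```

The per-file map tells the operator which file caused the refusal, which is itself a signal worth logging and alerting on.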

Reporting: https://www.tomshardware.com/tech-industry/cyber-security/hades-malware-campaign-now-tricks-ai-bots-by-injecting-text-about-biological-and-nuclear-weapons-failsafe-mechanisms-triggered-by-prompts-for-weapon-creation-stop-scans-before-payload-is-seen
HN discussion: https://news.ycombinator.com/item?id=48495928