Software supply-chain attacks are no longer just a dependency hygiene problem. They are becoming a workflow security problem that touches package managers, developer workstations, CI/CD systems, and now the AI tools many teams are beginning to use for code review and malware triage.
Zscaler ThreatLabz reported that the Shai-Hulud campaign has continued to evolve beyond earlier npm-focused activity, with newer waves touching PyPI packages, IDE and CI/CD trust paths, and command-and-control approaches designed to survive takedowns. One of the most important developments is the Hades PyPI wave: malicious package content reportedly included adversarial prompt-injection text intended to mislead automated LLM-based scanners into producing a clean verdict.
What changed
The campaign pattern matters because it combines several trends defenders are already struggling with:
- Package ecosystem hopping: activity associated with Shai-Hulud has moved beyond a single registry model, raising the odds that organizations will encounter related tradecraft through multiple developer workflows.
- Developer and CI/CD trust abuse: poisoned packages are valuable because they often execute in places that already hold secrets, build credentials, repository access, deployment tokens, and cloud permissions.
- Resilient tasking: the reporting describes infrastructure evolution that includes public-platform dead drops and harder-to-block communication paths, reducing dependence on one easy-to-seize domain.
- AI scanner evasion: prompt-injection text inside package content targets the analysis layer itself, not just the human reviewer or static signatures.
That last point is the new operational lesson. If a scanner sends raw package content into an LLM without hard separation between trusted instructions and untrusted sample content, the package can attempt to influence the scanner. A malicious file does not need to exploit the LLM in the traditional software sense; it only needs to persuade the model to ignore the suspicious payload, downgrade severity, or return an unusable answer.
Why this matters for SMBs and government contractors
Small teams and government contractors are adopting AI-assisted security and development tools because they reduce review time. That is useful, but it also creates a false sense of coverage if the tool’s result is treated as authoritative. A “clean” result from an AI scanner should not automatically mean the package is safe, especially when the scanned object can contain instructions designed for the model.
This is especially important in contractor environments where one compromised dependency can expose proposal material, client data, source code, CUI-adjacent workflows, cloud credentials, or deployment pipelines. The risk is not only malware on a developer laptop. It is the path from developer tooling into business systems.
Defensive takeaways
- Separate instructions from evidence: LLM-based analysis pipelines should clearly label source code, manifests, logs, and package content as untrusted data. The model should receive strict system instructions that content inside the sample is never operational guidance.
- Do not treat refusal or no-finding as clean: if an AI tool refuses to analyze content, times out, or returns a vague “safe” result without evidence, route the package to deterministic checks or human review.
- Keep classic controls in the loop: use lockfiles, pinned versions, package provenance, maintainer-change monitoring, SBOM review, sandbox execution, and secret-scanning alongside AI triage.
- Constrain build credentials: CI/CD tokens should be scoped, short-lived where possible, and monitored for unusual package-install or repository-access behavior.
- Watch developer endpoints: package installs, post-install scripts, unexpected network calls from build agents, and unusual access to SSH keys, npm/PyPI tokens, GitHub tokens, or cloud credentials deserve alerting.
- Block direct trust in public package execution: route new or changed dependencies through a controlled review path before they can run in production build systems.
Bulwark Black assessment
Shai-Hulud is a reminder that supply-chain defense is moving up the stack. Attackers are not only hiding payloads from static scanners; they are beginning to target the automation that tells defenders what to trust. As security teams add LLMs to triage and code review workflows, the proper model is zero trust for analysis input: the package being analyzed is hostile until proven otherwise, including any natural-language instructions embedded inside it.
For smaller organizations, the practical answer is not to avoid AI tools. The answer is to wrap them with boundaries: deterministic scanning, sandboxing, provenance checks, tight CI/CD permissions, and escalation rules that treat uncertainty as a reason to slow down rather than a reason to approve.
Original source: Zscaler ThreatLabz — Shai-Hulud: Miasma, Hades, & AI Scanner Evasion
