Miasma Worm Hits GitHub, PyPI, AI Agents (2025)

Miasma Worm Targets AI, GitHub, PyPI in Supply Chain Attack

The Miasma worm, a sophisticated variant of the Mini Shai-Hulud malware, has expanded its attack vectors, actively compromising GitHub repositories, targeting AI coding agents, and infiltrating the Python Package Index (PyPI) ecosystem. This coordinated campaign, also tracked with the Hades cluster designation for its PyPI operations, has impacted many targets, including 123 GitHub repositories, over 50 npm packages, and 448 distinct artifacts across both npm and PyPI registries. High-profile targets such as Microsoft Azure's durabletask repository have fallen victim, alongside popular projects like icflorescu/mantine-datatable and numerous bioinformatics and deep-learning toolkits.

Threat actors are using stolen Personal Access Tokens (PATs) to push malicious commits directly into GitHub repositories, introducing configuration files designed to auto-execute a credential-harvesting payload. This multi-stage attack targets developer environments, detonating when repositories are opened in AI coding agents like Claude Code, Gemini CLI, Cursor, or even standard Integrated Development Environments such as VS Code. The underlying mechanism also extends to the Python ecosystem, where malicious .pth files are being deployed to trigger a similar Bun-based payload during Python startup, broadening the supply chain compromise.

The campaign's intricate design demonstrates a shift in adversary tactics, moving beyond traditional package manager hooks to exploit editor auto-run features and Python's native startup mechanisms. This adaptability ensures persistent access and solid credential exfiltration capabilities across different development pipelines. The Miasma operation shows the increasing sophistication of supply chain attacks. These attacks use legitimate developer tools and trusted repositories for widespread infection and data theft.

How is the Miasma Worm Exploiting AI Coding Agents and GitHub Repositories?

The Miasma worm is exploiting AI coding agents and GitHub repositories by injecting malicious configuration files directly into legitimate projects through compromised maintainer accounts and stolen Personal Access Tokens. This approach bypasses traditional package manager security checks and initiates a credential-harvesting payload upon common developer actions.

On June 3, 2026, the Miasma worm was observed pushing commits to GitHub source repositories, circumventing package registries. An attacker used a commit titled chore: update dependencies [skip ci] to add six files to target repositories, including five configuration files designed to auto-execute a payload named .github/setup.js. These triggers were crafted to use legitimate auto-run features in various developer tools:

• Claude Code and Gemini CLI: Both use a SessionStart hook in .claude/settings.json and .gemini/settings.json to run a shell command (node .github/setup.js) when an agent session opens.
• Cursor: Uses an always-applied project rule in .cursor/rules/setup.mdc that instructs the agent to execute node .github/setup.js, using prompt injection against the AI assistant.
• VS Code: Uses a task in .vscode/tasks.json configured to run node .github/setup.js automatically when the folder is opened.
• npm: The package.json file is modified to hijack the test script, so npm test also detonates the payload.

The dropper, .github/setup.js, is a JavaScript file that builds a string from a character-code array, applies a Caesar shift (observed as ROT-4 in this wave, differing from the ROT-9 in earlier Miasma campaigns), and executes the result via eval. This decoded loader then uses node:crypto to decrypt two hardcoded blobs, _b (bootstrap) and _p (the worm). The loader writes _p to a random temporary file and executes it using the Bun JavaScript runtime, downloading Bun directly from GitHub if not already present on the host. This ensures the worm runs in an isolated environment, avoiding reliance on the victim's existing Node.js or Python installations. This technique is similar to how the Miasma worm has previously targeted npm supply chains, as documented in analysis concerning Miasma's impact on Red Hat npm supply chain.

Blast Radius and Exfiltration of the GitHub Arm

The initial wave of attacks against icflorescu saw the same malicious commit land in five repositories within a 49-second window, indicating automated propagation. These five repositories collectively account for 1,459 GitHub stars, with mantine-datatable contributing 1,225 alone.

A broader GitHub code search identified 123 repositories across dozens of accounts containing similar malicious configurations. This includes official projects like Microsoft Azure's durabletask (Azure/durabletask) which has 1,718 stars, metersphere/helm-chart, and Azure-Samples/llm-fine-tuning. For the Azure/durabletask repository, the attacker used a stolen Personal Access Token from a legitimate Microsoft contributor and backdated the commit timestamp to 2020 to conceal it within a dormant branch. This widespread compromise aligns with the documented self-propagation capabilities of the Shai-Hulud family of malware, which harvests GitHub tokens with write access from prior infections to propagate itself. Related research, such as the Miasma worm targeting Microsoft and GitHub, provides more details on this variant's propagation through GitHub.

The worm's payload is a multi-cloud credential harvester, designed to scan for and exfiltrate secrets from environments including AWS, Azure, GCP, Vault, Kubernetes, npm, and GitHub. Exfiltration occurs to attacker-created public GitHub repositories, which serve as dead-drops. Identified exfiltration accounts include liuende501 (236 dead-drop repos for the npm arm), and windy629 (200+ repos) and HerGomUli for the source-repo arm. These dead-drop repositories typically carry descriptions such as Miasma - The Spreading Blight or the reversed string niagA oG eW ereH :duluH-iahS ("Shai-Hulud: Here We Go Again"). The timing of these activities, with dead-drop creation often preceding repository pushes by seconds, shows token theft and subsequent propagation are integrated.

Indicators of Compromise for GitHub Arm

What is the "Hades Cluster" and Its Impact on PyPI?

The Hades cluster is a new arm of the Shai-Hulud and Miasma malware lineage, targeting Python developers through a supply chain attack on the Python Package Index (PyPI). This intrusion compromised multiple popular open-source packages, injecting malicious code via maintainer account takeovers to steal credentials.

The attack uses Python's .pth files, which typically add directory paths to the system environment but also execute lines starting with an import statement during interpreter initialization. The compromised PyPI releases shipped a *-setup.pth file that automatically attempts to execute during Python startup, without requiring an explicit package import. This subtle execution trigger allows the malware to bootstrap its payload instantly, even during local test runs or CI/CD jobs. This poses a significant risk before any code review. The use of such evasive execution methods shows the challenges in securing modern software supply chains. The Miasma worm has previously used similar tactics, as shown in analyses of the Miasma worm targeting the npm supply chain.

Once triggered, the malicious .pth file downloads a standalone copy of the Bun JavaScript runtime directly from GitHub. This cross-runtime execution technique allows the malware to run complex JavaScript payloads on a Python system, bypassing assumptions about the availability of Node.js or Python environments. The malware builds its own isolated execution engine within local temporary directories. The underlying JavaScript payload then executes a sweeping search for sensitive credentials, including cloud authentication tokens (AWS, Google Cloud, Azure, Kubernetes), private SSH keys, npm access tokens, and PyPI access tokens.

The Hades cluster has been linked to 448 affected artifacts spanning both npm and PyPI registries, which shows the broad reach of this campaign. For stealthy exfiltration, the malware uses legitimate cloud platforms as network camouflage, sending decoy traffic to Anthropic AI servers. The actual exfiltration occurs via automated GitHub interactions, where the payload creates public code repositories to host stolen data, marked with specific descriptions like Hades - The End for the Damned. The campaign has impacted scientific research communities. It compromised established bioinformatics and deep-learning toolkits that collectively have hundreds of thousands of cumulative downloads.

How is the Pink Extortion Group Bypassing MFA and Exfiltrating Cloud Data?

The Pink Extortion Group, tracked as CL-CRI-1147 and linked to the broader Com network, is bypassing multi-factor authentication (MFA) and exfiltrating cloud data primarily through voice phishing (vishing) scams. This method targets corporate users to gain initial access before using legitimate cloud services for data theft and extortion.

The Pink Extortion Group avoids traditional malware deployment, instead relying on social engineering. Threat actors impersonate internal IT personnel via phone calls, manipulating employees into visiting credential-stealing domains such as passkeyaddcom or passkeydeploy.com. When an employee enters their login details on these malicious sites, the attackers steal their active login session, bypassing MFA defenses.

With compromised credentials, the group gains access to the victim organization's Microsoft 365 environment. They then exploit Microsoft's own automated tools to sweep and exfiltrate sensitive files from OneDrive and SharePoint folders within minutes. This strategy allows them to operate under the guise of legitimate user activity. This makes detection challenging for standard security controls. Following data exfiltration, the Pink Extortion Group starts an extortion phase. They use the compromised employee accounts to send internal emails and Microsoft Teams messages to co-workers and executives, demanding payment and setting a 72-hour deadline for a response. The group launched a dedicated data leak site on May 31, 2026, listing initial victims. This confirms their intent for public exposure if demands are not met.

Forensic analysis by Gurucul revealed that Pink uses fileless methods to maintain persistence and evade detection on local workstations. The malware deploys small code commands that hide within legitimate system paths and constructs its main operational code directly in the computer's temporary memory cache, making it invisible to conventional antivirus scanners. The code also includes checks for sandbox or analysis laboratory environments, adapting its behavior to avoid detection during security analysis. The group's reliance on legitimate cloud tools and authentic account access requires a shift in defensive strategies, focusing on behavioral monitoring and employee training to verify suspicious communications.

What Vulnerability is Actively Exploited in Everest Forms Pro?

Hackers are actively exploiting CVE-2026-3300, an unauthenticated remote code execution (RCE) vulnerability in the Everest Forms Pro plugin, versions 1.9.12 and earlier, to take complete control of WordPress websites. This flaw allows threat actors to create rogue administrator accounts and perform arbitrary actions on compromised sites.

The CVE-2026-3300 vulnerability resides in the Everest Forms Pro plugin's Complex Calculation feature. This feature accepts user-submitted values from form fields and directly inserts them into a PHP code string, which is then executed using PHP's eval() function. Although the user input passes through a sanitize_text_field() function, this sanitization mechanism does not escape single quotes (') or other characters that can manipulate PHP syntax.

Attackers exploit this oversight by submitting a value that closes the intended string literal, injects arbitrary PHP code, and then comments out the remaining generated code to prevent syntax errors. Specifically, telemetry data from Wordfence indicates that attackers are injecting a PHP statement that calls wp_insert_user() to create a new administrator account with the username diksimarina. Once this malicious administrator account is created, attackers gain full control over the compromised WordPress site, allowing them to modify content, install plugins and themes, establish backdoors, and access private databases.

The vulnerability was initially reported by researcher h0xilo in February 2026, and a patch addressing the issue was released by the Everest Forms developer on March 18, 2026. However, active exploitation of CVE-2026-3300 began on April 13, 2026. Wordfence firewalls have blocked over 29,300 attempts to exploit this flaw. The majority of these exploitation attempts originate from specific IP addresses, 202.56.2[.]126 and 209.146.60.26. Website administrators are advised to update Everest Forms Pro to a patched version immediately. They should also review server logs for suspicious activity and check for unauthorized administrator accounts, especially those containing the string diksimarina.

What are the Details of the Chandrapur Cancer Hospital Ransomware Attack?

The Chandrapur Cancer Care Foundation (Cancer Hospital), located in Chandrapur, India, was hit by a ransomware attack that encrypted its entire database, with hackers demanding a ransom of 1.23456 Bitcoin, valued at approximately Rs 75 lakh (approximately 90,000 USD at the time of the incident). This cyberattack disrupted the hospital's operations and patient management systems.

The incident was first detected on June 1, 2026, at around 7:30 AM, when the hospital's IT department identified a technical issue with the main server. Upon investigation, staff discovered a ransomware message displayed on the server, confirming unauthorized access and data encryption. The attackers had encrypted patient records, treatment histories, and administrative information, making the hospital's database inaccessible.

The ransom note demanded a payment of 1.23456 Bitcoin for a decryption key, with the hackers claiming that access would be restored only after the payment was made and assuring that the compromised information would not be shared. The attack has had a major impact on the hospital's information management system, causing disruptions to daily operations and patient care. Authorities are currently investigating how the attackers breached the hospital's network, showing the persistent threat ransomware poses to healthcare infrastructure.

Technical Takeaways

• The Miasma/Shai-Hulud malware family has expanded its attack surface, moving past npm package manager hooks to target AI coding agent configurations and Python's native .pth startup files for initial execution.
• The use of the Bun JavaScript runtime is a consistent fingerprint across Miasma and Hades cluster campaigns, allowing cross-runtime payload execution and creating an isolated environment for credential harvesting.
• Threat actors are using stolen GitHub Personal Access Tokens (PATs) to inject malicious commits directly into many public and official repositories, including Microsoft Azure's durabletask, which shows the effectiveness of account takeover in supply chain attacks.
• The Pink Extortion Group uses a social engineering approach by using vishing to bypass MFA and then using legitimate Microsoft 365 tools to exfiltrate data from OneDrive and SharePoint for financial extortion.
• Active exploitation of CVE-2026-3300 in Everest Forms Pro shows how improper input sanitization in WordPress plugins can lead to unauthenticated remote code execution and site compromise, and creates rogue administrator accounts.
• Ransomware continues to threaten infrastructure, as seen in the Chandrapur Cancer Care Foundation incident, which saw a demand for 1.23456 Bitcoin to restore encrypted patient and administrative data.