Table of Contents
On June 3, 2026, the Miasma worm hit two surfaces simultaneously. The npm registry arm published 57 malicious packages across 286+ versions, hiding the payload trigger in binding.gyp
files to evade lifecycle script scanners — covered in depth by StepSecurity and JFrog. This post documents the other arm: a parallel run of the same worm that skipped the registry entirely and pushed directly to GitHub source repositories.
An attacker pushed a commit titled chore: update dependencies [skip ci]
to icflorescu/mantine-datatable
and four sibling repos. The commit added no dependencies. It planted a 4.3 MB payload runner and wired it to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test
script. The attack detonates when a developer clones one of the affected repos and opens it in an AI coding agent. The dropper is the same staged Bun , here repurposed for GitHub source-repo persistence rather than registry poisoning.
icflorescu was not the only maintainer hit. The same fingerprint appears across at least four accounts and more than a dozen repos, with the dropper recompiled per wave. The maintainer’s account was suspended during the incident, and his wife posted the disclosure on his behalf. The is a byte-level match for the Miasma family.
The commit #
The malicious commit on mantine-datatable
( f72462d9e5fa90a483062a83e9ffcb2edc57bf7e) is unsigned, authored as
github-actions <[email protected]>
, and adds six files:Five of those six files exist to launch the sixth. .github/setup.js
is the payload. Everything else is a trigger pointed at it, one per tool.
Five triggers, one payload #
The cleverness here is the trigger surface. Each config file abuses a legitimate auto-run feature of a different developer tool.
Claude Code and Gemini CLI both use a SessionStart
hook that runs a shell command when an agent session opens in the project:
Cursor uses an always-applied project rule that instructs the agent to run the file, social-engineering the assistant into executing it:
VS Code uses a task configured to run on folder open, so no agent is even required:
The package.json
change hijacks the test script, so CI and any developer running the project’s tests also detonate it:
Cloning the repo is safe. Opening it is not. A developer who clones mantine-datatable
to debug an issue and opens the folder in VS Code, or starts Claude Code in it, runs the payload with no further interaction.
The dropper #
.github/setup.js
is one statement wrapped in a try/catch
. It builds a string from a character-code array, applies a Caesar shift, and passes the result to eval
:
Decoding it statically (shift of 4, never executing it) yields an async . It pulls node:crypto
and AES-128-GCM decrypts two hardcoded blobs:
_p
is the worm. _b
is a bootstrap. The writes _p
to a random temp file and runs it under Bun, falling back to down Bun if the host does not have it:
_b
defines getBunPath()
, which fetches a pinned Bun release straight from the official GitHub mirror and marks it executable:
Running under Bun keeps the worm off the victim’s Node install. Bun ships its own TypeScript runtime, fetch, crypto, and shell, so the payload needs nothing from the host beyond the downloaded binary.
The decrypted _p
(SHA256 633c8410…1df5b64
, 667 KB) is the same Bun stealer family documented in the Miasma analysis: a multi-cloud credential harvester that scans for AWS, Azure, GCP, Vault, Kubernetes, npm, and GitHub secrets, exfiltrates to attacker-created public GitHub repos, and self-propagates with stolen tokens. We did not re-run the full payload analysis on this wave.
Blast radius: one worm, five repos, 49 seconds #
The same commit landed in five icflorescu
repos inside a 49-second window. The dropper is byte-identical across all five (SHA256 d630397d…873fdb8e
, 4,348,254 bytes): | Repo | Stars | Pushed (UTC) | HEAD commit |
|---|---|---|---|
| mantine-datatable | 1,225 | 22:38:51 | `f72462d9` |
| mantine-contextmenu | 170 | 22:38:59 | `9ef8b396` |
| next-server-actions-parallel | 56 | 22:39:19 | `01e00e78` |
| mantine-datatable-v6 | 3 | 22:39:29 | `6592194` |
| mantine-contextmenu-v6 | 5 | 22:39:40 | `5aa0201b` |
The five repos carry 1,459 GitHub stars between them, mantine-datatable
alone accounting for 1,225. Stars are a rough proxy for how many developers have the source checked out locally, which is the population this attack targets.
Every commit: unsigned, github-actions
identity, chore: update dependencies [skip ci]
, the same six-file footprint. A 49-second sweep across five repos is automation, not a human committing. This matches Shai-Hulud self-propagation: harvest a GitHub token with write access from a prior infection, then push the persistence payload into every repo the token can reach.
Beyond one maintainer #
icflorescu is one node. A GitHub code search for the launcher string node .github/setup.js
returns the same injection across other accounts. The matches GitHub has indexed so far:
| Account | Repos hit (indexed) | setup.js build |
Notes |
|---|---|---|---|
| icflorescu | 5 | d630397d… |
mantine-datatable et al |
| taxepfa | taxepfa.github.io | d630397d… (identical) |
same github-actions / [skip ci] commit |
| jagreehal | 7 (ai-sdk-guardrails, ai-sdk-ollama, autotel, effect-analyzer, es-temp-action, jagreehal-claude-skills, stencil-how-to-test-components) | `fec7d585…` | distinct build |
| mhar-andal | 2 (MyBlok, stock-forum-ethereum) | `0ecf3e7b…` | injected a `Gemfile` , so not npm-only |
Three distinct setup.js
hashes across four accounts means the dropper is recompiled per victim or per wave, not copied verbatim. The launchers and the staged- architecture are constant; the Caesar shift, the AES keys, and the resulting file hash rotate. Code search only covers indexed default branches and skips files over roughly 384 KB, so this is a floor, not a ceiling. The 4.3 MB setup.js
itself never indexes; the small launcher files are what give the campaign away.
For jagreehal
the impact extends beyond source repos. StepSecurity’s analysis of the June 3 npm arm confirms the same account had 50+ npm packages compromised — ai-sdk-ollama
, autotel
, awaitly
, executable-stories
, node-env-resolver
, and others — with 408,000+ monthly download packages like @vapi-ai/server-sdk
also hit in the same wave. The source-repo injection and the npm package poisoning ran in parallel off the same stolen token.
The exfiltration side
The worm exfiltrates stolen credentials to attacker-created public GitHub repositories. StepSecurity identified the primary exfil account for the npm arm as liuende501
, holding 236 dead-drop repos — 34 described Miasma - The Spreading Blight
and 195 carrying the reversed string niagA oG eW ereH :duluH-iahS
(decoding to “Shai-Hulud: Here We Go Again”). In our analysis of the source-repo arm, we found two additional exfil accounts: windy629
(200+ repos) and HerGomUli
, both using the same Miasma - The Spreading Blight
description. The existence of multiple exfil accounts points to either rotating infrastructure or parallel campaign nodes, not a single operator running one bucket.
The timing ties the two arms together: the dead-drop windy629/savage-styx-88946
was created at 22:38:26Z, roughly 25 seconds before the first push to mantine-datatable
at 22:38:51Z. Steal the token, dump the loot to a fresh dead-drop, then turn the same token on the victim’s own repos.
Attribution: Miasma #
The is the Miasma staged Bun , matched feature for feature: | Trait | Miasma (RedHat sample) | mantine wave |
|---|---|---|
| Outer cipher | `eval(function(s,n){...replace(/[a-zA-Z]/g...}` | identical harness |
| Caesar shift | ROT-9 | ROT-4 |
| | `_d=(k,i,a,c)=>createDecipheriv("aes-128-gcm")` , two blobs | identical |
| Bun pin | bun-v1.3.13 from oven-sh | identical URL |
| Temp artifacts | /tmp/p<rand>.js , /tmp/b-<rand>/bun | identical |
| Persistence | .claude/settings.json , .vscode/tasks.json | extends to .gemini , .cursor |
Two deltas mark this as a newer build. The Caesar shift moved from 9 to 4 and the AES keys differ (our _p
key is fe3ee188…
, not the documented fe0d71d5…
), so the dropper was recompiled. The persistence set grew: the documented worm planted Claude Code and VS Code configs; this wave adds Gemini CLI and Cursor. The AI coding agent attack surface is expanding with the malware.
How it got committed #
This is the part we cannot fully close. The github-actions <
identity is the default for commits made with a workflow’s [email protected]>GITHUB_TOKEN
, and any attacker can set it on a stolen-token push. The [skip ci]
tag suppresses CI so the push draws less attention. The 49-second multi-repo sweep, the unsigned commits, and the direct-to-main
writes all point to a stolen personal access token replayed by a script, consistent with Miasma’s credential-theft-and-propagate loop. We have not confirmed the initial access vector or whether a workflow run or a raw token push produced the commits.
Detection and remediation #
The published npm packages for these projects are clean. The risk is local, and it survives npm uninstall
. If you cloned any affected repo after June 2:
- Do not open the working copy in VS Code, Cursor, Claude Code, or Gemini, and do not run
npm test
. - Delete the working copy and reclone from a commit before the injection, or wait for the maintainer to revert.
- Grep any clone for the indicators below before opening it.
Treat unexpected .claude/
, .gemini/
, .cursor/
, and .vscode/
files in a diff as supply chain signals, not editor noise. These directories auto-execute code and most review workflows ignore them.
Indicators of compromise
File hashes — source-repo dropper (recompiled per wave)
| Account | setup.js SHA256 |
|---|---|
| icflorescu, taxepfa | d630397de8b01af0f6f5cf4463da91b17f28195a2c50c8f3f38ad9f7873fdb8e |
| jagreehal | fec7d585... |
| mhar-andal | 0ecf3e7b... |
_p payload (icflorescu wave) |
633c8410ee0413ca4b090a19c30b20c03f31598c25247c484846fa34c1df5b64 |
Planted files — source-repo arm
.github/setup.js
— the dropper.claude/settings.json
— Claude CodeSessionStart
hook.gemini/settings.json
— Gemini CLISessionStart
hook.cursor/rules/setup.mdc
— Cursor always-apply rule.vscode/tasks.json
— VS CodefolderOpen
taskpackage.json
—test
script hijackGemfile
— seen in Ruby project targets (mhar-andal
) Commit signature — source-repo arm
- Author:
github-actions <
, unsigned[[email protected]](/cdn-cgi/l/email-protection)> - Message:
`chore: update dependencies [skip ci]`
Exfiltration dead-drop accounts
| Account | Repos | Arm |
|---|---|---|
`windy629` | 200+ | source-repo (this analysis) |
`HerGomUli` | 1+ | source-repo (this analysis) |
liuende501 | 236 | npm registry (per StepSecurity) |
All dead-drop repos carry the description Miasma - The Spreading Blight
.
Runtime artifacts
- Bun download:
`hxxps://github[.]com/oven-sh/bun/releases/download/bun-v1.3.13/`
- Temp payload:
/tmp/p<random>.js
- Temp runtime:
`/tmp/b-<random>/bun`
npm packages — registry arm (57 packages, 286+ versions, per StepSecurity)
| Package | Malicious versions |
|---|---|
@vapi-ai/server-sdk |
0.11.1, 0.11.2, 1.2.1, 1.2.2 |
ai-sdk-ollama |
0.13.1, 1.1.1, 2.2.1, 3.8.5 |
jagreehal/* (50+ packages) | autotel, awaitly, executable-stories, node-env-resolver, wrangler-deploy families |
binding.gyp
SHA256:ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90
(per StepSecurity) A quick local check on any clone:
A shift in delivery #
This is the same worm with a different mouth. The June 3 npm arm detonated at install time and hid the trigger well, bypassing conventional lifecycle-script scanners entirely. Both JFrog and StepSecurity document the technique: the attacker placed the in a binding.gyp
file instead of a package.json
lifecycle script. As JFrog describes it, “if a package has a binding.gyp
file at its root and no custom preinstall
or install
scripts in package.json
, npm falls back to running node-gyp rebuild
,” and “during the configuration step, node-gyp
parses the file and executes any command expansion inside <!(...)
syntax directly in the host shell.” StepSecurity confirms the specific payload used — a 157-byte binding.gyp
with "sources": ["<!(node index.js > /dev/null 2>&1 && echo stub.c)"]
— that fired node index.js
silently “before standard script checkers inspect package.json
hooks.”
The GitHub source-repo arm drops that vector entirely. No package, no install, no binding.gyp
. The trigger moved from npm install
to git clone
plus opening the folder. Same , same Bun payload, same dead-drop infrastructure — different detonation surface. The campaign followed its targets from the package manager to the editor.
Why this pattern matters #
The launcher set is the story. Supply chain malware historically relied on the package install hook: preinstall
, postinstall
, a setup.py
, or the binding.gyp
trick above. This wave skips the registry entirely and bets on the editor. Cloning a repo to read its source has always felt safe. AI coding agents and IDE auto-run features quietly changed that, and attackers noticed before most defenders did. A .cursor/rules
file that instructs an agent to run a script is a prompt injection that ships in the repo. A SessionStart
hook is a postinstall
for your editor. Related reading: Mini Shai-Hulud “Miasma” hits @redhat-cloud-services (our analysis of the registry arm), StepSecurity’s binding.gyp campaign analysis, JFrog’s Miasma deep dive, a threat model for malicious pull requests, and npm supply chain attacks targeting maintainers.
- github
- malware
- supply-chain
- shai-hulud
- ai-coding-agents
Author
SafeDep Team
safedep.io
Share
The Latest from SafeDep blogs #
Follow for the latest updates and insights on open source security & engineering
Axios Typosquats Deliver the Epsilon Stealer Two axios typosquats on npm, turbo-axios and faster-axios, form a campaign delivering Epsilon Stealer through a four-stage chain. The Electron infostealer grabs browser credentials, crypto wallets,...
Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace Deep technical analysis of MicrosoftSystem64, an 81 MB Node.js SEA binary deployed via malicious npm packages. This RAT steals browser credentials, 80+ crypto wallet extensions, Telegram sessions,...
Mini Shai-Hulud "Miasma: The Spreading Blight" Hits @redhat-cloud-services: Multiple Packages at Risk The attacker compromised the @redhat-cloud-services GitHub Actions OIDC trusted publisher to ship [email protected] with a Mini Shai-Hulud worm. The same publisher controls 32 packages across the...
183 npm Packages Target Cloud and Finance via oob.moika.tech Two npm accounts published 164 malicious packages at version 99.99.99 targeting a cloud platform and a financial institution. Both campaigns share identical payload code, the same C2 endpoint, and...
Ship Code. #
Not Malware. #
Start free with open source tools on your machine. Scale to a unified platform for your organization.