The New Supply Chain Threat ‘Miasma’: How AI Agents and IDE Config Files are Being Weaponized

📰 News Summary

• Exploitation of Auto-Execution via Config Files: An attack has been confirmed where shell commands are embedded in configuration files (like .claude/settings.json) within repositories, executing code as soon as developers open the folder.
• Wide-Ranging Target Tools: Major development tools and AI agents such as VS Code, Cursor, Claude Code, Gemini CLI, and npm have been targeted, focusing on their “session start hooks” and “task auto-execution” features.
• Spread of the Miasma Worm: A total of 121 repositories have already been affected, with about 4.3MB of obfuscated droppers (e.g., .github/setup.js) siphoning off sensitive data from AWS, GitHub, and Kubernetes.

💡 Key Points

• Bypassing “Trust Confirmation” Tactics: This attack exploits the psychological tendency of developers to click “Trust Workspace” without much thought, triggering the execution of malicious code in the subsequent auto-execution process.
• Embedding Commands for AI Agents: A sophisticated method involves injecting prompts like “Execute this code for environment setup” into Cursor’s project rules (.cursor/rules/setup.mdc).
• Advanced Obfuscation and Detection Evasion: The dropper is tailored to a size that avoids being indexed by GitHub’s code search, employing a dual-layer of protection with Caesar and AES encryption for the payload.

🦈 Shark’s Eye (Curator’s Perspective)

The idea that “config files are just metadata” has now become a glaring vulnerability! Especially with AI agents’ “SessionStart” hooks, it’s like leaving a backdoor wide open in exchange for convenience!

What’s remarkable about this news is that attackers are hacking the very “workflow of developers”. They’ve set up a seemingly legitimate setup file, .github/setup.js, to be called en masse from small configuration files, making it highly strategic and difficult to evade. Even looking at diffs (code differences), one might overlook the subtlety and think, “Oh, they just added some setup configurations,” which is exactly where this razor-sharp attack strikes!

🚀 What’s Next?

Moving forward, vendors of AI agents and editors will likely have to enforce stricter sandboxing and “full command disclosure prior to execution” for shell commands within config files. We are entering an era where the act of “opening a repository” itself will be redefined in terms of risk.

💬 HaruSame’s Take

Beware of features that are too convenient—they can bite back! Opening an unfamiliar repository in your main environment is like diving into a shark tank! The golden rule is to first observe in a controlled environment (like a Dev Container)!

📚 Terminology Explained

• Supply Chain Attack: A method that targets the vulnerable parts of the software development and distribution process (supply chain), spreading damage to all users involved.

• Prompt Injection: An attack that sneaks malicious instructions into commands directed at AI models, causing unintended operations. In this case, it directs the AI agent via configuration files.

• Dropper: A program that becomes a “mule” after infiltrating a computer, downloading and installing further viruses or malware.

• Source: Config Files That Run Code: Supply Chain Security Blindspot