Miasma and Hades are a supply-chain worm class that turned repository configuration and Python startup files into execution triggers for developer and AI-agent environments. The shift is that execution moved from package install to folder open and interpreter start, because AI coding tools read and trust repo metadata, editor config, and startup files before a human inspects them. This validates the threat model Sunglasses was built for: agents ingest hostile repo text and config before they act. The honest response is pre-ingestion inspection — scan and filter hostile input before the agent reads it.
This report is precise about what Sunglasses catches today and what it is adding next. It does not claim Sunglasses blocks Miasma or prevents this incident; it describes measured coverage and named gaps.
Miasma is a supply-chain worm class that turned repository configuration and Python startup files into execution triggers, and Hades is the PyPI wave reported alongside it.
According to coverage from The Hacker News and Dark Reading, the campaign hit 73 Microsoft GitHub repositories and traces to a compromised durabletask publish path, with naming and lineage tied to the earlier Shai-Hulud class of self-propagating supply-chain malware. The defining move is not malicious code buried in application source. It is hostile, agent-readable configuration that turns the act of opening or reading a repository — or starting a Python interpreter after install — into execution.
For an AI coding agent, that distinction matters. These files are exactly the kind of input an agent reads and trusts as project context before a human reviews anything. That is why this is an AI coding agent supply chain attack and not only a classic package-install attack.
The incident unfolded across three reported dates, each adding a new execution surface. Source status is noted on each item; where a single primary source still needs confirmation, that is called out rather than printed as settled fact.
Three malicious Microsoft durabletask PyPI versions were reportedly published in a short window through a compromised publish path. Confirmed in The Hacker News and Dark Reading coverage as prior context to the June activity.
A malicious commit landed in Azure/durabletask using a compromised contributor account, and GitHub disabled 73 Microsoft repositories across Azure and Microsoft orgs. StepSecurity documents the planted repo-level tool configuration files — .claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, and .vscode/tasks.json — that pointed Claude Code, Gemini CLI, Cursor, and VS Code toward a .github/setup.js payload on session or folder open.
The Hades PyPI wave reportedly dropped 37 malicious wheels across 19 packages using Python .pth startup hooks. This detail comes from a Phoenix Security writeup that cites Socket for the underlying detection; the full 19-package list is therefore not printed here as settled fact and needs one more primary-source confirmation before publication as IOCs.
Across both waves, the reported payload behavior was credential harvesting and infostealer activity: a credential and developer-secret sweep with staged exfiltration to a GitHub dead-drop. Reporting notes camouflage traffic shaped to look like normal API calls and states there is no indication that the named vendor platforms themselves were compromised — Claude Code, Gemini CLI, Cursor, and VS Code were targeted as local developer tools that read the poisoned files, not as breached services.
The attacker moved from package-install execution to agent-input execution. Classic supply-chain malware runs when you install or import a dependency. Miasma and Hades widened the trigger to two earlier, quieter moments.
- Folder open: a .vscode/tasks.json task with runOn: folderOpen needs no AI agent at all; the agent settings and Cursor rule files steer Claude Code, Gemini CLI, and Cursor on session start.
- Interpreter start: a .pth line beginning with import is executed by Python's site machinery during startup, so code can run on the next python, pip, pytest, or notebook kernel launch after install — with no explicit import of the malicious package.

Both moves push execution before the point where a developer would normally read the code. That is the core reason an input firewall belongs in front of an AI coding agent: the agent reads repo metadata, editor config, and startup files first, and treats them as trusted context.
Repo metadata, editor config, and Python startup files are now high-risk inputs because AI coding tools read and trust them before humans inspect them.
The Miasma planted files map directly to the surfaces AI coding agents ingest on open. Each one is an input an agent reads as project policy or setup, which is exactly where hostile instructions can hide.
- .claude/settings.json: defined a SessionStart hook whose command pointed at node .github/setup.js. This is the surface behind Claude Code SessionStart hook security: a settings file that runs a command when the agent session starts.
- .gemini/settings.json: the same SessionStart hook structure for Gemini CLI — the Gemini CLI settings security surface, where a settings file in the repo can run a command on session start.
- .cursor/rules/setup.mdc: a Cursor rule with alwaysApply: true that instructed the AI agent to run node .github/setup.js as project setup. This is indirect prompt injection through an agent instruction file — the Cursor rules prompt injection surface.
- .vscode/tasks.json: a VS Code task with runOn: folderOpen that executes on folder open with no AI agent required — the VS Code folderOpen task security surface.
- .pth files: a path-configuration file whose import line runs at interpreter start — the Python .pth startup hook malware surface from the Hades wave.
These sit alongside the package metadata, READMEs, discovery files, and tool descriptions that Sunglasses already treats as agent input. The common property is trust: an AI coding agent reads them before a human does.
Sunglasses is a content-layer input filter for AI agents, not a scanner alarm: bad content goes in, clean content comes out, and the agent never reads the poisoned version because the gate blocks it before ingestion. Against this incident class, we measured our own coverage rather than guessing. The honest summary: Sunglasses catches meaningful parts of the Miasma class when hostile repo text and config are scanned before the agent reads them, and it has real, named gaps for several specific shapes.
The current live package is Sunglasses v0.2.66, with 1,046 detection patterns, 65 attack categories, and 7,631 detection keywords. The v0.2.66 release added eight discovery_file_poisoning patterns covering config and discovery files — the same broad class as agent-readable repo configuration — though not yet a dedicated hook-by-hook pattern for each surface below.
| What Sunglasses catches today (COVERED) | What we are adding next (GAP) |
|---|---|
| Credential-harvest and exfiltration text — paths and behavior like ~/.aws/credentials, ~/.ssh/id_rsa, .npmrc, .kube/config, env-var sweeps, and upload or dead-drop exfiltration. Detected strongly as supply-chain credential path harvesting and exfiltration behavior. | Claude Code SessionStart hook poisoning — a dedicated pattern for .claude/settings.json with a SessionStart hook running a command. Clean SessionStart hook content is not reliably detected today. |
| Cursor .cursor/rules poisoning — an agent instruction file with alwaysApply: true telling the agent to run a setup command is detected, including as agent instruction file poisoning. | Gemini CLI SessionStart hook poisoning — a dedicated pattern for .gemini/settings.json SessionStart command execution. Not reliably detected today. |
| Repo and discovery metadata poisoning shapes — trusted metadata and config files becoming agent policy surfaces, mapped to discovery_file_poisoning and repo_metadata_poisoning. | VS Code folderOpen task execution — a reliable pattern for .vscode/tasks.json with runOn: folderOpen plus a suspicious command. Not reliably detected today. |
| v0.2.66 added 8 discovery_file_poisoning patterns for config and discovery files, broadening coverage of agent-readable configuration. | Python .pth startup hooks — an executable import line invoking a subprocess or network call at interpreter start. Not detected today. |
|  | Hades package IOCs — the affected PyPI package names and versions as a time-bounded indicator set, pending primary-source confirmation. Not shipped today. |
To be explicit, the right-hand column is a list of gaps, not current coverage. These are surfaces we are adding patterns for; until those patterns ship and pass a clean-code false-positive gate, we do not claim to catch them.
.pth compromise,” “protects VS Code folder-open,” or “caught this before the industry did.” The honest claim is narrower and stronger: Miasma and Hades validate the threat model Sunglasses was built for, and Sunglasses is designed to filter hostile agent input before it reaches the model.
For the broader honest boundary of detection, see what Sunglasses catches and does not catch.
The right response to Miasma and Hades is not panic; it is pre-ingestion inspection. Before an untrusted repository reaches an AI coding agent or editor, treat its agent-readable surfaces as inputs to scan, not as trusted project files.
- Inspect .claude/settings.json and .gemini/settings.json for SessionStart hooks, .cursor/rules/*.mdc for alwaysApply setup lures, and .vscode/tasks.json for runOn: folderOpen tasks before opening the folder in an agent.
- Check installed packages for .pth files containing import lines that invoke subprocesses or network calls.
- A .github/setup.js referenced by config files is a setup-on-open lure, not normal project tooling.

This is the workflow Sunglasses is built for: scan the repository content and agent-facing metadata an AI agent would read, in CI or locally, before that content reaches the model. We are precise about which of the surfaces above are covered today and which are on the roadmap, and we will map any public “we catch this” claim to tested results rather than aspirations.
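The checklist above as a small Python scan over a repository checkout, added here as an example rather than Sunglasses code or anything from the Miasma reporting: it walks the settings JSON for commands nested under a SessionStart key (that hook layout is an assumption), reads VS Code tasks for runOn: folderOpen, flags alwaysApply Cursor rules that tell the agent to run a script (a wording heuristic), and lists the import lines a .pth file would execute at interpreter start. All sample inputs used with it are constructed.

```python
import json
import re
from pathlib import Path

def _load_json(text: str):
    """Parse JSON, tolerating full-line // comments (tasks.json allows them); None if invalid."""
    try:
        return json.loads(re.sub(r"^\s*//.*$", "", text, flags=re.M))
    except ValueError:
        return None

def session_start_commands(settings_text: str) -> list[str]:
    """Every 'command' string nested under a 'SessionStart' key (assumed hook layout, walked generically)."""
    found: list[str] = []
    def walk(node, hooked: bool) -> None:
        items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else []
        for key, value in items:
            if hooked and key == "command" and isinstance(value, str):
                found.append(value)
            walk(value, hooked or key == "SessionStart")
    walk(_load_json(settings_text), False)
    return found

def folder_open_task_commands(tasks_text: str) -> list[str]:  # tasks with runOptions.runOn == folderOpen
    tasks = (_load_json(tasks_text) or {}).get("tasks", [])
    return [str(t.get("command", "")) for t in tasks
            if isinstance(t, dict) and t.get("runOptions", {}).get("runOn") == "folderOpen"]

def is_always_apply_run_rule(rule_text: str) -> bool:
    """Cursor .mdc rule with alwaysApply: true whose body tells the agent to run a script (wording heuristic)."""
    return (re.search(r"^alwaysApply:\s*true\s*$", rule_text, re.M) is not None
            and re.search(r"\b(run|execute)\b[^\n]*\b(node|python|sh|bash)\b", rule_text, re.I) is not None)

def pth_executable_lines(pth_text: str) -> list[str]:  # lines site.py executes at interpreter start
    return [ln for ln in pth_text.splitlines() if re.match(r"import[ \t]", ln)]

def scan_checkout(root: Path) -> dict[str, list[str]]:
    """Run every check over a checkout; an empty dict means nothing was flagged."""
    findings: dict[str, list[str]] = {}
    for rel in (".claude/settings.json", ".gemini/settings.json", ".vscode/tasks.json"):
        check = folder_open_task_commands if rel.endswith("tasks.json") else session_start_commands
        if (root / rel).is_file() and (hits := check((root / rel).read_text())):
            findings[rel] = hits
    for rule in (root / ".cursor" / "rules").glob("*.mdc"):
        if is_always_apply_run_rule(rule.read_text()):
            findings[str(rule.relative_to(root))] = ["alwaysApply rule instructs a script run"]
    for pth in root.rglob("*.pth"):  # vendored or installed site-packages inside the checkout
        if hits := pth_executable_lines(pth.read_text()):
            findings[str(pth.relative_to(root))] = hits
    return findings
```

Anything scan_checkout returns is a reason to read the file before letting an agent or editor open the folder, not proof of compromise on its own.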
The following outlets published verified coverage of the Miasma and Hades incident. Where a single primary source still needs confirmation — specifically the full Hades package list — that detail is described rather than printed as settled fact.
- durabletask context, the Hades naming, Shai-Hulud lineage, and Claude Code / Gemini CLI / Cursor / VS Code targeting with folder-open triggers.
- durabletask PyPI attack, the same editor and agent targeting, and config-file execution on repo open.
- .claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, .vscode/tasks.json, and .github/setup.js files and the indicators around them.
- .pth execution details. The package list it provides cites Socket and is treated here as needing one more primary-source confirmation.

Miasma is a supply-chain worm class reported in June 2026 that turned repository configuration and Python startup files into execution triggers for developer and AI-agent environments. According to coverage from The Hacker News and Dark Reading, GitHub disabled 73 Microsoft repositories on June 5 after a malicious commit landed in Azure/durabletask through a compromised contributor account. The worm planted repo-level tool configuration files so that opening or reading the repo could run a payload, rather than relying on a developer importing a package.
Per the StepSecurity technical writeup, the June 5 repo poisoning planted .claude/settings.json and .gemini/settings.json files that defined a SessionStart hook pointing at a JavaScript payload (.github/setup.js). A Cursor rule (.cursor/rules/setup.mdc) with alwaysApply set to true instructed the agent to run that file as project setup, and a VS Code .vscode/tasks.json task used runOn: folderOpen to execute on folder open with no AI agent required. The common thread is that AI coding tools read and trust these files before a human inspects them.
A .pth file is a path-configuration file read by Python's site machinery at interpreter startup. Lines that begin with import are executed during startup, so a malicious .pth line can run code whenever python, pip, pytest, or a notebook kernel starts after the package is installed, with no explicit import of the package required. The June 7 Hades PyPI wave reportedly used this technique across 37 wheels in 19 packages, according to a Phoenix Security writeup.
Yes. The Miasma incident shows that agent-readable configuration files, such as Cursor rules, agent settings, and editor task files, are an injection surface. When an AI coding agent reads .cursor/rules or .claude/settings.json and treats their contents as trusted project policy, hostile instructions placed there can steer the agent to fetch and run an attacker payload. This is indirect prompt injection through repo metadata rather than through a chat message.
Before opening an untrusted repository in an AI coding agent or editor, inspect the agent-readable surfaces that execute or steer behavior on open: .claude and .gemini settings, .cursor/rules files, .vscode/tasks.json, .github setup scripts, and any .pth files in installed packages. Treat these as inputs to scan, not as trusted project files, and run a content-layer input filter over them before the agent ingests them so a poisoned version never reaches the model.
Sunglasses is an open-source input filter for AI agent security — it scans hostile repo text and config and blocks prompt injection before your agent reads it.
github.com/sunglasses-dev/sunglasses · pip install sunglasses