It’s In Your AI Assistant Now: Shai-Hulud Wave 3 and the Miasma Worm Targeting npm

What Happened

A new version of a malicious software worm called Miasma is spreading through popular software building blocks (npm packages). It affects software developers, particularly those using AI coding assistants like Claude, Cursor, and Gemini, by hiding malicious code inside their tool settings. This matters because the worm steals sensitive passwords and cloud access keys, and it is designed to survive standard cleanup methods. Organizations should immediately audit their developer tool configurations, rotate potentially exposed credentials, and implement runtime protection to stop the malware from executing.

Key Takeaways

• Miasma (Shai-Hulud Wave 3) bypasses lifecycle script monitoring by using a weaponized binding.gyp executed by node-gyp during native builds.
• The worm establishes deep persistence in AI coding assistant and IDE configuration files (e.g., .claude, .cursor, .vscode), surviving standard package removal.
• It forges trust by republishing compromised packages with valid Sigstore provenance attestations.
• The malware features a 48-hour dormancy period and actively checks for EDR/sandbox environments like CrowdStrike and SentinelOne.
• It targets a wide range of credentials across npm, GitHub, AWS, GCP, Azure, Vault, and Kubernetes.

Affected Systems

• npm ecosystem
• RubyGems
• GitHub Actions and self-hosted runners
• AI coding assistants (Claude, Cursor, Gemini)
• Visual Studio Code (VS Code)
• Docker environments

Attack Chain

The Miasma worm infiltrates developer environments via compromised npm packages, triggering execution during the native build step using a weaponized binding.gyp file. Once executed, it checks for EDRs and sandboxes, remaining dormant for 48 hours to evade detection. It then establishes persistence by injecting malicious hooks into AI assistant and IDE configuration files (e.g., .vscode, .claude). Finally, it steals credentials across multiple cloud and development platforms while self-replicating across npm, RubyGems, and GitHub using valid Sigstore attestations.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules but outlines behavioral indicators and persistence locations for hunting.

Detection Engineering Assessment

EDR Visibility: Medium — EDRs can detect credential access and anomalous child processes from node-gyp or IDEs, but the malware actively checks for major EDRs (CrowdStrike, SentinelOne, Carbon Black) and employs a 48-hour dormancy period to evade dynamic analysis. Network Visibility: Low — No specific C2 infrastructure or network patterns are detailed in the article, making network-based detection difficult without further IOCs. Detection Difficulty: Hard — The malware bypasses standard npm lifecycle script monitoring, uses valid Sigstore attestations, and hides persistence in obscure AI tooling configuration files.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon Event ID 1)
• File Creation/Modification (Sysmon Event ID 11)

Hunting Hypotheses

Control Gaps

• npm lifecycle script monitoring (preinstall/postinstall)
• Sigstore provenance validation (trusts forged attestations)
• Standard malware scanners (miss AI tooling directories)

Key Behavioral Indicators

• Execution of binding.gyp outside expected native module builds
• Modifications to .claude, .cursor, .gemini, or .vscode directories by node processes
• Presence of unexpected .github/setup.js files in repositories

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Audit developer environments for the presence of compromised packages like @vapi-ai/server-sdk, ai-sdk-ollama, and the jagreehal family.
• Rotate all potentially exposed credentials, including npm, GitHub, AWS, Azure, GCP, Vault, and Kubernetes tokens, if compromised packages are found.

Infrastructure Hardening

• Consider restricting Docker socket access to prevent container-escape-to-root privilege escalation.
• Evaluate the implementation of pre-execution runtime protection or Automated Moving Target Defense (AMTD) on developer endpoints and CI/CD hosts.

User Protection

• Audit AI assistant and IDE configuration directories (.claude, .cursor, .gemini, .vscode) for unauthorized hooks or MCP server entries.
• Assume that standard cleanup commands like npm uninstall or deleting node_modules are insufficient for removing persistence.

Security Awareness

• Educate developers that valid cryptographic provenance (like Sigstore) does not guarantee a package is free of malicious behavior.

MITRE ATT&CK Mapping

• T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
• T1059 - Command and Scripting Interpreter
• T1546 - Event Triggered Execution
• T1552 - Unsecured Credentials
• T1480 - Execution Guardrails
• T1554 - Compromise Client Software Binary

Additional IOCs

• File Paths:
  • .claude/settings.json - AI assistant configuration file modified to include a SessionStart hook for persistence.
  • .cursor/rules/setup.mdc - AI assistant configuration file modified for persistence.
  • .gemini/settings.json - AI assistant configuration file modified for persistence.
  • .vscode/tasks.json - IDE configuration file modified to execute the payload on folder-open.
  • .github/setup.js - Injected GitHub Action script used for persistence.
  • binding.gyp - Weaponized native build file used as the initial execution trigger by node-gyp.