Opening a repo in VS Code, Cursor, Claude Code, or Gemini CLI can fire an attacker’s shell command before you read a single line of code. No malicious dependency. No hidden install script. Just a config file that your editor, agent, or package manager reads and acts on automatically.
SafeDep’s Miasma worm analysis documents 121 affected repositories. One commit to icflorescu/mantine-datatable — unsigned, authored as github-actions, titled chore: update dependencies [skip ci] — added six files. Five exist solely to launch the sixth: a 4,348,254-byte dropper at .github/setup.js. That size stays above GitHub’s ~384 KB code-search index limit, so the launcher files, not the dropper, are what expose the repo to a search.
The dropper’s first bytes: a Caesar shift (shift of 4) over a character-code array feeding eval. Statically decoding it reveals a staged Bun loader that AES-decrypts a credential stealer. That stealer scans for AWS, Azure, GCP, Vault, Kubernetes, npm, and GitHub secrets, then exfiltrates them to attacker-controlled public GitHub repos.
The Seven Launcher Config Files
Five launchers come from that single commit. Two more, Composer and Bundler, appear in other repos across the same campaign. Each carries the same string: node .github/setup.js.
Claude Code and Gemini CLI use SessionStart hooks. Both agents run a shell command when a session opens. The two files are byte-identical: .claude/settings.json, .gemini/settings.json. Start an agent in the folder → dropper fires before you type a prompt.
Cursor has no shell hook, so the attacker used a project rule instructing the agent to run the file: .cursor/rules/setup.mdc. Prompt injection committed into the repo.
VS Code runs a task on folder open via .vscode/tasks.json. Opening the folder fires the task, subject to the workspace-trust prompt.
npm hijacks the test script. The commit appended one line to scripts in package.json. Running tests is something developers and CI do without thinking.
Composer (PHP) uses a post-install-cmd hook in composer.json. Runs on every composer install. The commit is also backdated to 2017-03-08 with [skip ci], hiding in dormant history.
Bundler (Ruby) places a top-level system() call on line one of the Gemfile. Evaluated top to bottom every time Bundler loads it — no malicious gem needed.
Trust Prompts Won’t Save You
The editor vectors don’t bypass trust prompts. VS Code opens unfamiliar folders in Restricted Mode; Claude Code and Gemini CLI show a one-time prompt. The attacker bets you’ll click through. Developers do it every day. The attack doesn’t defeat the mechanism — it exploits the habit.
SafeDep’s deobfuscation writeup shows this obfuscation shape keeps recompiling across separate Miasma waves and unrelated malicious package campaigns. The rotation amount and encryption keys change between builds, but the harness stays the same. The payload varies. The seven config files don’t carry the payload — they each hand node .github/setup.js to your own trusted tools.
Until every IDE and agent vendor treats config-file execution as a supply-chain primitive requiring cryptographic verification, this blindspot will keep getting exploited. The next Miasma won’t look like the last one, but it will start with a config file nobody reviews.
Source: Config Files That Run Code: Supply Chain Security Blindspot
Domain: safedep.io
Comments load interactively on the live page.