Miasma/Mini Shai-Hulud/Hades supply chain poisoning attack targeting bioinformatics and MCP developers. This incident is more covert than previous ones: it uses Python startup hooks (.pth files) and compiled native binary extensions (.so files).
AGS-2026-0004
Miasma/Mini Shai-Hulud/Hades supply chain poisoning attack
Affected
- namePattern: dreamgen; versionRange: 1.8.1
- namePattern: embiggen; versionRange: 0.11.97
- namePattern: ensmallen; versionRange: 0.8.101
- namePattern: gpsea; versionRange: 0.9.14
- namePattern: instructor-mcp; versionRange: 1.15.2 1.15.3
- namePattern: mem8; versionRange: 6.0.1
- namePattern: mflux-streamlit; versionRange: 0.0.3 0.0.4
- namePattern: openai-mcp; versionRange: 2.41.1 2.41.2
- namePattern: orchestr8-platform; versionRange: 3.3.2
- namePattern: phenopacket-store-toolkit; versionRange: 0.1.7
- namePattern: ppkt2synergy; versionRange: 0.1.1
- namePattern: pyphetools; versionRange: 0.9.120
- namePattern: ray-mcp-server; versionRange: 0.2.1
- namePattern: rlask; versionRange: 3.1.7
- namePattern: rsquests; versionRange: 2.34.3
- namePattern: tiktoken-mcp; versionRange: 0.13.1 0.13.2
- namePattern: tlask; versionRange: 3.1.4
Self-check
AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.
Inspect paths
- ~/.local/lib/python*/site-packages/
- /Library/Python/**/site-packages/
- C:\Users\**\AppData\Local\Programs\Python\Python311\Lib\site-packages\
- ./venv/lib/python*/site-packages/
- /tmp/
Remediation: uninstall
1. Check Python Environment for Malicious Packages
pip list | grep -E "langchain-core-mcp|ensmallen|embiggen|pyphetools|rsquests|tlask"
2. Inspect Stealthy Python Startup Hooks (.pth)
find . -name "langchain_core-setup.pth" 2>/dev/null | grep . && echo "⚠️ MALICIOUS LAUNCHER DETECTED"
3. Check for Trojaned Native Extensions and Payloads
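# Matches are candidates only: legitimate packages also ship .abi3.so extensions, so review each hit against the affected list
find . -name "*.abi3.so" -o -name "_index.js"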
4. Check for System-Level Persistence & Execution Evidence
# Linux / macOS: Check for Bun runtime execution marker and SSH propagation artifact
for f in /tmp/.bun_ran /tmp/.sshu-setup.js; do [ -e "$f" ] && ls -la "$f" && echo "🚨 COMPROMISED (Malware has executed)"; done
# Windows: Check for execution marker in temp directory
dir "%TEMP%\.bun_ran" 2>nul && echo "🚨 COMPROMISED (Malware has executed)"
5. Critical Mitigation Actions
(1) Immediate Uninstallation: Run pip uninstall <package-name> to remove any affected packages.
(2) Environment Cleanup: Delete any detected .pth files, the _index.js file in temporary directories, and the .bun_ran execution markers.
(3) Credential Isolation & Rotation (Most Critical): Immediately revoke and rotate all production credentials, GitHub Tokens, PyPI/npm registry publishing keys, AWS/GCP cloud credentials, and SSH keys that have been touched by or stored on this machine.
(4) CI/CD Runner Auditing: Inspect CI/CD runners for any signs of compromise, such as abnormal Docker socket abuse or unauthorized modifications to the /etc/hosts file.
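An added example, not part of the original advisory or of AgentGuard's own tooling: a Python sweep that generalizes step 2 by flagging any .pth file containing lines that Python's site module executes at startup, in addition to the file name the advisory lists. The function names and the report format are assumptions of this example.

```python
import os
import site
from pathlib import Path

# File name from step 2 of the advisory.
KNOWN_BAD_PTH = {"langchain_core-setup.pth"}


def executable_lines(pth_path):
    """Return (line_no, text) for each line site.py would exec() at startup.

    site.py runs a .pth line as code when it starts with "import" followed
    by a space or tab; other non-comment lines are only sys.path entries.
    """
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    return [(no, line.strip())
            for no, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]


def audit_pth(roots):
    """Report .pth files under roots that match the advisory's file name or
    contain executable lines. Recursive, like the advisory's find command."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):
                if not name.endswith(".pth"):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    code = executable_lines(path)
                except OSError:
                    continue  # unreadable file: keep sweeping
                known = name in KNOWN_BAD_PTH
                if known or code:
                    findings.append({"path": path, "known_ioc": known, "code": code})
    return findings


def default_roots():
    """Site-packages directories of the interpreter running this script."""
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    return [d for d in dirs if os.path.isdir(d)]


if __name__ == "__main__":
    for f in audit_pth(default_roots()):
        print("[ADVISORY IOC]" if f["known_ioc"] else "[review]", f["path"])
        for no, line in f["code"]:
            print(f"    line {no}: {line[:120]}")
```

Legitimate tooling such as setuptools and editable installs also ships .pth files with import lines, so `[review]` findings need a manual look; only the advisory's file name is treated as a confirmed indicator.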
Additional Hunting Strings and Host Indicators:
thebeautifulmarchoftime — fallback C2 discovery string
thebeautifulsnadsoftime — fallback C2 discovery string
/tmp/.sshu-setup.js — SSH propagation file path
/var/run/docker.sock — legitimate Docker socket targeted for abuse when accessible
harden-runner — legitimate StepSecurity defensive tooling targeted by the malware
step-security — legitimate StepSecurity identifier targeted by the malware
stepsecurity — legitimate StepSecurity identifier targeted by the malware
agent.stepsecurity.io — legitimate StepSecurity telemetry domain reportedly blocked by the malware
api.stepsecurity.io — legitimate StepSecurity API domain reportedly blocked by the malware
app.stepsecurity.io — legitimate StepSecurity application domain reportedly blocked by the malware