critical · Supply chain

AGS-2026-0004

Miasma/Mini Shai-Hulud/Hades supply chain poisoning attack

Miasma/Mini Shai-Hulud/Hades is a supply chain poisoning attack targeting bioinformatics and MCP developers. It is more covert than earlier campaigns of this kind: the launcher is planted as a Python startup hook (a .pth file in site-packages, whose lines beginning with "import" the interpreter executes at every start-up), and the payload is carried in compiled native extensions (.so files), which do not show up in a read-through of the package's Python source.

Affected

  Package name (namePattern) and affected versions (versionRange):

  • dreamgen 1.8.1
  • embiggen 0.11.97
  • ensmallen 0.8.101
  • gpsea 0.9.14
  • instructor-mcp 1.15.2, 1.15.3
  • mem8 6.0.1
  • mflux-streamlit 0.0.3, 0.0.4
  • openai-mcp 2.41.1, 2.41.2
  • orchestr8-platform 3.3.2
  • phenopacket-store-toolkit 0.1.7
  • ppkt2synergy 0.1.1
  • pyphetools 0.9.120
  • ray-mcp-server 0.2.1
  • rlask 3.1.7
  • rsquests 2.34.3
  • tiktoken-mcp 0.13.1, 0.13.2
  • tlask 3.1.4

Self-check

AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.

Inspect paths

  • ~/.local/lib/python*/site-packages/
  • /Library/Python/**/site-packages/
  • C:\Users\**\AppData\Local\Programs\Python\Python311\Lib\site-packages\
  • ./venv/lib/python*/site-packages/
  • /tmp/

Remediation: uninstall

1. Check the Python environment for malicious packages

     pip list | grep -E "langchain-core-mcp|ensmallen|embiggen|pyphetools|rsquests|tlask"

   This pattern covers only part of the Affected list above (and names langchain-core-mcp, which is not in it); compare the full list, with exact versions, against pip list in every interpreter and virtualenv on the host, not only the default one.

2. Inspect stealthy Python startup hooks (.pth)

     find . -name "langchain_core-setup.pth" 2>/dev/null | grep -q . && echo "⚠️ MALICIOUS LAUNCHER DETECTED"

   Run this from (or pass as the starting point) each directory listed under Inspect paths. The pipe through grep -q . is required because find exits 0 even when nothing matches, so find ... && echo on its own prints the warning on a clean host. A .pth file is processed by site.py at every interpreter start, and any line beginning with "import" is executed, which is what makes it a launcher.

3. Check for trojaned native extensions and payloads

     find . -name "*.abi3.so" -o -name "_index.js"

   Every stable-ABI wheel installs *.abi3.so files, so a match is a candidate to attribute to its package (pip show -f <package>) and review, not a confirmed finding. An _index.js under site-packages or a temporary directory is the payload file named in the cleanup step below.

4. Check for system-level persistence and execution evidence

     # Linux / macOS: Bun runtime execution marker and SSH propagation artifact
     for f in /tmp/.bun_ran /tmp/.sshu-setup.js; do
       [ -e "$f" ] && echo "🚨 COMPROMISED (Malware has executed): $f"
     done

     # Windows: execution marker in the temp directory
     dir "%TEMP%\.bun_ran" 2>nul && echo "🚨 COMPROMISED (Malware has executed)"

   The files are tested one at a time because ls -la a b && echo only fires when both exist; a host with .bun_ran alone has still executed the malware.

5. Critical mitigation actions
   (1) Immediate uninstallation: run pip uninstall <package-name> for every affected package, in every environment where it was found.
   (2) Environment cleanup: delete any detected .pth files, the _index.js file in temporary directories, and the .bun_ran execution markers.
   (3) Credential isolation and rotation (most critical): immediately revoke and rotate all production credentials, GitHub tokens, PyPI/npm registry publishing keys, AWS/GCP cloud credentials, and SSH keys that were stored on or used from this machine.
   (4) CI/CD runner auditing: inspect CI/CD runners for signs of compromise, such as abnormal Docker socket (/var/run/docker.sock) abuse or unauthorized modifications to /etc/hosts.
Additional hunting strings and host indicators

  • thebeautifulmarchoftime: fallback C2 discovery string
  • thebeautifulsnadsoftime: fallback C2 discovery string
  • /tmp/.sshu-setup.js: SSH propagation file path
  • /var/run/docker.sock: legitimate Docker socket targeted for abuse when accessible
  • harden-runner: legitimate StepSecurity defensive tooling targeted by the malware
  • step-security: legitimate StepSecurity identifier targeted by the malware
  • stepsecurity: legitimate StepSecurity identifier targeted by the malware
  • agent.stepsecurity.io: legitimate StepSecurity telemetry domain reportedly blocked by the malware
  • api.stepsecurity.io: legitimate StepSecurity API domain reportedly blocked by the malware
  • app.stepsecurity.io: legitimate StepSecurity application domain reportedly blocked by the malware

The three StepSecurity domains are worth checking for explicitly when auditing /etc/hosts and egress logs on CI runners.
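The self-check steps and the hunting strings above, combined into one offline script. This is an added example written for this page, not AgentGuard's guard code: it encodes the Affected list, the way CPython's site.py treats "import" lines in .pth files, the execution markers and the fallback C2 strings, and runs all of them against a constructed sample tree in a temporary directory so it can be executed anywhere. The sample files, the demo package dictionary (only the openai_mcp entry is a real affected version) and the function names are constructed for illustration; on a real host, point executable_pth_lines and hunt_strings at the Inspect paths listed above and present_markers at /tmp.

```python
"""Offline self-check for the indicators in this advisory (added example)."""
import re
import tempfile
from pathlib import Path

# Package -> affected versions, copied from the Affected list above.
AFFECTED = {
    "dreamgen": {"1.8.1"}, "embiggen": {"0.11.97"}, "ensmallen": {"0.8.101"},
    "gpsea": {"0.9.14"}, "instructor-mcp": {"1.15.2", "1.15.3"}, "mem8": {"6.0.1"},
    "mflux-streamlit": {"0.0.3", "0.0.4"}, "openai-mcp": {"2.41.1", "2.41.2"},
    "orchestr8-platform": {"3.3.2"}, "phenopacket-store-toolkit": {"0.1.7"},
    "ppkt2synergy": {"0.1.1"}, "pyphetools": {"0.9.120"}, "ray-mcp-server": {"0.2.1"},
    "rlask": {"3.1.7"}, "rsquests": {"2.34.3"}, "tiktoken-mcp": {"0.13.1", "0.13.2"},
    "tlask": {"3.1.4"},
}
# Execution markers and dropped files named in the advisory (looked up in a temp dir).
MARKERS = [".bun_ran", ".sshu-setup.js", "_index.js"]
# Fallback C2 discovery strings and the SSH propagation path, as byte needles.
HUNT_STRINGS = [b"thebeautifulmarchoftime", b"thebeautifulsnadsoftime", b"/tmp/.sshu-setup.js"]


def normalize(name):
    """PEP 503 name normalisation so openai_mcp and openai-mcp compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def affected_installs(installed):
    """installed: {name: version}, e.g. parsed from `pip list --format=json`.
    Returns [(name, version)] for installs whose version is an affected one."""
    return [(n, v) for n, v in installed.items() if v in AFFECTED.get(normalize(n), ())]


def executable_pth_lines(site_packages):
    """CPython's site.py exec()s every .pth line that starts with 'import '
    or 'import\\t' at interpreter start-up; other lines are just sys.path
    entries. Returns [(pth_path, line)] for the executable lines."""
    hits = []
    for pth in sorted(Path(site_packages).glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                hits.append((str(pth), line.rstrip()))
    return hits


def present_markers(tmp_dir):
    """Marker files from the advisory that exist under tmp_dir (e.g. /tmp)."""
    return [str(Path(tmp_dir) / m) for m in MARKERS if (Path(tmp_dir) / m).exists()]


def hunt_strings(root, needles=HUNT_STRINGS):
    """Byte-search every file under root, so .abi3.so and .js payloads are
    covered too. Returns {path: [needle, ...]} for files containing a needle."""
    hits = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            found = [n.decode() for n in needles if n in p.read_bytes()]
            if found:
                hits[str(p)] = found
    return hits


def build_constructed_tree(base):
    """CONSTRUCTED sample, not real malware: a site-packages dir holding a
    .pth start-up hook and an 'abi3' extension that embeds one C2 string,
    plus a tmp dir holding the execution marker. Nothing here is executed."""
    sp = Path(base) / "site-packages"
    sp.mkdir()
    (sp / "langchain_core-setup.pth").write_text(
        "import sys; print('constructed hook ran')\n/some/legit/path\n")
    (sp / "_speedup.abi3.so").write_bytes(b"\x7fELF" + b"\0" * 12 + b"thebeautifulmarchoftime\0")
    tmp = Path(base) / "tmp"
    tmp.mkdir()
    (tmp / ".bun_ran").touch()
    return sp, tmp


def run_on_constructed_tree():
    """Run all four checks against the constructed tree; returns a summary."""
    with tempfile.TemporaryDirectory() as base:
        sp, tmp = build_constructed_tree(base)
        return {
            "affected": affected_installs({"openai_mcp": "2.41.1", "requests": "2.32.3"}),
            "hooks": [line for _, line in executable_pth_lines(sp)],
            "markers": [Path(m).name for m in present_markers(tmp)],
            "hunt": sorted(n for ns in hunt_strings(sp).values() for n in ns),
        }


if __name__ == "__main__":
    for check, result in run_on_constructed_tree().items():
        print(f"{check}: {result}")
```

Name normalisation matters because pip and importlib.metadata may report the same project as openai_mcp or openai-mcp; without it a version match is silently missed. The byte search is used instead of grep -r because the strings of interest sit inside ELF and JavaScript files, where grep may only report "binary file matches".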
