{"name":"AI_DEVELOPER_TOOLCHAIN_POISONING_2026 - campaign","description":"# Executive Threat Brief — AI_DEVELOPER_TOOLCHAIN_POISONING_2026\n\n**Campaign ID:** AI_DEVELOPER_TOOLCHAIN_POISONING_2026\n**Threat Group:** TeamPCP (UNC6780)\n**Status:** ACTIVE — Open-source release June 2026, operator builds in circulation\n**Classification:** TLP:CLEAR\n\n---\n\n## Campaign Snapshot\n\nTeamPCP, a threat group tracked by Phoenix Security as UNC6780, publicly released a self-spreading worm called Miasma in June 2026 under an open-source licence, complete with build instructions and operator documentation. A single stolen developer credential — the kind routinely exposed in leaked configuration files or CI pipeline logs — is sufficient to trigger the full attack chain. Once running, the worm harvests every secret it can reach across the developer machine, CI pipeline, and connected cloud environments, then spreads to every package the compromised developer publishes and every GitHub Action they maintain.\n\nThe defining characteristic of this campaign is persistence inside AI coding tools. Miasma injects itself into the configuration of thirteen AI coding assistants including Claude Code, GitHub Copilot, Codex, Gemini CLI, and Amazon Q, ensuring the worm re-executes silently every time the developer opens a new session — indefinitely, and through tool reinstallation. No CVE has been assigned. Conventional vulnerability scanners have no detection surface for this threat.\n\nThe open-source release means any operator can build and deploy a customised variant with their own command-and-control infrastructure in under five minutes. This is not a future risk; Phoenix Security researchers confirmed active operator builds within 48 hours of the release commit.\n\n---\n\n## What Is Affected\n\n### Software\n\n| Software | Vulnerable Condition | Safe Condition | Action |\n|----------|---------------------|----------------|--------|\n| Claude Code | Any version — hook injected into settings.json | Settings file audited and clean | Audit ~/.claude/settings.json for SessionStart hooks |\n| GitHub Copilot | Any version — .github/copilot-instructions.md modified | Instructions file audited | Audit instruction files in all repos |\n| OpenAI Codex | Any version — settings.json hook injected | Settings file audited | Audit ~/.config/codex/settings.json |\n| Gemini CLI | Any version — settings.json hook injected | Settings file audited | Audit ~/.config/gemini/settings.json |\n| Amazon Q | Any version — settings.json hook injected | Settings file audited | Audit Amazon Q config directory |\n| Kiro, Cline, Aider, Tabby, Cody, Bolt, Continue, OpenCode | Any version | Settings file audited | Audit all AI tool config directories |\n\n### Libraries\n\n| Package | Ecosystem | Vulnerable Condition | Safe Version | Action |\n|---------|-----------|---------------------|--------------|--------|\n| Any NPM package maintained by compromised account | npm | Trojanized with preinstall script | Clean republish from uncompromised account | Audit preinstall field in all maintained packages |\n| Any PyPI package maintained by compromised account | PyPI | Trojanized with .pth loader | Clean republish | Audit wheel contents for .pth files |\n| Any RubyGems package maintained by compromised account | RubyGems | Trojanized with native extension | Clean republish | Audit gem for unexpected ext/ directory |\n| Any GitHub Action maintained by compromised account | GitHub Actions | Semver tags force-pushed to orphan commits | Tags reset to verified commit SHAs | Audit all v* tags for parentless commits |\n\n---\n\n## Business Impact\n\n- **Credential theft at scale:** All secrets accessible from a compromised developer machine — GitHub tokens, AWS/Azure/GCP credentials, Kubernetes configs, Vault tokens, SSH keys, browser-stored credentials, password manager vaults — are harvested and exfiltrated within minutes of first execution.\n- **CI/CD pipeline compromise:** GitHub Actions secrets exposed in runner memory are extracted via direct process memory access. All repository secrets from any workflow run during the compromise window should be treated as stolen.\n- **Supply chain propagation to customers and partners:** Every NPM, PyPI, and RubyGems package published by a compromised account, and every GitHub Action tagged for public use, becomes a delivery vehicle for the worm to downstream consumers. A single compromised maintainer can affect thousands of downstream installations.\n- **Persistent AI tool backdoor:** The SessionStart hook survives tool reinstallation. Organisations that remediate a CI compromise without auditing every developer's AI tool configuration will be reinfected on the next session open.\n- **DEADMAN_SWITCH counter-revocation:** Revoking credentials without first network-isolating the compromised machine triggers a destructive cleanup command that deletes home directory contents. Incorrect remediation order can cause data loss.\n- **AWS EC2 lateral movement:** Valid AWS credentials trigger a sweep of all SSM-managed EC2 instances across all 17 AWS regions, deploying the worm to the full managed fleet.\n- **SLSA provenance trust bypass:** Trojanized packages published via the OIDC path carry valid SLSA v1 provenance bundles signed by real Fulcio certificates with Rekor transparency log entries. npm audit signatures reports these packages as legitimate.\n- **Regulatory and compliance exposure:** Credential theft at CI/CD scope likely meets breach notification thresholds under UK GDPR, DORA, and NIST CSF. Supply chain propagation to customers triggers additional notification obligations.\n\n---\n\n## Immediate Actions (Next 24–72 Hours)\n\n| # | Action | Owner | Deadline |\n|---|--------|-------|----------|\n| 1 | Search all developer machines for `/tmp/tmp.0144018410.lock` — presence confirms Miasma has executed | Security Operations | 4 hours |\n| 2 | Grep all AI tool settings files for `bun run ~/.config/index.js` across all developer machines | Security Operations | 4 hours |\n| 3 | Network-isolate any confirmed compromised machine BEFORE revoking credentials | Incident Response | Immediately on confirmation |\n| 4 | Revoke all GitHub PATs, NPM tokens, PyPI tokens, and RubyGems tokens for confirmed compromised accounts simultaneously | Security Operations | Within 1 hour of isolation |\n| 5 | Audit all GitHub Action semver tags (v*) maintained by the organisation for orphan commits — any tag pointing to a parentless commit is suspect | DevSecOps | 8 hours |\n| 6 | Enable immutable tag protection rules on all GitHub repositories to block future force-push tag hijacking | DevSecOps | 24 hours |\n| 7 | Remove Docker socket (`/var/run/docker.sock`) from all CI runner configurations | Platform Engineering | 24 hours |\n| 8 | Inspect and clean /etc/hosts on all CI runners for stepsecurity.io entries pointing to 127.0.0.1 | Security Operations | 8 hours |\n| 9 | Audit all NPM/PyPI/RubyGems packages published by the organisation for injected preinstall scripts, .pth files, and unexpected ext/ directories | AppSec / DevSecOps | 48 hours |\n| 10 | Rotate all repository secrets in GitHub for any repository whose workflows ran during the confirmed compromise window | DevSecOps | 48 hours |\n\n---\n\n## Key IOCs (Fast Reference)\n\n| Type | Value | Context |\n|------|-------|---------|\n| Host Artifact | `/tmp/tmp.0144018410.lock` | PID lock file — worm has executed on this machine |\n| Host Artifact | `~/.config/index.js` | Encrypted worm payload — AI tool SessionStart hook target |\n| Host Artifact | `/tmp/.sshu-[6chars]/ai_setup.sh` | SSH propagation bash loader in temp directory |\n| Host Artifact | `/tmp/update-[random]/updater.py` | Dropped Python persistence monitor |\n| Persistence | `hooks.SessionStart: bun run ~/.config/index.js` in any AI tool settings.json | Active SessionStart hook injection |\n| Network | `stepsecurity[.]io` → `127[.]0[.]0[.]1` in /etc/hosts | Harden-Runner DNS blinding — active countermeasure |\n| URL | HTTPS POST to `api[.]anthropic[.]com/v1/api` from non-browser process | C2 exfiltration masquerade (sample build; operator builds use different domains) |\n| Credential / Token | `DontRevokeOrItGoesBoom` in GitHub commit search | PAT delivery channel search string — HIGH confidence structural IOC |\n| Credential / Token | `TheBeautifulSandsOfTime` in GitHub commit search | C2 command channel search string — HIGH confidence structural IOC |\n| Credential / Token | `thebeautifulmarchoftime` in GitHub commit search | Fallback C2 domain rotation prefix — HIGH confidence structural IOC |\n| Commit Pattern | `firedalazer <base64>.<base64sig>` in any commit message | Signed backup C2 URL — HIGH confidence structural IOC |\n| Repository | GitHub repo description: `Hades * The End for the Damned` | Exfiltration staging repository |\n| Process | `bun` process spawned as child of any AI coding tool | Active hook execution |\n\n---\n\n## Risk Summary\n\n| Dimension | Rating | Rationale |\n|-----------|--------|-----------|\n| Exploitability | Critical | Single stolen GitHub PAT sufficient. No CVE. No product vulnerability to patch. Open-source release with operator build documentation. |\n| Blast Radius | Critical | Single compromised developer reaches: all their repos, all their published packages, all GitHub Actions they maintain, all SSH-connected hosts, all AWS SSM-managed EC2 across 17 regions, all downstream package consumers. |\n| Persistence Risk | Critical | Survives tool reinstallation. Redundant hooks across 13 AI tools. DEADMAN_SWITCH counter-revocation. Python background daemon. Branch-level poisoning distributes hooks to colleagues passively. |\n| Remediation Complexity | High | No single patch applicable. Requires coordinated remediation across developer machines, CI pipelines, package registries, GitHub Actions, and cloud environments simultaneously. Incorrect remediation order can cause data loss. |\n| Business Exposure | Critical | Supply chain propagation triggers customer and partner exposure. SLSA provenance forgery bypasses trust controls. Zero CVE assignment means conventional scanners provide no detection. Breach notification obligations likely if exfiltration confirmed. |\n"}