{"id":51562932,"url":"https://github.com/cookiengineer/antimiasma","last_synced_at":"2026-07-10T12:01:47.237Z","repository":{"id":363422954,"uuid":"1262738920","full_name":"cookiengineer/antimiasma","owner":"cookiengineer","description":":rocket: Miasma Malware Discovery and Mitigation Tool","archived":false,"fork":false,"pushed_at":"2026-06-19T13:19:28.000Z","size":31,"stargazers_count":10,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-06-19T15:22:10.130Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cookiengineer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-08T09:19:52.000Z","updated_at":"2026-06-19T13:19:32.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/cookiengineer/antimiasma","commit_stats":null,"previous_names":["cookiengineer/antimiasma"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/cookiengineer/antimiasma","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cookiengineer%2Fantimiasma","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cookiengineer%2Fantimiasma/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cookiengineer%2Fantimiasma/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cookiengineer%2Fantimiasma/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cookiengineer","download_url":"https://codeload.github.com/cookiengineer/antimiasma/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cookiengineer%2Fantimiasma/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35330738,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-10T02:00:06.465Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-07-10T12:01:42.780Z","updated_at":"2026-07-10T12:01:47.222Z","avatar_url":"https://github.com/cookiengineer.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# Antimiasma\n\nThis is a Discovery and Mitigation Tool for the Miasma malware or\nMiasma worm which is distributed by TeamPCP also known as APT28/29.\n\nDetailed Blogpost about the Miasma Malware:\n\nhttps://cookie.engineer/weblog/articles/malware-insights-miasma-campaign.html\n\n\n### Download\n\nIf you don't have `go` installed, ready-to-use downloads are available in the\n[Releases section](https://github.com/cookiengineer/antimiasma/releases/tag/latest)\non GitHub.\n\n\n### Usage\n\nThis shows how to:\n\n- discover infected repositories\n- mitigate infected repositories by removing the implants/tasks/scripts\n\n```bash\nantimiasma discover ~/Software; # shows a list of infected repositories\nantimiasma mitigate ~/Software; # removes the miasma worm in all infected repositories\n```\n\n\n### Testing\n\nA minimal Miasma implant sample is available at [miasma-sample](https://github.com/cookiengineer/miasma-sample).\nThat repository contains the spreading mechanisms and infiltrated files, but not the actual malware implant.\n\nIf you're unsure whether `antimiasma` works on your system, you can clone the `miasma-sample` repository safely\nto test the `antimiasma discover` and `antimiasma mitigate` actions against it.\n\n```bash\ngit clone https://github.com/cookiengineer/miasma-sample.git /tmp/miasma-sample;\n\n# shows the /tmp/miasma-sample repository as infected\nantimiasma discover /tmp;\n\n# mitigates the infected repository\nantimiasma mitigate /tmp;\n```\n\n\n### Implementation Status\n\nTake a look at the [utils/miasma](/source/utils/miasma) folder for implementation details.\n\nPS: If you have a malware sample of ongoing miasma campaigns that are not supported, PLEASE\ndon't hesitate to file an issue and send me the malware sample so that I can debug/reverse\nengineer it and add support for removal. Thank you!\n\n| Name          | Type            | Infected File              | Description                                          | Discover | Mitigate |\n|:--------------|:----------------|:---------------------------|:-----------------------------------------------------|:--------:|:--------:|\n| Claude Code   | IDE             | `.claude/settings.json`    | executes on Claude Code session start                | [x]      | [x]      |\n| Cursor        | IDE             | `.cursor/rules/setup.mdc`  | executes on open of folder/repo in Cursor            | [x]      | [x]      |\n| Gemini        | IDE             | `.gemini/settings.json`    | executes on Gemini session start                     | [x]      | [x]      |\n| VSCode        | IDE             | `.vscode/tasks.json`       | executes on open of folder/repo in VS Code           | [x]      | [x]      |\n| AUR           | AUR Packages    | `PKGBUILD` and `*.install` | executes on `prepare`, `build`, `install`, `package` | [x]      | [2]      |\n| Composer      | PHP Packages    | `composer.json`            | executes on `composer run` script                    | [x]      | [x]      |\n| Go            | Go Packages     | `go.mod`                   | executes on `go generate` and `go build`             | [NEED SAMPLE](https://github.com/cookiengineer/antimiasma/issues) | [NEED SAMPLE](https://github.com/cookiengineer/antimiasma/issues) |\n| NPM           | NPM Packages    | `package.json`             | executes on `npx` or `npm run` script                | [x]      | [x]      |\n| Pacman        | Pacman Packages | `install`                  | executes on `{pre,post}_{install,upgrade,remove}`    | [x]      | [2]      |\n| PIP           | PyPI Packages   | `*-setup.pth`              | executes on `pip install` of dependencies            | [x]      | [1]      |\n| Miasma Blight | Bun Implant     | `.github/setup.js`         | the Miasma \"Blight\" campaign worm implant            | [x]      | [x]      |\n| Miasma Hades  | Bun Implant     | `_index.js`                | the Miasma \"Hades\" campaign worm implant             | [x]      | [x]      |\n| Miasma Atomic | eBPF Implant    | `src/hook/deps`            | the Miasma \"Atomic Arch\" campaign worm implant       | [x]      | [x]      |\n\n[1] `pip install` commands use compressed `whl` files for distribution. The `*-setup.pth` cannot be detected.\n    Only after an infected package already ran the malware payload, the Miasma implant can be removed.\n\n[2] needs manual mitigation of already installed packages that were discovered in `/var/lib/pacman/local/*`.\n\n### Notes\n\nThis Mitigation Tool has been implemented with an abliterated `qwen3-coder:30b@Q8` running\ninside the [exocomp](https://github.com/cookiengineer/exocomp) Agentic Environment.\n\n\n### Acknowledgements\n\n- RedHat, for disclosing the breach very quickly and correctly\n- My cat, for emotional support during implementation\n- The Prodigy, for being the best music band of our time\n- Person of Interest and Michael Emerson, for the remnant inspiration for this with ICE9\n- TeamPCP, the assumed authors of Miasma, for making my weekend more fun\n\n\n### Reading Material\n\nMiasma Blight Campaign:\n\n- https://access.redhat.com/security/vulnerabilities/RHSB-2026-006\n- https://safedep.io/miasma-worm-ai-coding-agent-config-injection/\n\nMiasma Hades Campaign:\n\n- https://socket.dev/blog/shai-hulud-descends-to-hades-miasma-pypi-wave\n- https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious\n- https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents\n\nMiasma Atomic Campaign:\n\n- https://ioctl.fail/preliminary-analysis-of-aur-malware/\n- https://thecybersecguru.com/news/atomic-arch-aur-supply-chain-attack-ebpf-rootkit/\n- https://sha0coder.github.io/scales/\n\n\n### License\n\nAGPL-3.0\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcookiengineer%2Fantimiasma","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcookiengineer%2Fantimiasma","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcookiengineer%2Fantimiasma/lists"}