https://github.com/cookiengineer/antimiasma
:rocket: Miasma Malware Discovery and Mitigation Tool
https://github.com/cookiengineer/antimiasma
Last synced: 4 days ago
JSON representation
:rocket: Miasma Malware Discovery and Mitigation Tool
- Host: GitHub
- URL: https://github.com/cookiengineer/antimiasma
- Owner: cookiengineer
- Created: 2026-06-08T09:19:52.000Z (about 1 month ago)
- Default Branch: master
- Last Pushed: 2026-06-19T13:19:28.000Z (25 days ago)
- Last Synced: 2026-06-19T15:22:10.130Z (24 days ago)
- Language: Go
- Size: 30.3 KB
- Stars: 10
- Watchers: 0
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Antimiasma
This is a Discovery and Mitigation Tool for the Miasma malware or
Miasma worm which is distributed by TeamPCP also known as APT28/29.
Detailed Blogpost about the Miasma Malware:
https://cookie.engineer/weblog/articles/malware-insights-miasma-campaign.html
### Download
If you don't have `go` installed, ready-to-use downloads are available in the
[Releases section](https://github.com/cookiengineer/antimiasma/releases/tag/latest)
on GitHub.
### Usage
This shows how to:
- discover infected repositories
- mitigate infected repositories by removing the implants/tasks/scripts
```bash
antimiasma discover ~/Software; # shows a list of infected repositories
antimiasma mitigate ~/Software; # removes the miasma worm in all infected repositories
```
### Testing
A minimal Miasma implant sample is available at [miasma-sample](https://github.com/cookiengineer/miasma-sample).
That repository contains the spreading mechanisms and infiltrated files, but not the actual malware implant.
If you're unsure whether `antimiasma` works on your system, you can clone the `miasma-sample` repository safely
to test the `antimiasma discover` and `antimiasma mitigate` actions against it.
```bash
git clone https://github.com/cookiengineer/miasma-sample.git /tmp/miasma-sample;
# shows the /tmp/miasma-sample repository as infected
antimiasma discover /tmp;
# mitigates the infected repository
antimiasma mitigate /tmp;
```
### Implementation Status
Take a look at the [utils/miasma](/source/utils/miasma) folder for implementation details.
PS: If you have a malware sample of ongoing miasma campaigns that are not supported, PLEASE
don't hesitate to file an issue and send me the malware sample so that I can debug/reverse
engineer it and add support for removal. Thank you!
| Name | Type | Infected File | Description | Discover | Mitigate |
|:--------------|:----------------|:---------------------------|:-----------------------------------------------------|:--------:|:--------:|
| Claude Code | IDE | `.claude/settings.json` | executes on Claude Code session start | [x] | [x] |
| Cursor | IDE | `.cursor/rules/setup.mdc` | executes on open of folder/repo in Cursor | [x] | [x] |
| Gemini | IDE | `.gemini/settings.json` | executes on Gemini session start | [x] | [x] |
| VSCode | IDE | `.vscode/tasks.json` | executes on open of folder/repo in VS Code | [x] | [x] |
| AUR | AUR Packages | `PKGBUILD` and `*.install` | executes on `prepare`, `build`, `install`, `package` | [x] | [2] |
| Composer | PHP Packages | `composer.json` | executes on `composer run` script | [x] | [x] |
| Go | Go Packages | `go.mod` | executes on `go generate` and `go build` | [NEED SAMPLE](https://github.com/cookiengineer/antimiasma/issues) | [NEED SAMPLE](https://github.com/cookiengineer/antimiasma/issues) |
| NPM | NPM Packages | `package.json` | executes on `npx` or `npm run` script | [x] | [x] |
| Pacman | Pacman Packages | `install` | executes on `{pre,post}_{install,upgrade,remove}` | [x] | [2] |
| PIP | PyPI Packages | `*-setup.pth` | executes on `pip install` of dependencies | [x] | [1] |
| Miasma Blight | Bun Implant | `.github/setup.js` | the Miasma "Blight" campaign worm implant | [x] | [x] |
| Miasma Hades | Bun Implant | `_index.js` | the Miasma "Hades" campaign worm implant | [x] | [x] |
| Miasma Atomic | eBPF Implant | `src/hook/deps` | the Miasma "Atomic Arch" campaign worm implant | [x] | [x] |
[1] `pip install` commands use compressed `whl` files for distribution. The `*-setup.pth` cannot be detected.
Only after an infected package already ran the malware payload, the Miasma implant can be removed.
[2] needs manual mitigation of already installed packages that were discovered in `/var/lib/pacman/local/*`.
### Notes
This Mitigation Tool has been implemented with an abliterated `qwen3-coder:30b@Q8` running
inside the [exocomp](https://github.com/cookiengineer/exocomp) Agentic Environment.
### Acknowledgements
- RedHat, for disclosing the breach very quickly and correctly
- My cat, for emotional support during implementation
- The Prodigy, for being the best music band of our time
- Person of Interest and Michael Emerson, for the remnant inspiration for this with ICE9
- TeamPCP, the assumed authors of Miasma, for making my weekend more fun
### Reading Material
Miasma Blight Campaign:
- https://access.redhat.com/security/vulnerabilities/RHSB-2026-006
- https://safedep.io/miasma-worm-ai-coding-agent-config-injection/
Miasma Hades Campaign:
- https://socket.dev/blog/shai-hulud-descends-to-hades-miasma-pypi-wave
- https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious
- https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents
Miasma Atomic Campaign:
- https://ioctl.fail/preliminary-analysis-of-aur-malware/
- https://thecybersecguru.com/news/atomic-arch-aur-supply-chain-attack-ebpf-rootkit/
- https://sha0coder.github.io/scales/
### License
AGPL-3.0