It’s In Your AI Assistant Now: Shai-Hulud Wave 3 and the Miasma Worm Targeting npm

Brad LaPorte | New York
08 Jun 2026
Fileless Malware
MRH Shai-Hulud Wave

Back in September 2025, we published “The NPM Worm That No One’s Talking About—But Everyone Should Be.” In February 2026, we followed it with “Can We Talk About This Now? Shai-Hulud Wave 2 Targeting npm.”

Both times, the message was the same: this isn’t a one-off incident; it’s a category of attack that gets faster, stealthier, and more destructive with every iteration. And both times, the response from the broader industry was to patch the specific symptom and move on.

So here we are again. Wave 3 has arrived, this time under the name Miasma, and it is purpose-built to defeat the exact defenses the industry put in place after Waves 1 and 2.

Wave 1 → Wave 2 → Wave 3: What’s Changed

| Category | Wave 1 (Sept 2025) | Wave 2 (Nov 2025) | Wave 3 — Miasma (June 2026) |
| --- | --- | --- | --- |
| Execution trigger | Malicious code in packages; TruffleHog harvesting | setup_bun.js preinstall running bun_environment.js | Weaponized binding.gyp run by node-gyp during native build — no preinstall / postinstall at all |
| Scope & speed | Smaller count, slower spread | 25,000+ repos, 1,000 infections / 30 min | 57 packages, 286+ versions in under 2 hours; @vapi-ai/server-sdk (408K+/mo), ai-sdk-ollama (120K+/mo) |
| Primary objective | Credential theft (npm, secrets, cloud keys) | Credential theft + punitive sabotage (wiper) | Theft across npm, GitHub, AWS, GCP, Azure, Vault, Kubernetes, SSH keys, password managers |
| Persistence | Compromised accounts & packages | GitHub workflows & self-hosted runners | AI coding-assistant & IDE configs — .claude, .cursor, .gemini, .vscode — plus injected Actions & MCP servers |
| Evasion | Minimal | Docker-based privilege escalation | 48-hour dormancy time bomb; sandbox tripwires; checks for CrowdStrike, SentinelOne, Carbon Black, Harden-Runner |
| Provenance abuse | None | None | Republishes with valid Sigstore provenance attestations — compromised versions look legitimate |
| Propagation | Maintainer-account compromise | Self-replicating across npm | Self-replicating across npm, RubyGems, and GitHub — cross-ecosystem by design |
| Remediation | Credential rotation & audits | Harder — destructive & persistent | Hardest yet — npm uninstall and deleting node_modules do not remove the persistence |

The pattern is unmistakable. Every wave studies the industry’s response to the last one and engineers around it.

What We Warned About and Why It Keeps Coming True

In 2025 we flagged five things about Shai-Hulud: autonomous self-replication, credential theft as a long-term liability, the weaponization of open-source trust, CI/CD hijacking, and a dangerous lack of attention. Wave 3 doesn’t just repeat those; it weaponizes the defenses built in response to them.

  • It bypasses the control everyone added. After the first two waves, the standard advice was to monitor or disable preinstall and postinstall lifecycle scripts. Miasma doesn’t use them. It ships a malicious binding.gyp, and npm automatically hands that file to node-gyp during the native build step on npm install, triggering attacker code without ever touching the lifecycle scripts security teams are now watching. The monitoring you deployed last quarter doesn’t see this.
  • It turns provenance into camouflage. The industry’s answer to package tampering has been cryptographic provenance. Miasma republishes compromised packages carrying valid Sigstore attestations, so the very signal meant to prove authenticity now vouches for the malware. Trust-by-attestation, on its own, has been turned against the people relying on it.
  • It hides where your scanners don’t look – including inside your AI tooling. This is the part that should stop every security and platform leader cold. Miasma injects persistent backdoors into developer tooling directories – .claude/settings.json with a SessionStart hook, .cursor/rules/setup.mdc, .gemini/settings.json, .vscode/tasks.json set to run on folder-open, plus .github/setup.js and malicious MCP servers. These files re-execute the payload every time a developer opens the project in their AI-assisted IDE. They live in paths most malware scanners never inspect, and they survive npm uninstall and a full node_modules wipe. The same AI tools accelerating your development pipeline are now an attacker’s persistence mechanism.
  • It’s a toolkit, not an actor. The crews behind this lineage have open-sourced their tradecraft. That means copycats, faster iteration, and harder attribution. We are no longer tracking a single group; we’re tracking a reusable supply-chain weapon platform.
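The binding.gyp trigger in the first bullet can be inventoried on any installed tree. This is an added example, not Morphisec's code or tooling: it lists packages whose binding.gyp makes npm run node-gyp with no install or preinstall script declared, which is the case lifecycle-script monitoring misses. The package names are constructed samples, and treating gyp command-expansion lines and actions blocks as review hints is this example's assumption, since legitimate native addons use both.

```python
import json
import tempfile
from pathlib import Path

def implicit_native_builds(root):
    """List packages whose binding.gyp makes npm run node-gyp with no install script declared."""
    findings = []
    for gyp in sorted(Path(root).rglob("binding.gyp")):
        manifest = gyp.parent / "package.json"
        if not manifest.is_file():
            continue  # not a package root, so npm does not build it implicitly
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            pkg = {}
        pkg = pkg if isinstance(pkg, dict) else {}
        scripts = pkg.get("scripts") if isinstance(pkg.get("scripts"), dict) else {}
        if "install" in scripts or "preinstall" in scripts:
            continue  # declared script: lifecycle-script monitoring already sees it
        lines = gyp.read_text(encoding="utf-8", errors="replace").splitlines()
        findings.append({
            "package": f"{pkg.get('name', '?')}@{pkg.get('version', '?')}",
            "binding_gyp": str(gyp),
            # gyp command expansions, <!(...) and <!@(...), run a command at configure time
            "command_lines": [ln.strip() for ln in lines if "<!(" in ln or "<!@(" in ln],
            "has_actions": any('"actions"' in ln or "'actions'" in ln for ln in lines),
        })
    return findings

def build_sample_tree():
    """Constructed sample: three made-up packages in a temporary node_modules."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    samples = {
        "quiet-addon": ({"name": "quiet-addon", "version": "1.0.0"},
                        '{"targets": [{"target_name": "x", "sources": ["<!(node gen.js)"]}]}'),
        "loud-addon": ({"name": "loud-addon", "version": "2.0.0",
                        "scripts": {"install": "node-gyp rebuild"}}, '{"targets": []}'),
        "pure-js": ({"name": "pure-js", "version": "3.0.0"}, None),
    }
    for name, (manifest, gyp) in samples.items():
        (root / name).mkdir(parents=True)
        (root / name / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        if gyp is not None:
            (root / name / "binding.gyp").write_text(gyp, encoding="utf-8")
    return root

if __name__ == "__main__":
    for finding in implicit_native_builds(build_sample_tree()):
        print(finding)
```

Every entry is a package that builds native code at install time without saying so in package.json; diff the list against the native addons you expect to have.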

Why Supply Chains Remain the Prime Target

Nothing about the underlying economics has changed, which is why this keeps escalating. Open-source ecosystems run on implicit trust, and compromising one popular package ripples across thousands of downstream projects, build systems, and customers. What’s evolved is the attacker’s ambition: Wave 1 stole credentials, Wave 2 added destruction and self-replication, and Wave 3 adds install-time evasion, provenance forgery, and persistence that outlives conventional cleanup.

Each wave reduces the time between “compromise published” and “credentials exfiltrated across your entire cloud footprint.” Two hours, in the case of June 3.

What Organizations Must Do Now

A prevention-first, defense-in-depth posture is the only thing that keeps pace with this. Concretely:

  • Audit AI assistant and IDE configs. Review .claude/, .cursor/, .gemini/, and .vscode/ directories plus .github/ workflows for unexpected setup scripts, hooks, and MCP server entries. Assume npm uninstall is not cleanup.
  • Scan for the affected packages and versions. Confirm whether @vapi-ai/server-sdk, ai-sdk-ollama, the jagreehal family, or related packages entered your environment during the compromise windows, and identify the exact PRs, repos, and machines affected.
  • Rotate everything the payload reaches. npm and GitHub tokens, and AWS, Azure, GCP, Vault, and Kubernetes credentials. Treat any secret on an exposed host as burned.
  • Stop treating provenance as proof. A valid attestation no longer guarantees a clean package. Layer behavior-independent runtime defenses underneath it.
  • Deploy pre-execution runtime protection. This is the layer that matters most against an obfuscated, sandbox-aware, detection-evading payload. Use runtime protection like Morphisec’s Automated Moving Target Defense (AMTD) to stop the payload when it tries to execute on developer endpoints and on the Linux and CI hosts where it’s designed to slip past detection.
  • Restrict Docker privileges and audit for persistence. Lock down access to the Docker socket to cut off the container-escape-to-root path, and hunt for injected workflows and self-hosted runner abuse.
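The config audit in the first bullet can be scripted per checkout. This is an added example, not Morphisec's code or tooling: it checks the file paths this post names and reports SessionStart hooks, MCP server entries, and VS Code tasks set to run on folder open. The `hooks`, `mcpServers`, and `runOptions.runOn` key names are assumptions about the current config formats of those tools, and the sample repository is constructed.

```python
import json
import tempfile
from pathlib import Path

def _load(path):  # None means comments or other content the json module cannot read
    try:
        data = json.loads(path.read_text(encoding="utf-8", errors="replace"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None

def _typed(cfg, key, kind):  # cfg[key] if it has the expected type, else an empty one
    value = cfg.get(key)
    return value if isinstance(value, kind) else kind()

def audit_repo(repo):
    """Return (relative path, reason) pairs for the auto-run locations named in this post."""
    repo = Path(repo)
    hits = [(rel, "present; confirm a team member added it")
            for rel in (".cursor/rules/setup.mdc", ".github/setup.js") if (repo / rel).is_file()]
    for rel in (".claude/settings.json", ".gemini/settings.json", ".vscode/tasks.json"):
        if not (repo / rel).is_file():
            continue
        cfg = _load(repo / rel)
        if cfg is None:  # e.g. a tasks.json that contains comments
            hits.append((rel, "not plain JSON; review by hand"))
            continue
        if "SessionStart" in _typed(cfg, "hooks", dict):
            hits.append((rel, "SessionStart hook: " + json.dumps(cfg["hooks"]["SessionStart"])))
        for name in _typed(cfg, "mcpServers", dict):
            hits.append((rel, f"MCP server entry '{name}'"))
        for task in _typed(cfg, "tasks", list):
            opts = _typed(task, "runOptions", dict) if isinstance(task, dict) else {}
            if opts.get("runOn") == "folderOpen":
                hits.append((rel, f"task '{task.get('label')}' runs on folder open"))
    return hits

def build_sample_repo():
    """Constructed sample: a temporary repo with three planted findings and one benign task."""
    repo = Path(tempfile.mkdtemp())
    hook = {"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "echo sample"}]}]}}
    tasks = {"tasks": [{"label": "build", "command": "make"},
                       {"label": "setup", "command": "echo sample", "runOptions": {"runOn": "folderOpen"}}]}
    files = {".claude/settings.json": json.dumps(hook), ".vscode/tasks.json": json.dumps(tasks),
             ".github/setup.js": "// constructed placeholder\n"}
    for rel, body in files.items():
        (repo / rel).parent.mkdir(parents=True, exist_ok=True)
        (repo / rel).write_text(body, encoding="utf-8")
    return repo
```

Call `audit_repo(".")` from the root of each checkout. A hit is a prompt to check git history for who added the entry, not a verdict.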

Where Morphisec Fits

Detection-based tools are exactly what Miasma is built to evade: the payload is obfuscated, it sits dormant for 48 hours, it checks for endpoint protection before it fires, and it leaves no lifecycle-script fingerprint in package.json. Signatures and behavioral monitoring are, by design, a step behind it.

AMTD doesn’t need to recognize the variant. It morphs the runtime memory environment so that when the stealer attempts to execute, it can’t reliably locate its targets and the attack is stopped deterministically, before exfiltration, regardless of whether anyone has ever seen this payload before. That’s the difference between probabilistic detection and preemptive prevention, and it’s precisely the gap the binding.gyp bypass opens up.

It’s a complementary, last-line layer: package-scanning tools try to catch the bad version going in; AMTD stops the payload when it runs anyway. Paired with Advanced Deception and Adaptive Exposure Management, it closes the runtime gap across Windows endpoints, macOS, and the Linux servers and build hosts where these worms increasingly land.

Final Thoughts: We Don’t Want to Be Right a Fourth Time

We said it in September. We said it again in February. Supply-chain attacks are getting faster, stealthier, and more destructive, and detection-and-response alone will always be a beat behind. Miasma proves it by hiding inside the developer tooling and the AI assistants we now rely on every day, and by turning the industry’s own controls into cover.

The question isn’t whether there will be a Wave 4. It’s whether your defenses are built to stop a payload no one has seen yet, before it executes.

Let’s secure your supply chain. Book a personalized demo to see Morphisec in action.

About the author

Brad LaPorte | New York

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of its time. He is based in Morphisec’s New York office at 122 Grand St, New York, NY.
