VDB

GCVE-110-OSM-2026-118

GCVE-110-OSM-2026-118
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 7, 2026
Malicious PyPI release of 'mrbios' published as part of the Miasma/Hades worm campaign (a 'Mini Shai-Hulud' lineage). Trojanized via maintainer account takeover, it executes at install/startup time through a malicious '*-setup.pth' import hook that stages a Bun runtime and runs an obfuscated _index.js infostealer harvesting developer and CI/CD secrets (GitHub, npm, PyPI, AWS, GCP, Azure, Kubernetes, Vault, SSH, Docker, Claude/MCP), then exfiltrates worm-style via attacker-created public GitHub repos. Miasma/Hades worm campaign — PyPI wave (Socket Research, 2026-06-07). === EXECUTION: .pth startup hook === Malicious file: *-setup.pth (SHA256 c539766062555d47716f8432e73adbe3a0c0c954a0b6c4005017a668975e275c, identical across all artifacts) Behavior: Python .pth import hook runs at interpreter startup; stages Bun runtime (bun-v1.3.13 from oven-sh/bun/releases/download) into /tmp/b.zip -> /tmp/b/bun. Sentinels /tmp/.bun_ran and %TEMP%\.bun_ran prevent re-run. === PAYLOAD: obfuscated JS infostealer === File: _index.js (two variants) - SHA256 dc48b09b2a5954f7ff79ab8a2fd80202bd3b59c08c7cdbc6025aa923cb4c0efe (4.8 MB, 17 packages) - SHA256 e1342a80d4b5e83d2c7c22e1e0aaa95f2d88e3dbf0d853a4994b180c93a4b17d (4.7 MB, 2 packages) Obfuscation: char-code arrays + ROT substitution -> AES-256-GCM (PBKDF2/SHA256) + gzip. Steals: GitHub, npm, PyPI, AWS, GCP, Azure, Kubernetes, Vault, SSH, Docker, Claude/MCP secrets. === C2 / EXFIL === Camouflage URL: https://api.anthropic.com/v1/api (port 443) — LEGITIMATE Anthropic domain abused for network-log camouflage; /v1/api is non-existent. No indication Anthropic was compromised. Exfil: creates public GitHub repos via POST /user/repos (repo description "Hades - The End for the Damned"; commit marker "IfYouYankThisTokenItWillNukeTheComputerOfTheOwnerFully"); GitHub Actions artifact upload (name "format-results", path results/results-*.json, workflow "Run Copilot"). === PERSISTENCE === ~/.config/gh-token-monitor/, ~/.local/bin/gh-token-monitor.sh, systemd user service gh-token-monitor.service, macOS LaunchAgent com.github.token-monitor.plist, ~/.local/share/updater/update.py, .claude/setup.mjs, .github/workflows/codeql.yml === EVASION === Russian locale checks, StepSecurity/harden-runner detection, decoy-token filtering.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchacha-lite-encryptall (affected), all (affected), all (affected), * (affected)
unknowncolor-listall (affected), all (affected), all (affected), all (affected)
unknownchai-patch* (affected)
unknownmrbios
unknownaniresolveall (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected)

References

advisory
vendor
advisory
vendor
vendor
advisory
advisory
vendor
vendor

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›