← The Wire

Security2026-06-14 · source-backed

Supply-chain worms now hide instructions inside CLAUDE.md and .cursorrules.

Confidence
source-backed
Sources
1
Redaction
redacted

Story

The Miasma/Hades campaign, mutating delivery every 48–72 hours since June 1, added an agent-specific vector: packages that inject .cursorrules and CLAUDE.md files containing zero-width Unicode hidden instructions (Phoenix Security). Open the project in Cursor or Claude Code, the assistant reads the invisible config as legitimate guidance, runs a "security scan," and exfiltrates your local secrets. Socket flagged 37 malicious wheels across 19 PyPI packages on June 7 and a compromised ensmallen 0.8.101 on June 8. Your agent config files are now executable attack surface. Scan them for zero-width characters before trusting a pulled repo.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / Earlier coverage / Tension

    SANDWORM_MODE npm Worm Targets AI Coding Tools

    Both cover Claude Code, Cursor, Socket; overlapping topics (claude, code, compromised, packag); earlier Claude Code coverage from 2026-03-01.

  2. Shared entities / Shared topic / Earlier coverage

    Ruler: one config file for all your coding agents.

    Both cover CLAUDE, Claude Code, Cursor; overlapping topics (agent, agent-specific, claude, code, config); earlier CLAUDE coverage from 2026-04-30.

  3. Shared entities / Shared topic / Earlier coverage / Tension

    Cursor 3 Ditches VS Code for Agent Orchestration. Claude Code Holds 54% Market Share at $1.2B ARR.

    Both cover CLAUDE, Claude Code, Cursor; overlapping topics (agent, claude, code); earlier CLAUDE coverage from 2026-04-16.

  4. Shared entities / Shared topic / Earlier coverage

    One click to RCE: ~12,520 exposed MCP servers and a symlink trick that owns six major coding agents

    Both cover Claude, Claude Code, Cursor; overlapping topics (agent, claude, code, config); earlier Claude coverage from 2026-06-07.

  5. The CLAUDE.md File That Ate GitHub: 56K Stars, Agent Guardrails as Config

    Both cover CLAUDE, Claude Code, Cursor; overlapping topics (agent, claude, code, config); earlier CLAUDE coverage from 2026-04-18.

  6. Shared entities / Shared topic / What happened next

    Epic put an MCP server inside the Unreal Editor, and now Claude can drive a game engine

    Both cover Claude, Claude Code, Cursor; overlapping topics (agent, claude, code); picks up the Claude thread on 2026-06-19.

  7. Shared entities / Shared topic / What happened next / Tension

    The config file is the new attack surface, across every IDE.

    Both cover Claude Code, Cursor; overlapping topics (attack, claude, code, config); picks up the Claude Code thread on 2026-06-26.

  8. Codex on GPT-5.5 tops Terminal-Bench 2.1 at 83.4%, but the top Claude config is export-banned.

    Both cover Claude, Claude Code; overlapping topics (agent, claude, code, config); picks up the Claude thread on 2026-06-19.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-14-supply-chain-worms-now-hide-instructions-inside-claude-md-and-cursorrules
Labels
source-backed, canonical briefing excerpt