Security2026-06-14 · source-backed
Supply-chain worms now hide instructions inside CLAUDE.md and .cursorrules.
Story
The Miasma/Hades campaign, mutating delivery every 48–72 hours since June 1, added an agent-specific vector: packages that inject .cursorrules and CLAUDE.md files containing zero-width Unicode hidden instructions (Phoenix Security). Open the project in Cursor or Claude Code, the assistant reads the invisible config as legitimate guidance, runs a "security scan," and exfiltrates your local secrets. Socket flagged 37 malicious wheels across 19 PyPI packages on June 7 and a compromised ensmallen 0.8.101 on June 8. Your agent config files are now executable attack surface. Scan them for zero-width characters before trusting a pulled repo.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage / Tension
SANDWORM_MODE npm Worm Targets AI Coding Tools
Both cover Claude Code, Cursor, Socket; overlapping topics (claude, code, compromised, packag); earlier Claude Code coverage from 2026-03-01.
Shared entities / Shared topic / Earlier coverage
Ruler: one config file for all your coding agents.
Both cover CLAUDE, Claude Code, Cursor; overlapping topics (agent, agent-specific, claude, code, config); earlier CLAUDE coverage from 2026-04-30.
Shared entities / Shared topic / Earlier coverage / Tension
Cursor 3 Ditches VS Code for Agent Orchestration. Claude Code Holds 54% Market Share at $1.2B ARR.
Both cover CLAUDE, Claude Code, Cursor; overlapping topics (agent, claude, code); earlier CLAUDE coverage from 2026-04-16.
Shared entities / Shared topic / Earlier coverage
One click to RCE: ~12,520 exposed MCP servers and a symlink trick that owns six major coding agents
Both cover Claude, Claude Code, Cursor; overlapping topics (agent, claude, code, config); earlier Claude coverage from 2026-06-07.
The CLAUDE.md File That Ate GitHub: 56K Stars, Agent Guardrails as Config
Both cover CLAUDE, Claude Code, Cursor; overlapping topics (agent, claude, code, config); earlier CLAUDE coverage from 2026-04-18.
Shared entities / Shared topic / What happened next
Epic put an MCP server inside the Unreal Editor, and now Claude can drive a game engine
Both cover Claude, Claude Code, Cursor; overlapping topics (agent, claude, code); picks up the Claude thread on 2026-06-19.
Shared entities / Shared topic / What happened next / Tension
The config file is the new attack surface, across every IDE.
Both cover Claude Code, Cursor; overlapping topics (attack, claude, code, config); picks up the Claude Code thread on 2026-06-26.
Codex on GPT-5.5 tops Terminal-Bench 2.1 at 83.4%, but the top Claude config is export-banned.
Both cover Claude, Claude Code; overlapping topics (agent, claude, code, config); picks up the Claude thread on 2026-06-19.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — June 14, 2026
- AI generated
- no
- Story unit
- 2026-06-14-supply-chain-worms-now-hide-instructions-inside-claude-md-and-cursorrules
- Labels
- source-backed, canonical briefing excerpt