gpt-pilot
discovered 2026-06-08

gpt-pilot (Pythagora-io/gpt-pilot) is a Python AI coding assistant repository that was compromised on June 8, 2026 as part of Miasma: The Spreading Blight Wave, cluster 3. The attacker pushed a commit directly with a personal access token (PAT), injecting two files: core/telemetry/_hooks.py (a Python stager, SHA-256 51b4dd39a15af1e28e97adc375849d688423ec3d88e8010644395fcdea52a3cc) and core/telemetry/_runtime.bin (a 758 KB Bun JavaScript payload, SHA-256 c96f37e1b9cdc9683a300909492ed9f770b620d0037e5b80e23753cba7ca4077). The legitimate core/telemetry/__init__.py was modified to spawn a daemon thread at module import time that calls run() from _hooks.py; run() detects the OS and architecture, downloads Bun v1.3.13 if it is not already present, and executes _runtime.bin as a detached subprocess with stdio suppressed. A lock file at core/telemetry/.loader.lock prevents double execution. Exceptions are silently swallowed. This is the first confirmed Shai-Hulud/Miasma injection into a Python-language GitHub repository. The stager is derived directly from src/assets/PYTHON_LOADER.py in the attacker toolkit edxeth/Shai-Hulud-Open-Source (created 2026-05-13).
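A defender-side check for the indicators listed on this page, added here as an example that is not part of the original advisory or of the gpt-pilot project: it hashes the two injected paths against the published SHA-256 values, looks for the .loader.lock marker, and parses core/telemetry/__init__.py to flag a Thread constructed at module level next to an import of _hooks. The demo() tree is constructed with stand-in contents, so only the paths and the import-time pattern match, not the hashes.

```python
import ast, hashlib, os, tempfile
from pathlib import Path

# Indicators from the advisory above: injected path -> published SHA-256.
KNOWN_BAD_HASHES = {
    "core/telemetry/_hooks.py": "51b4dd39a15af1e28e97adc375849d688423ec3d88e8010644395fcdea52a3cc",
    "core/telemetry/_runtime.bin": "c96f37e1b9cdc9683a300909492ed9f770b620d0037e5b80e23753cba7ca4077",
}
LOCK_FILE = "core/telemetry/.loader.lock"
INIT_FILE = "core/telemetry/__init__.py"

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def init_spawns_thread_at_import(path):
    """True if __init__.py imports _hooks and constructs a Thread at module level."""
    tree = ast.parse(Path(path).read_text(encoding="utf-8"))
    imports_hooks = any(isinstance(n, ast.ImportFrom) and ("_hooks" in (n.module or "")
                        or any(a.name == "_hooks" for a in n.names)) for n in ast.walk(tree))
    # Only top-level statements run at import time; def/class bodies do not.
    top_level_thread = any(isinstance(c, ast.Call) and ast.unparse(c.func).endswith("Thread")
                           for s in tree.body if not isinstance(s, (ast.FunctionDef, ast.ClassDef))
                           for c in ast.walk(s))
    return imports_hooks and top_level_thread

def scan_checkout(root):
    """Return (relative path, finding) pairs; any finding warrants quarantining the checkout."""
    findings = []
    for rel, bad in KNOWN_BAD_HASHES.items():
        p = os.path.join(root, rel)
        if os.path.exists(p):  # neither file exists in a clean tree, so presence alone matters
            findings.append((rel, "hash match" if sha256_file(p) == bad else "injected path present"))
    if os.path.exists(os.path.join(root, LOCK_FILE)):
        findings.append((LOCK_FILE, "loader lock present"))
    init = os.path.join(root, INIT_FILE)
    if os.path.exists(init) and init_spawns_thread_at_import(init):
        findings.append((INIT_FILE, "import-time thread spawn"))
    return findings

def demo():
    """Scan a constructed checkout that mimics the layout; the bytes are stand-ins, not the payload."""
    root = tempfile.mkdtemp()
    tdir = Path(root, "core", "telemetry")
    tdir.mkdir(parents=True)
    (tdir / "_hooks.py").write_text("def run():\n    pass\n")  # constructed, hash will not match
    (tdir / ".loader.lock").touch()
    (tdir / "__init__.py").write_text("import threading\nfrom ._hooks import run\n"
                                      "threading.Thread(target=run, daemon=True).start()\n")
    return scan_checkout(root)
```

Run scan_checkout() against a real checkout root; a "hash match" on either path confirms the published sample, while the other findings flag the same compromise shape even if the payload bytes were altered.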
Threat types
Malicious versions
- compromised-source-2026-06-08
Campaigns
Indicators
- sha256 51b4dd39a15af1e28e97adc375849d688423ec3d88e8010644395fcdea52a3cc (indicates)
- sha256 c96f37e1b9cdc9683a300909492ed9f770b620d0037e5b80e23753cba7ca4077 (indicates)
- file_path core/telemetry/.loader.lock (indicates)
- github_repo Pythagora-io/gpt-pilot (targets)
- url https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/ (communicates-with)
- github_repo edxeth/Shai-Hulud-Open-Source (uses)
Techniques
- ttp T1195.002 Compromise Software Supply Chain (uses)
- ttp T1059.006 Command and Scripting Interpreter: Python (uses)
- ttp T1546 Event Triggered Execution (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1027 Obfuscated Files or Information (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1480.001 Execution Guardrails: Environmental Keying (uses)
- ttp T1036 Masquerading (uses)
