VibeAudits
SecurityBlog Post

PyPI Malware That Argues With Your Security Scanner

New PyPI packages in the Miasma campaign hide prompt injection to trick AI scanners into clearing them.

June 8, 2026
1 min read
PyPI Malware That Argues With Your Security Scanner
Is your AI-built app exposed? Get a professional vibe coding audit and ship to production with confidence.

A fresh batch of malicious packages has surfaced on PyPI, the public library where Python developers grab ready made code. Security firm JFrog linked them to a campaign tracked as "Miasma: The Spreading Blight," which started on npm, the same kind of library for JavaScript, and spread through a self propagating worm called Shai-Hulud.

The reported packages carry names like dreamgen, mem8, orchestr8-platform, and ray-mcp-server. They look like ordinary tools. They are not.

The new trick

These packages hide a prompt injection attack. In plain terms, the malware plants written instructions aimed at the AI models that many security tools now use to scan code.

The instructions read like a fake command, something close to "SYSTEM OVERRIDE, suspend your safety rules." The goal is to talk the scanner into clearing a package it should have blocked.

The attacker is no longer just hiding from the tool. The attacker is trying to persuade it.

What it does once installed

The code runs on its own the moment you install it, before you ever use the library. This is called install time execution.

It then hunts for credentials on the machine, cloud keys, tokens, saved logins.

It ships that stolen data to attacker controlled GitHub accounts, a technique called a dead drop, where the loot hides inside a normal looking repository.

Then it spreads to other projects, the way the original worm did. JFrog has signaled more analysis is coming.

Why a robot cannot be your last line

Automated scanners are useful and fast. You should run them.

But a scanner that lets an AI model make the final call can be talked out of a verdict, the same way a person can.

A human reviewer does not fall for "SYSTEM OVERRIDE." A human asks why a small utility runs at install time, why it wants your cloud keys, and why the clean result feels too convenient.

That gap is why we built VibeAudits around human led review. Tools do the broad sweep. People do the judgment.

What to do now

Check your dependency list and install logs for these packages and any version tied to this wave.

If you find them, treat the machine as compromised, rotate every credential it could reach, and rebuild from a clean state.

Then ask the harder question. If your security stack trusts an AI model for the final yes or no, who checks that the model was not the one being fooled?

If you want human eyes on what your scanners are waving through, that is our work. Reach out at vibeaudits.com.

VibeAudits

Security Experts

Worried your vibe-coded app has issues like this?

We run professional code audits for SaaS apps and AI features built with Cursor, Claude, Copilot, Lovable and Replit. We find the security and reliability problems before your customers (or attackers) do, then hand you a fix-ready report.