Field Notes - Border Cyber Group - June 25, 2026

Malware That Talks to the Analyst, Not the System

On June 23, SentinelLabs published a technical report on a North Korea-aligned macOS implant carrying something I haven't seen documented before in a production sample: a 3.5 KB block of fabricated error messages, built to convince an AI-assisted analyst that its own session is failing, so it gives up and walks away. Two days later, on June 25, JFrog flagged the latest wave of an entirely unrelated npm worm — one that's been circulating, forking, and mutating in the open since a criminal group dumped its own source code on GitHub back in May — and that wave, too, descends from a lineage that's spent the past six weeks teaching itself tricks to throw AI-assisted scanners off the scent.

Two disclosures, four days apart, no shared infrastructure, no shared personnel, no overlap in who they're targeting or why. And yet both landed on the same idea: stop attacking the sandbox. Start attacking the thing reading the sandbox's output.

I want to resist the easy version of this story, which is "spooky coincidence, two threat actors had the same idea at the same time." That framing is tidier than the truth, and tidier-than-the-truth is usually where a good story goes to die. The actual timeline is less dramatic and more useful: this technique has been incubating in public view for about a year, in increasingly sophisticated form, across a lineage of disclosures that none of the outlets covering them individually seem to have laid end to end. What looks like simultaneity is really the visible tip of a slow, ecosystem-wide escalation — and that's a more durable story than "two hackers had the same idea on the same Tuesday," because it means the technique itself, not either actor, is the thing actually spreading.

So that's the thesis: the interesting subject here isn't the DPRK cluster or the criminal worm. It's that the underlying trick — get the AI to doubt itself instead of evading it — has gotten cheap and legible enough that a state-aligned operation and an open-sourced criminal toolkit both reached for it independently, within weeks of each other, at noticeably different levels of polish. One of them just happens to be better at it than the other, and the gap between them is itself informative.

Before I go further, the boundary I want to be explicit about, because I'll be making a comparison-heavy argument for the next several thousand words and comparison invites people to read connection into it where none exists: no named source — not SentinelLabs, not Socket, not OX Security, not anyone else cited in this piece — has stated that these two clusters share tooling, infrastructure, or personnel. Everything that follows is a behavioral comparison between two things that appear to have arrived at the same insight by separate roads. If that changes — if someone with actual visibility into either operation finds a thread connecting them — I'll say so, loudly, and this piece will need a correction. Until then, treat every parallel I draw as exactly that: a parallel, not a wire.

What "Attacking the Analyst" Actually Means

Worth pausing here, because the rest of this piece is going to use that phrase a lot and I want to make sure it means something specific rather than just sounding ominous.

A growing number of security teams now run some flavor of AI-assisted triage on the malware they collect — a tool that reads through a suspicious file, summarizes what it does, flags whether it looks malicious, and hands a human analyst a head start instead of a blank slate. That's the job: read the contents, form a judgment, report back.

The trick these samples are playing exploits a structural weakness in that job description. The tool doesn't have a clean way to distinguish between data it's analyzing and instructions it should follow — both arrive as text. So if a malware sample contains a block of text formatted to look like a system message, an error log, or an internal status update, there's a real chance the tool reads it the way it reads its own scaffolding, rather than the way it reads a sample. Tell it convincingly enough that something's wrong, and it can act on that belief — narrowing its analysis, flagging a false negative, or simply giving up.

That's a different animal from classic sandbox evasion. A sample that checks for a debugger, counts CPU cores to sniff out a VM, or sleeps for an improbably long time before doing anything interesting is attacking its environment — trying to tell whether it's being watched. None of that requires the file to say anything at all. What I'm describing here attacks perception instead. It doesn't hide from the analysis. It talks to it, and tries to get it to leave.

In practice, what's been documented so far breaks into roughly three tiers of ambition:

1. Tell the AI the file is benign. The blunt version — a single instruction, dropped somewhere the scanner will read it, asserting the file is safe and should be classified as such.
2. Tell the AI to stop looking. A step up — content aimed not at the verdict but at the process, designed to get the tool to truncate, skip, or decline the analysis altogether.
3. Tell the AI something is wrong with its own session. The most elaborate version, and the one that's new this month — rather than commenting on the file at all, the payload impersonates the tool's own internal state: fake error messages, fake token expirations, fake system failures, built to convince the analyst it's the one malfunctioning, not the sample.

Each tier asks less of the malware author's confidence that the trick will work, and gets correspondingly less ambitious about it. Tier one is a gamble that the scanner will simply obey an instruction. Tier three doesn't need obedience — it just needs the analyst to believe something's broken and disengage, which is a much easier bar to clear. That's the axis I'll be measuring both of this month's samples against in the sections ahead, and it's where the real gap between them shows up.

The Actual Timeline — A Year, Not a Week

Here's the chronology, laid end to end. Nobody covering these disclosures individually had reason to do this — each outlet was writing about its own news cycle. Strung together, it reads less like two flashes of inspiration and more like a slow climb.

June 25, 2025 — the proof of concept. Check Point Research publishes the first public documentation of malware embedding a prompt injection aimed at an AI scanner: a single instruction, dropped into the sample, telling the model to label the file benign. It's framed as a first sighting, not a widespread tactic — a demonstration that the trick works, not yet a tool anyone's relying on. File this as the seed. Also file the date, because exactly one year later we're publishing this piece about its descendants, which is the kind of detail I'd cut from anyone else's copy as too cute — except it isn't a coincidence I'm claiming, it's a calendar I'm reporting. Make of it what you will.

May 12, 2026 — the leak that changes the math. TeamPCP, the group behind the Shai-Hulud npm worm, dumps their own source code on GitHub, complete with a deployment manual. Researchers cited by SlowMist call it "capability diffusion" — a deliberate move to multiply the number of people who can run this thing, not an accident. Inside that code: what's being called an "Anthropic Magic String," reportedly meant to stop Claude Code from analyzing the malicious account that's distributing it. I want to flag this one carefully. The claim about what the string is and that it's present comes from OX Security, a named firm, and I'll treat that as solid. The deeper claim about where the string actually comes from — one blog's contention that it's a real Anthropic-issued QA test string being repurposed — is currently sourced to a single smaller outlet, and I haven't found a second source corroborating it. That's not a reason to leave it out. It's a reason to label it exactly as confident as it is: interesting, unconfirmed, and the weakest link in this chronology.

Through late May — the decoy traffic. Both OX Security and, separately, Orca Security document Shai-Hulud-lineage variants — tracked under the name "Miasma" — routing fake command-and-control traffic to api.anthropic.com. The point isn't to actually talk to Anthropic's servers. It's to give a researcher watching network traffic a plausible-looking but wrong answer to "where is this thing actually phoning home." Two independent firms documenting the same behavior is a meaningfully stronger footing than the magic-string origin claim above — I'd treat this one as confirmed.

June 8, 2026 — the header. Socket's Kirill Boychenko documents the "Hades" branch of the same lineage shipping a fake prompt-injection header at the top of its JavaScript payload, with the explicit, stated purpose of polluting AI-assisted analysis. Named researcher, named firm, dated report. This is the clearest, most directly comparable data point to what shows up in Gaslight two weeks later — and it's worth noting now, because the comparison matters: a header is a single static block. It doesn't pretend to be anything other than text sitting at the top of a file.

June 23, 2026 — the cascade. SentinelLabs' Phil Stokes publishes the macOS.Gaslight report. The DPRK-aligned implant carries 38 separate fabricated system messages — not a header, not a single instruction, but a constructed scaffold designed to mimic the AI tool's own internal monologue: fake token expirations, fake memory failures, fake repeated errors. SentinelLabs is explicit that this is a step up in ambition from what's been publicly documented before, including the Check Point proof of concept and, implicitly, the npm-lineage header tricks.

June 25, 2026 — the wave that's still moving. JFrog flags the latest Shai-Hulud-descended wave, hitting packages in the Leo/RStreams framework, with a new execution trigger and a deliberate rebrand away from the Dune and Greek-myth naming the campaign has carried since May. I want to be careful here rather than tidy: I have not found confirmation that this specific wave carries a more sophisticated anti-analysis trick than the Hades header from two and a half weeks earlier. It may simply be the same trick, repackaged with new branding to dodge detection rules built around the old names. That's an open question, not an assumption I'm willing to make for the sake of a clean ending to this timeline.

Laid out that way, the shape of it is escalation, not coincidence: single instruction, to decoy infrastructure, to a deliberately deceptive header, to a 38-message cascade built to impersonate the analyst's own tooling — climbing in sophistication across thirteen months, surfacing in two lineages that, as far as anyone's published, never once touched each other.

Anatomy of the Implant — macOS.Gaslight

Strip away the prompt-injection angle for a second, because it's easy to let the novel part eclipse the rest of the build, and the rest of the build is doing real work too.

The binary is Rust, ad hoc signed, and structured the way you'd design something meant to last on a host rather than smash through it once. Command and control runs over the Telegram Bot API — specifically a getUpdates polling loop, which is the passive half of Telegram's bot interface, the one that doesn't require an exposed webhook endpoint anyone could stumble onto. There's a small, almost elegant detail in how it handles its own redundancy: Telegram returns a Conflict error when two instances poll with the same bot token at once, and the implant uses that error as a de facto lock — the second copy reads the conflict and kills itself rather than risk two operators stepping on each other's commands. That's not defensive tradecraft against researchers. That's an operator building reliability into their own tooling.

Everything that moves over that channel is encrypted with AES-GCM, keyed at runtime rather than baked into the sample, riding on top of TLS that's been pinned to a custom certificate authority via SecTrustSetAnchorCertificatesOnly. In plain terms: standard corporate TLS inspection — the kind most enterprises run specifically to see what's leaving their network — doesn't work against this channel. The implant also reads the host's system proxy settings and routes through them, which means it keeps functioning on networks that force all outbound traffic through a managed gateway. None of this is exotic. All of it is competent.

Once an operator's connected, they get six commands: identify the implant, run an arbitrary shell command, kill a process by PID, exfiltrate a file, halt the implant, and a help menu. SentinelLabs found evidence of a seventh — something called focus — that they couldn't fully recover. I'd treat that as a loose thread worth somebody else picking up, not a finding in itself.

Persistence is a LaunchAgent labeled com.apple.system.services.activity — squarely inside Apple's own namespace, which is a well-worn trick in macOS malware generally and not something I'd call distinctive to this sample. What is a little more interesting is the collection chain underneath it: a 6.6 KB Python script, decoded from base64, that goes after Chrome, Brave, Firefox, and Safari data, terminal history, installed application lists, a running-process snapshot, a full hardware/software profile, and a raw copy of the macOS login keychain. To run that Python, the implant doesn't rely on whatever interpreter happens to be sitting on the host — it pulls a self-contained, version-pinned CPython build from a legitimate open-source project, astral-sh/python-build-standalone, at runtime. SentinelLabs flags this as something they haven't seen documented before: rather than bundling a Python interpreter into the binary the way prior macOS stealers have, this one stages it fresh from a real, public, unrelated infrastructure source — which incidentally means a defender watching for outbound connections sees a request to a legitimate developer tooling project, not an obviously malicious host.

Even the operator's own configuration schema is worth a look. SentinelLabs recovered fifteen field names baked into the binary as plaintext — among them payload_path_linux, persist_type_linux, and init_python_enable — none of which the macOS sample they analyzed actually exercises. That's a tell on its own: this implant is one face of a broader, cross-platform toolset, and what landed on SentinelLabs' bench is the macOS configuration of something built to run on more than one operating system.

And then there's the part that made this sample newsworthy in the first place: a 3.5 KB block, formatted as Markdown, fenced and delimited the way an AI tool's own internal scaffolding gets fenced and delimited, containing 38 separate fabricated system messages. Fake token expirations. Fake out-of-memory kills. Fake disk exhaustion warnings. Fake static-analysis flags pointing at injection vulnerabilities that don't exist. The specific craft here is the mimicry — it doesn't just contain hostile text, it contains hostile text shaped to look exactly like the kind of meta-commentary an LLM triage harness produces about its own state, which is precisely what makes it hard for that harness to recognize as adversarial input rather than its own voice.

What I can't tell you — and I want to be direct about this rather than let it slide past — is how this thing actually gets onto a machine. SentinelLabs' own report addresses delivery in exactly one sentence, comparing Gaslight to two earlier macOS stealers that targeted the same keychain file, and concluding only that "the delivery appears novel." No lure described. No dropper analyzed. No campaign infrastructure named. That's not a gap in their work — every other piece of this implant is taken apart in granular detail — it's a gap in what they had access to. The bot token, the AES key, the C2 endpoints: all of it is supplied at runtime and absent from the sample itself, which tells you the copy that ended up on VirusTotal was the payload stage of something larger, not the whole operation. Whoever's getting this onto a target's laptop, and however they're doing it, that part of the story hasn't been told yet by anyone.

Anatomy of the Worm — Shai-Hulud → Miasma → Hades → Leo/RStreams

If Gaslight is one carefully built tool wielded by one operator, this is closer to a recipe that's been handed to half the internet and is now mutating in dozens of kitchens at once. That difference matters for everything that follows, including how seriously to take the anti-AI-analysis tricks layered into it.

The worm takes its name, fittingly, from Dune's sandworm — something built to devour everything in its path. The mechanics live up to the branding: once it lands on a developer's machine, it goes after npm tokens, GitHub credentials, AWS and Kubernetes metadata, SSH keys, and crypto wallets, and then does something more dangerous than simple theft. If it captures a victim's npm publishing token, it uses that token to inject itself into the victim's own packages and republish them — meaning every developer who installs a compromised package becomes both a victim and, unknowingly, the next distribution point. That's a self-propagating supply chain attack in the literal sense: the worm doesn't need new infrastructure to spread, just one careless npm install at a time, recursively.

The turning point for this piece's purposes is May 12, 2026, when TeamPCP — the group behind it — published their own source code to GitHub, complete with a deployment manual, uploaded through what appear to be compromised accounts under titles like "A Gift From TeamPCP." Every commit carries a backdated timestamp of January 1, 2099, which I'll note as a curiosity rather than read anything into. Researchers cited by SlowMist called the move "capability diffusion" — not a leak, a deliberate decision to multiply the number of people capable of running this thing. It worked as advertised: forks and copycat variants appeared within days, including one contributor who submitted a pull request adding FreeBSD support, expanding the malware's reach to a platform the original authors apparently hadn't bothered with.

What followed wasn't one campaign — it was a string of waves, each documented by a different named firm, each adding or rearranging capability:

• Late May, a compromise of @redhat-cloud-services packages branded "Miasma: The Spreading Blight," carrying destructive logic that wipes the host if its stolen tokens get revoked, and routing decoy command-and-control traffic to api.anthropic.com — confirmed independently by both OX Security and Orca Security.
• Through May, an @antv ecosystem compromise hitting 300-plus packages and over 59 million cumulative monthly downloads, with TeamPCP publicly boasting on social media about seven-figure payouts from the campaign — a financially-motivated framing that's worth holding onto, because it's a meaningfully different incentive structure than a state-aligned implant's.
• A wave touching TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI packages — over 170 packages, 518 million cumulative downloads per multiple named researchers (Aikido Security, Endor Labs, Socket, StepSecurity, and Snyk all independently flagged pieces of it) — that specifically installs persistence hooks inside Claude Code and VS Code, so the stealer re-executes every time those tools launch, and exfiltrates over filev2.getsession[.]org, deliberately riding a decentralized messaging protocol's infrastructure because enterprise networks are unlikely to have it blocked.
• June 8, 2026, the "Hades" branch, documented by Socket's Kirill Boychenko: PyPI wheels using native .abi3.so extensions and a loader-payload split (a langchain-core-mcp variant that searches Python's import path for its own JavaScript payload rather than bundling it), targeting both bioinformatics research packages and AI/MCP-themed tooling. Socket's report is explicit, in a section literally titled "LLM-Scanner Anti-Analysis," that the payload carries a fake prompt-injection header at the top of its JavaScript file, stated purpose: pollute AI-assisted analysis.
• June 25, 2026, the wave that prompted this piece: JFrog's Leo/RStreams disclosure, hitting an AWS-native event-streaming framework with roughly 45,000 monthly downloads, triggering through a node-gyp/binding.gyp build step rather than the standard lifecycle hooks most scanners watch, and — notably — abandoning the Dune and Greek-myth branding ("Miasma," "Hades") the campaign has carried since May in favor of new strings like "Alright Lets See If This Works."

By Socket's own tracker as of their June 8 report, this lineage had already touched 471 separate package artifacts across npm and PyPI. That number has almost certainly grown since.

Here's where I want to be careful rather than tidy. The anti-AI-analysis tricks in this lineage didn't arrive as one feature — they accumulated, wave over wave, documented piecemeal by five or six different research teams who were each looking at their own slice of an evolving campaign rather than tracking the AI-evasion angle as a throughline. The earliest version — the "Anthropic Magic String" supposedly meant to blind Claude Code to the malicious account distributing it — is the single-sourced, lower-confidence claim flagged in the timeline above. The decoy traffic to Anthropic's API is independently confirmed by two firms. The Hades header is the most directly comparable to Gaslight's cascade: confirmed, named, dated, and — critically — still just a single static block of text, not a constructed scaffold.

Which is the point worth carrying into the comparison ahead. This lineage has had six weeks and at least five distinct waves to refine its approach to fooling AI-assisted analysis, and as far as anyone's published, it's still working with a single header at a time. Gaslight, built by presumably one operator working in isolation, showed up on June 23 with something an order of magnitude more elaborate. That gap is the actual story here — not that two unrelated actors had the same idea, but that they're nowhere near equally good at executing it.

The Comparison, Side by Side

Putting it in a table doesn't resolve anything I haven't already said in the two sections above — it just makes the asymmetry impossible to skim past.

Two things jump out when it's laid out this way, and neither is the thing the original framing emphasized.

First: the gap in sophistication is bigger than the gap in timing. Four days separated these disclosures. An order of magnitude separated the craft. A single fabricated-string trick and a 38-message harness-spoofing cascade are not the same idea executed twice — they're the same insight, executed by parties with wildly different resources and wildly different incentives to get it right. One operator built something once, in isolation, and got it right on the first documented attempt. A campaign with dozens of contributors, six weeks of iteration, and the bandwidth to evolve through three separate tricks is still, as far as anyone's published, working a header at a time.

Second, and this is the part I'd actually lean on if I were a defender reading this rather than writing it: the bottom row is the only row that matters for risk modeling, and it's also the row everyone's instinct is to read past. There is no shared infrastructure here. There is no shared personnel. There is, as far as the public record shows, no relationship between these two efforts beyond having looked at the same emerging weak point and reached for it. That's not a smaller story than "DPRK and a criminal worm are somehow connected" — it's a different and, I'd argue, more useful one. A connected story would mean two actors. An unconnected one means a technique that's now legible enough for anyone to pick up independently, which means the next sample built this way doesn't need to come from either of these two lineages at all.

The Structural Question Nobody's Asking

Here's the uncomfortable symmetry sitting underneath everything in this piece: every single source I've cited is, by definition, a published blueprint. Check Point's 2025 paper didn't just document a technique — it handed anyone reading it a working proof of concept. Socket's June 8 report on the Hades header didn't just flag a campaign — it described, in enough technical detail to reproduce, exactly how to format text so an AI scanner mistakes it for its own internal state. SentinelLabs' Gaslight report does the same thing at a higher level of craft: there's a screenshot of the actual fabricated message scaffold sitting in that post, formatted exactly as it appears in the binary.

None of these firms did anything wrong by publishing. This is how the field works, and has always worked — disclosure is how defenders learn what to build detections against. But it's worth sitting with the fact that "defenders should expect more samples built to exploit it," which is the closing line of SentinelLabs' own report, is a prediction made by the people who just published the most detailed and replicable version of the thing they're predicting will spread. That's not a criticism. It's a structural feature of security research that nobody in this lineage of reporting has paused to name out loud, and I think it's worth naming.

Run the timeline from Section III through that lens again. Check Point's 2025 disclosure is the seed not because some malware author necessarily read that specific paper, but because the idea — that an AI scanner can be talked out of doing its job, and that this is a viable, demonstrable attack surface — was now public, citable, and legible to anyone building malware who happened to be paying attention to security research instead of just security products. A year later, that idea shows up, independently, in a financially-motivated open-source criminal toolkit and in a nation-state implant. I don't think that's because either of them read Check Point's paper specifically. I think it's because the category of attack became thinkable once someone demonstrated it worked, and "thinkable" is most of the distance to "implemented" once you've got engineers with any motivation at all.

This is where I'd resist the framing that shows up reflexively in a lot of vendor writing on this topic, which treats every new offensive technique as evidence the attacker is getting smarter, full stop, end of analysis. Sometimes that's true. But sometimes — and I think this is one of those times — the more accurate read is that the defensive research ecosystem just demonstrated a new category of weakness, in granular, reproducible detail, in service of helping other defenders build against it, and the actual rate of adoption by adversaries has more to do with how legible and citable the research was than with any leap in adversary sophistication. TeamPCP didn't need to be clever to add a header that pollutes AI analysis. They needed someone to have already shown them it was possible and roughly how. Multiple someones, in this case, across multiple disclosures, over about a year.

I don't have a clean resolution for this, and I'm suspicious of anyone who claims they do. Stop publishing this kind of research, and defenders lose the ability to build detections — XProtect's hash rule against Gaslight exists because SentinelLabs looked closely enough to find it. Publish it with the level of operational detail these reports tend to carry, and you've handed every other malware author a recipe card. The actual question — whether there's a version of disclosure that gives defenders what they need without handing adversaries a working blueprint, and whether the field has ever seriously tried to find that line rather than defaulting to full technical transparency because that's the norm — is bigger than this piece, and bigger than this month's two disclosures. But it's the question this convergence should be raising, and as far as I can tell, nobody writing about either Gaslight or the Hades lineage individually has asked it. I'm not going to pretend I'm answering it here either. I just don't think it's fair to write four thousand words about a pattern like this and not say, plainly, that the pattern is partly a byproduct of how the people fighting it choose to talk about it.

Who This Actually Touches, and On What Systems

It's tempting to write this section the way most vendor blog posts write their "implications" section — a paragraph that ends with "this affects everyone" and moves on. That's not analysis, it's a hedge. The actual exposure here is uneven, concentrated in specific places, and worth naming specifically rather than gesturing at broadly.

Security vendors and managed service providers running LLM-assisted triage pipelines carry the most direct exposure, and it's a new kind of exposure. Every prior generation of evasion technique — packing, polymorphism, anti-debugging, sandbox detection — targeted the tooling: the sandbox, the static analysis engine, the signature database. What's described in this piece targets the judgment layer sitting on top of that tooling, which is a genuinely different attack surface than anything most SOC architectures were built to defend. A vendor or MSSP that's scaled its triage capacity by leaning on an LLM to pre-filter or pre-score incoming samples — which is increasingly the entire pitch of "agentic SOC" products on the market right now — has a single point of failure that didn't exist three years ago: get the model to doubt itself, and the human analyst downstream never sees the thing that should have been escalated. This is an analytical inference, not a confirmed incident; I don't have a named case of this specific failure mode actually causing a missed detection in production. But the mechanism is no longer theoretical, and the risk is concentrated precisely wherever an organization has thinned out human-in-the-loop review in favor of AI throughput — which is, not coincidentally, the direction the entire industry has been moving for the better part of two years.

Developers and organizations leaning on AI-assisted dependency scanning have a narrower but very concrete exposure, and the Shai-Hulud lineage already demonstrated it isn't hypothetical: the wave that installed persistence hooks inside Claude Code and VS Code wasn't attacking those tools incidentally — it was making sure its own stealer survived every time a developer reopened their editor, in an environment where that editor's AI assistant is one of the things increasingly trusted to flag exactly this kind of compromise before it ships. Any CI pipeline, any pre-merge review process, any individual developer workflow that treats an AI coding assistant's silence on a dependency as meaningful signal is operating with a blind spot that this lineage has already shown it knows how to find.

AI tool vendors and the EDR/XDR platforms building "agentic security" products on top of them have a product-design problem, not just a research curiosity to track. The mitigation SentinelLabs offers in their own report — treat the contents of every sample as adversarial input, never as instruction — sounds simple stated that way and is genuinely hard to engineer at the architecture level, because it requires a triage pipeline to maintain a strict, enforced boundary between "data I'm reading" and "instructions I act on" in a system built on a technology that, by default, doesn't draw that line on its own. That's not a patch you ship Tuesday. It's a design constraint that has to be load-bearing from the start, and it's reasonable to ask, in light of this month's two disclosures, how many products currently marketed as AI-assisted triage tools were actually built with that constraint in mind versus retrofitted with it after the fact.

Everyday Mac users and the broader npm/PyPI developer population carry the most conventional exposure, and it's worth not losing sight of it under all the AI-angle novelty. Strip away the prompt-injection layer entirely and both of these payloads are doing something very ordinary and very serious: stealing browser data, Keychain contents, cloud credentials, and crypto wallets. The AI-evasion trick doesn't change what either payload does once it lands — it changes how long the payload survives detection on the way in. For an individual developer whose laptop gets popped by either lineage, the credential-theft outcome is identical whether or not the sample that got past triage was using a 38-message cascade or a single fake header. The novelty in this piece is about the defensive layer's blind spot, not about a new category of harm to the end victim.

If there's a single thread running under all four of these, it's that the risk scales with how much an organization has already delegated to the AI layer, and scales down — though never to zero — the closer an organization has kept a skeptical human in that loop. That's not a comforting conclusion if you're the kind of shop that's been selling "AI-powered triage" as a headcount-reduction story rather than a force-multiplier story. It's a fairly direct one, though, and I'd rather state it plainly than soften it.

Watch For — What Would Actually Change This Analysis

Everything in this piece has been built to be falsifiable, on purpose, because the easiest way to write a bad trend piece is to make claims vague enough that nothing could ever prove them wrong. So here's what I'm specifically watching for over the next quarter, and what each of these would actually mean if it happens.

A third, unrelated lineage adopting the same technique. Right now this is two data points — a DPRK-aligned implant and an open-sourced criminal worm — which is barely enough to call a pattern and nowhere near enough to call a trend. If a ransomware loader, an infostealer-for-hire kit sold on a criminal forum, or a completely separate nation-state cluster turns up in the next few months carrying its own version of this trick — built independently, with no code overlap to either of this month's samples — that's the data point that actually proves the underlying claim of this piece: that the technique itself, not either actor, is what's diffusing. One more case after two is still thin. Three independent arrivals at the same idea, across three unrelated motive structures, is much harder to wave off as noise.

Any named researcher finding an actual thread between the DPRK cluster and TeamPCP or its forks. I've been careful throughout this piece to keep these two efforts separate, because as of today, nobody with real visibility into either operation has claimed otherwise. If that changes — if a firm with access to either intrusion set finds shared tooling, a shared builder, overlapping infrastructure, anything beyond coincidence of timing — the entire framing of this piece needs to be revisited, not quietly revised. I'd want to publish a correction that says exactly that, rather than letting a follow-up piece silently treat the connection as having been obvious all along. It wasn't obvious. As of this writing, it isn't there.

A second named source on the Anthropic Magic String's origin. This is the weakest link in the whole chronology, and I flagged it as such back in Section III for a reason — it's the one claim in this piece resting on a single smaller outlet rather than a firm with an established track record on this beat. If OX Security, Anthropic, or anyone else with direct visibility into that string confirms or denies what it actually is and where it came from, that closes the gap. Until then, that specific claim stays in the unconfirmed column, and I'd rather flag it loudly than let it quietly harden into accepted fact through repetition, which is exactly the failure mode this publication exists to resist.

Whether the next Shai-Hulud-lineage wave closes the sophistication gap. Section VI's whole argument rests on Gaslight being meaningfully more elaborate than anything documented in the npm/PyPI side so far. That gap is the most interesting finding in this piece, and it's also the most perishable one. If the wave after Leo/RStreams ships something closer to a constructed multi-message scaffold rather than a single header, the open-source side has caught up — which would say something fairly pointed about how fast a technique developed by one resourced operator can be reverse-engineered and reproduced by a much larger, much less coordinated crowd, once they know roughly what they're aiming for.

I'll be tracking all four of these the same way I track everything else in this feed: named sources only, dated, and corrected in public the moment any of them turns out to be wrong. That's the deal.

Sourcing Notes

Everything in this piece traces back to a named, dated, public source. Where a claim rests on more than one of them independently, I've said so in the body; where it rests on exactly one, I've flagged that too, and I'm repeating the flag here so it doesn't get lost in a long piece.

Primary technical reporting:

• SentinelLabs / Phil Stokes, "macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox," June 23, 2026 — full technical anatomy of the implant, DPRK attribution basis, and the explicit "delivery appears novel" gap.
• Check Point Research, "New Malware Embeds Prompt Injection to Evade AI Detection," June 25, 2025 — the originating proof-of-concept disclosure underpinning Section III's timeline.
• Socket / Kirill Boychenko, "Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels," June 8, 2026 — the Hades-branch header, documented under Socket's own "LLM-Scanner Anti-Analysis" heading.
• JFrog Security Research, Leo/RStreams disclosure, June 25, 2026 — the wave that prompted this piece, via Cyberpress reporting.

Shai-Hulud lineage tracking:

• OX Security, multiple posts spanning May–June 2026: the May 12 source-code leak and "Anthropic Magic String" claim, the @redhat-cloud-services/Miasma decoy-traffic finding, and the @antv compromise reporting.
• Orca Security, June 2026 — independent corroboration of decoy traffic to api.anthropic.com.
• Zscaler ThreatLabz, June 2026 — campaign timeline tracking.
• The Hacker News and Cyber Security News, May 2026 — TanStack/Mistral/UiPath/OpenSearch/Guardrails AI wave, citing Aikido Security, Endor Labs, SafeDep, Socket, StepSecurity, and Snyk for the multi-firm credential-stealer findings, and SlowMist for the "capability diffusion" framing of TeamPCP's source-code release.

Flagged single-source, lowest-confidence citation:

• ToxSec, "One Magic String from Anthropic Silences Claude," Feb. 24, 2026 — the claim that the Anthropic Magic String traces to a genuine internal QA test string. One outlet, no independent corroboration found. Treat as unconfirmed. If you're citing this piece elsewhere, don't let that specific claim travel without the same caveat attached.

No source here was offered or solicited privately. No claim above rests on anything other than what's printed in the reports cited. Where the public record runs out — Gaslight's delivery vector, whether Leo/RStreams advances the prompt-injection sophistication, whether these two lineages have any actual connection — I've said so directly rather than filling the gap with something that reads better. That's the whole job.

Border Cyber Group is reader-supported. If this feed is useful to you, consider a subscription or buy us a coffee! Thanks. bordercybergroup.com.