Config Files That Run Code: Supply Chain Risk for SREs
The latest reminder came from SafeDep's analysis of config files that run code. The core point is simple: cloning a repository can be safe, but opening it in a trusted editor, agent, or package manager may not be. A small config file can launch a large payload before anyone reviews the application code.
What Happened
SafeDep uses the Miasma worm as the worked example. In one campaign, attackers planted a large .github/setup.js dropper and then wired ordinary tooling files to run it. The launcher files were small and familiar: .claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, .vscode/tasks.json, package.json, composer.json, and Gemfile.
Each file used a different trigger. Some ran when an AI coding session started. One asked Cursor to run the script as a project setup step. VS Code used a task with runOn: folderOpen. Package-manager files used scripts that fire during install, test, or bundle commands.
That makes the attack broader than malicious dependencies. The dependency may be clean. The repository config is the execution path.
Why SRE Teams Should Care
Developer tooling now sits close to production credentials. Local shells often have GitHub tokens, cloud credentials, Kubernetes contexts, npm tokens, Vault access, and private repository access. CI runners have even more authority.
A poisoned config file can:
- run during a trusted editor open
- execute when an agent session starts
- hijack
npm test,composer install, orbundle exec - steal credentials from local or CI environments
- modify source before review
- bypass dependency scanners that only inspect package metadata
The uncomfortable lesson is that repo config belongs in the trusted computing base. Treat it like code, because many tools already do.
Fast Review Checks
Before opening an unfamiliar repository in a trusted editor or agent, inspect the config surface from a plain terminal:
find . -maxdepth 3 -type f \( -path './.claude/*' -o -path './.gemini/*' -o -path './.cursor/*' -o -path './.vscode/*' -o -name 'package.json' -o -name 'composer.json' -o -name 'Gemfile' \) -print
grep -rInE 'folderOpen|SessionStart|post-install-cmd|postCreateCommand|node \.github/setup\.js' .claude .gemini .cursor .vscode package.json composer.json Gemfile 2>/dev/null
grep -nE '^[[:space:]]*(system|exec|`)' Gemfile 2>/dev/null
These commands are not a complete scanner. They are a fast tripwire for the most obvious execution hooks. Platform teams should turn this idea into policy: flag new editor hooks, agent rules, package scripts, devcontainer lifecycle commands, and top-level shell-outs during review.
Operational Controls
Start by separating "clone" from "trust." A repository should not become trusted just because a developer wants to read it. Use restricted editor mode for unfamiliar repos, and avoid launching AI agents inside unknown workspaces until config files have been reviewed.
Next, harden CI. Treat changes to dotfiles and tool config as high-signal review items. Require approval for new package.json lifecycle scripts, .vscode/tasks.json, .claude/settings.json, .gemini/settings.json, .cursor/rules, composer.json scripts, Gemfile shell-outs, and devcontainer.json commands.
Finally, reduce blast radius. Use short-lived tokens, split local read tokens from release tokens, rotate credentials after suspected exposure, and run high-risk research in disposable sandboxes without production cloud access.
Conclusion
Config files that run commands are executable infrastructure. They deserve the same review discipline as CI workflows, package scripts, and deployment manifests. For SRE teams adopting AI coding agents, this matters even more: any repo instruction file can become an execution request once an agent has shell access.
If you want to turn supply-chain findings into tracked operational work, Akmatori helps SRE teams automate infrastructure checks, incident response, and remediation flows. For the cloud and edge foundation behind modern platforms, Gcore provides the global infrastructure to run reliably at scale.