GSD Rug Pull Unleashed: How an Abandoned AI Project Became Your Worst Nightmare

Listen to this Post

Featured Image

Introduction

In a bizarre yet revealing incident, an AI project called “Get Shit Done” (GSD) touted as a revolutionary agentic operating system, performed a classic crypto “rug pull” soon after launching its $GSD token. The creator vanished after cashing out, but the graver issue is a persistent backdoor: the original maintainer still has the keys to the official GSD NPM packages. As GSD agents frequently run with high-level `bash` shell privileges, this residual access creates a ticking security bomb that could distribute malicious updates at any moment.

Learning Objectives

  • Supply Chain Attack Anatomy: Understand how a simple cryptocurrency scam evolved into a persistent software supply chain hazard via NPM publish access.
  • AI Agent Privilege Escalation: Analyze the risks when autonomous agents operate with broad shell and file system permissions.
  • Incident Response & Hardening: Learn step‑by‑step procedures to audit dependencies, revoke compromised tokens, and sandbox AI agents.

You Should Know

  1. Anatomy of the GSD Rug Pull: From Token Exit to Persistent NPM Backdoor
    The GSD incident follows a now‑familiar pattern: a promising AI tool secures a hackathon win, launches a token, and is then abandoned by its founder. The founder, who operated under the handle @official_taches, publicly declared the project obsolete, posted a farewell message, and deleted his social accounts. Community monitoring soon revealed that he had removed approximately $500,000 through liquidity withdrawal and token sales.

However, the real danger lies in what was left behind. The original maintainer retains ownership of the official NPM packages (get-shit-done-cc and @gsd-build/sdk). This means that at any point, he – or any attacker who compromises his account – can push a malicious update directly into the global supply chain. Since GSD is designed to run with elevated `bash` privileges on developers’ local machines, such an update could have devastating consequences, ranging from credential theft to full system compromise.

> NPM Supply Chain Attack Timeline (Real‑World Example)

>

In September 2025, a phishing attack against the maintainer of the `chalk` package gave attackers control of his NPM account. Within 16 minutes, malicious updates were pushed to `chalk` and 17 other widely used packages. The injected code acted as a cryptoclipper, capable of intercepting and redirecting cryptocurrency transactions. Although the payload had flaws that limited the financial damage, the speed and scale of the attack demonstrate how easily a single compromised maintainer can become a supply‑chain bomb.

Step‑by‑Step Guide: Auditing Your Dependencies for Compromised NPM Packages

  1. List all dependencies that originate from potentially unsafe sources:

`npm list –depth=0 | grep -E “get-shit-done|@gsd-build”`

  1. Inspect the `package.json` for suspicious preinstall, postinstall, or `install` scripts:

`grep -A3 -B3 “preinstall\|postinstall\|install” package.json`

  1. Check for encrypted or obfuscated code blocks inside the installed package:
    `find node_modules/ -type f -name “.js” -exec grep -l “eval\|atob\|fromCharCode\|Buffer.from” {} \;`
  2. Analyze network calls made by the package during installation using a proxy or sandbox:
    `curl -fsSL https://bun.sh/install | bash` (a known technique from the Shai‑Hulud worm)

  3. Use a dedicated scanner like `socket` or npm audit:

`npx socket` or `npm audit –production`

  1. If any anomaly is detected, immediately revoke all credentials stored on the machine, rotate NPM and GitHub tokens, and reinstall packages from a clean lockfile:

`rm -rf node_modules package-lock.json && npm install`

  1. AI Agents and Elevated Shell Access: Why They Are Prime Targets
    GSD agents are not passive libraries; they are active assistants that frequently require shell and file‑system permissions to perform tasks such as running tests, modifying code, and installing dependencies. This design reflects a broader trend in agentic AI where models are granted broad, “just‑in‑case” authority to reduce operational friction.

> The Rise of the Ghost Agent

>

Autonomous AI systems, often called “ghost agents,” represent the largest expansion of organisational authority we have ever seen. Traditional security models verify who has access, but they do not evaluate the intent behind that access. An AI agent with standing privileges may behave exactly as designed but still cause catastrophic damage if its inputs are manipulated.

The GSD case is a perfect example of the context gap. The original maintainer’s credentials are still valid from the NPM registry’s perspective. If he were to push an update that includes, for instance, a `postinstall` script that downloads and executes a remote payload, any developer who updates the package would unknowingly hand over root access to an attacker.

Step‑by‑Step Guide: Hardening AI Agents with Sandboxing and Guardrails

  1. Run the agent inside an isolated sandbox such as NVIDIA OpenShell, which wraps the agent in kernel‑level isolation. Define a YAML policy to restrict filesystem access, network egress, and allowed privileges:
    openshell-policy.yaml
    filesystem:
    allowed_paths: ["/workspace/"]
    blocked_patterns: ["/.ssh/", "/.aws/"]
    network:
    allowed_domains: ["github.com", "api.openai.com"]
    blocked_ips: ["0.0.0.0/0"]
    

Apply the policy with:

`openshell run –policy openshell-policy.yaml — cmd /c “your-agent-command”`

  1. Use a pre‑execution guardrail like `safer` to intercept dangerous commands. By default, `safer` allows only read‑only actions. To grant write access, you must explicitly add a flag:

`safer bash -lc ‘rm go.mod’` (blocked)

`safer –data-delete bash -lc ‘rm go.mod’` (allowed)

  1. Deploy an MCP‑level shield such as aperion-shield, which sits between the AI agent and any real MCP servers. It evaluates 45+ adaptive safety rules for SQL, git, filesystem, secrets exfiltration, and privilege escalation. A malicious `rm -rf` call would be blocked, and you would be prompted for approval:
    aperion-shield --block
    

    For high‑risk actions, the shield can even require biometric verification before forwarding the call.

  2. Enforce the principle of least privilege by granting capabilities only when needed. For example, if the agent must install an NPM package, allow only the `–dw` (data write) flag, not full system access:

`safer –dw npm install axios`

  1. Community Fork to the Rescue: How “Get Shit Done Redux” Mitigates the Risk
    In response to the rug pull, the open‑source community acted swiftly. A new fork – Get Shit Done Redux – has been created, stripping the original maintainer of any publishing rights. The fork is available under the `open-gsd` GitHub organisation and uses the NPM package name `get-shit-done-redux` instead of the original get-shit-done-cc.

The community has performed a security audit of the codebase and removed any traces of the original maintainer’s hooks. The GitHub repository is now hosted at:
– GitHub: `https://github.com/open-gsd/get-shit-done-redux`
– NPM (main): `get-shit-done-redux`
– NPM (SDK): `@gsd-redux/sdk`

Step‑by‑Step Guide: Migrating to the Safe Fork

1. Uninstall the original package from your project:

`npm uninstall get-shit-done-cc @gsd-build/sdk`

2. Install the Redux fork instead:

`npm install get-shit-done-redux@latest @gsd-redux/sdk@latest`

  1. Update any configuration files that reference the old package. For example, if your `package.json` or shell scripts called npx get-shit-done-cc, replace it with:

`npx get-shit-done-redux`

  1. Rebuild the agent’s context using the new commands:

`/gsd-map-codebase` followed by `/gsd-new-project`

  1. Verify the integrity of the new installation by checking the package signature (if available) or by reviewing the source code directly on GitHub.

4. Credential Rotation and Post‑Incident Hardening

Even if you have not yet used GSD, the GSD incident is a wake‑up call for anyone who relies on NPM packages. If any package in your supply chain could be controlled by a maintainer who has lost interest (or worse, turned malicious), you are at risk.

Step‑by‑Step Guide: Bulletproofing Your NPM Supply Chain

  1. Enforce session‑based tokens for NPM publishing. Since December 2025, npm has revoked classic long‑lived tokens and now uses short‑lived session tokens (typically two hours). Ensure your CI/CD pipelines use `npm login` with MFA and do not store static tokens.

  2. Adopt OIDC Trusted Publishing whenever possible. This allows CI systems to obtain per‑run credentials instead of storing secrets at rest.

  3. Use `pnpm` with minimum release age enabled by default. This feature blocks packages that are younger than a configured threshold, reducing the window for zero‑day supply‑chain attacks.

  4. Run automated scans on every pull request. Tools like `socket` or `npm audit` can detect typosquatting, malicious preinstall scripts, and unusual network activity.

    npx socket --strict
    npm audit --omit=dev
    

  5. Isolate your build environment. Run builds inside ephemeral containers (e.g., using Docker) and never expose production credentials to the build process. Use secret managers (AWS Secrets Manager, HashiCorp Vault) and inject secrets only at runtime.

What Undercode Say

  • Key Takeaway 1: A cryptocurrency scam and a software supply‑chain vulnerability are no longer separate events. The GSD rug pull shows how the same human failure – losing control over a maintainer’s account – can enable both financial fraud and technical sabotage.
  • Key Takeaway 2: AI agents with broad shell access are a prime attack vector. The community’s response of forking the project and performing an independent security audit is the correct model for mitigating such risks. However, the ultimate solution lies in preventative measures: sandboxing, guardrails, and continuous monitoring of agent actions.

Prediction

As autonomous AI agents become integral to software development, we will see a sharp rise in “agent‑targeted” supply‑chain attacks. Attackers will not only compromise packages but also craft specific prompts and tool calls designed to manipulate AI behaviour. The industry will respond with standardised sandboxing frameworks (e.g., OpenShell, safer) and real‑time policy enforcement at the MCP level. Ultimately, the trust model for open‑source maintainers will have to evolve from “one person, one key” to decentralised, role‑based publishing controls, possibly using blockchain or threshold‑signature schemes. The GSD incident is not an anomaly; it is a blueprint for the next generation of software supply‑chain threats.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Volar Get – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky