Yes, the miasma worm does this since the new Hades campaign.

Note that the 3rd wave now also uses a pth file in pypi packages that _search system wide_ for any index.js or .github/setup.js to find its own payload. It literally splits up the payload on purpose to avoid detection.

Mitigation Tool: https://github.com/cookiengineer/antimiasma

Technical Blog Post: https://cookie.engineer/weblog/articles/malware-insights-mia...