r/StableDiffusion: PSA — GitHub Repo Impersonates Legitimate ComfyUI Custom Node Claude Skills, Injects Malicious Backdoor Code
Summary
A community warning on r/StableDiffusion flags MusfiqurRahma/comfyui-custom-node-skills as a near-identical fork of the legitimate jtydhr88/comfyui-custom-node-skills into which malicious code has been injected. The poster discovered the repo while searching for Claude coding-skill integrations for ComfyUI. Users are urged to audit any recently installed ComfyUI custom nodes and verify their source repos. The incident follows a broader wave of AI-tool supply-chain attacks in 2026, including the Miasma npm worm and the TrapDoor PyPI campaign.
Originally reported by reddit.com
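One way to run the audit urged above, as an added example that is not code from the Reddit post or from either repository: it reads the `origin` remote of every git checkout in a directory and compares it with the two repo names given in the summary. The directory argument (for instance a ComfyUI `custom_nodes` folder), the verdict labels and the function names are assumptions made for this sketch.

```python
import re
import sys
from pathlib import Path

# Both slugs are the ones named in the PSA, lowercased (GitHub names are case-insensitive).
FLAGGED = "musfiqurrahma/comfyui-custom-node-skills"
LEGITIMATE = {"jtydhr88/comfyui-custom-node-skills"}
_GITHUB = re.compile(r"github\.com[:/]+([^/\s]+)/([^/\s]+?)(?:\.git)?/?$", re.I)

def origin_url(repo_dir):
    """Return the URL of the 'origin' remote from .git/config, or None."""
    cfg = Path(repo_dir) / ".git" / "config"
    if not cfg.is_file():
        return None  # zip download or copied folder: origin cannot be verified
    in_origin = False
    for line in cfg.read_text(errors="replace").splitlines():
        line = line.strip()
        if line.startswith("["):
            in_origin = line.replace(" ", "") == '[remote"origin"]'
        elif in_origin and re.match(r"url\s*=", line):
            return line.split("=", 1)[1].strip()
    return None

def slug(url):
    """Normalise HTTPS and SSH GitHub URLs to 'owner/repo' in lowercase."""
    m = _GITHUB.search(url or "")
    return f"{m.group(1)}/{m.group(2)}".lower() if m else None

def classify(url):
    if url is None:
        return "no-git-metadata"
    s = slug(url)
    if s == FLAGGED:
        return "flagged-in-psa"
    if s in LEGITIMATE:
        return "expected-origin"
    # Same repo name under another owner is the impersonation pattern described above.
    if s and s.split("/")[1] in {x.split("/")[1] for x in LEGITIMATE}:
        return "same-name-different-owner"
    return "unlisted"

def audit(nodes_dir):
    """Map each sub-directory name to (origin URL, verdict)."""
    dirs = sorted(d for d in Path(nodes_dir).iterdir() if d.is_dir())
    return {d.name: (origin_url(d), classify(origin_url(d))) for d in dirs}

if __name__ == "__main__":
    for name, (url, verdict) in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{verdict:26} {name}  {url or '-'}")
```

A verdict of `expected-origin` only confirms where the checkout was cloned from; it says nothing about local modifications, so `no-git-metadata` and `unlisted` entries still need a manual look.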