safedep.io via Reddit

Miasma Hits 13 AI Coding Tools, Hides C2 in GitHub

anthropic microsoft cursor cybersecurity coding tools supply-chain security

Key insights

  • Miasma routes all C2 through stolen GitHub PATs across three named channels, leaving no traditional server infrastructure for defenders to seize.
  • A dead-man switch polling every 60 seconds executes rm -rf ~/; rm -rf ~/Documents the moment a victim revokes their stolen token.
  • Thirteen AI coding tools including Claude, Gemini, Cursor, Copilot, Kiro, and Cline receive config-file injection as part of payload delivery.

Why this matters

Miasma's GitHub-native C2 design turns a universally trusted developer platform into attack infrastructure, making conventional takedown and IP-blocking strategies ineffective against this class of supply chain threat. The config-file injection across 13 AI coding tools directly targets environments where developers now grant elevated trust and codebase access to AI assistants, a high-value attack surface that did not exist at scale two years ago. The toolkit's self-replicating loop, where each compromised account leaks fresh credentials into public commits for the next victim to harvest, means infection scale grows with the developer ecosystem rather than with attacker effort.

Summary

SafeDep's technical teardown of the Miasma supply chain attack toolkit, obtained from a public GitHub repository, reveals an architecture built to survive takedown: rather than traditional C2 servers, the entire operation runs through stolen GitHub Personal Access Tokens routed across three distinctly named command channels. A dead-man switch polls token validity every 60 seconds and fires `rm -rf ~/; rm -rf ~/Documents` the moment a victim revokes a stolen token. Thirteen AI coding tools including Claude, Gemini, Cursor, Copilot, Kiro, and Cline receive configuration file poisoning. Harvested credentials from AWS, Azure, GCP, Kubernetes, Vault, 1Password, and Bitwarden fuel lateral movement through AWS SSM and SSH pivoting. Five layers of obfuscation protect the build pipeline, with per-invocation AES-128-GCM encryption. Essentially: (SafeDep, GitHub) are at the center of this disclosure. - No infrastructure to seize: the toolkit is documented as requiring only "Stolen GitHub PATs." - Fast-path and slow-path propagation target npm, PyPI, and RubyGems via credential theft and OIDC workflow abuse. - "Living Off The Pull Request" (LOTP) injects payloads into 12+ language build files, from Makefiles to Dockerfiles. Each compromised account exposes fresh stolen credentials in public commits, recruiting the next victim without any direct attacker involvement.

Potential risks and opportunities

Risks

  • Developers using any of the 13 targeted AI coding tools risk silent exfiltration of a full cloud credential set spanning AWS, Azure, GCP, Kubernetes, Vault, 1Password, and Bitwarden from a single config-file infection.
  • npm, PyPI, and RubyGems package ecosystems face trojanized releases via Miasma's OIDC workflow abuse and semver tag force-pushing, potentially reaching downstream users before registries detect the change.
  • GitHub faces pressure to restrict the commit-search and PAT-based patterns Miasma uses as covert C2 channels, since the attack generates no external network indicators of compromise that existing tooling monitors.

Opportunities

  • Supply chain security vendors (Chainguard, Endor Labs, Socket) can address Miasma's LOTP injection and OIDC workflow abuse at the dependency and CI layer before payload execution reaches developer machines.
  • Password manager vendors 1Password and Bitwarden have a differentiation opportunity by adding detection for the config-file harvesting patterns Miasma specifically targets against their credential stores.
  • GitHub can convert an attacker-abused API surface into a detection layer by alerting on the commit-search query patterns the three named Miasma C2 channels use for covert command delivery.

What we don't know yet

  • Attribution: SafeDep's analysis covers toolkit internals from a leaked repository but names no threat actor, criminal group, or nation-state link behind Miasma's development or active deployment.
  • Whether vendors of the 13 targeted AI coding tools, including Anthropic, Microsoft, and Google, have been notified and issued mitigations as of June 9, 2026.
  • Deployment scale: the report does not quantify how many GitHub PATs have been stolen or how many developer accounts are currently infected with active Miasma monitors.

Originally reported by safedep.io

Read the original article →

Original headline: Miasma Supply Chain Toolkit Internals Published: Dead-Man Switch Destroys Home Directory, C2 Hidden in GitHub Commits, 13 AI Coding Tools Targeted Including Claude Code and Cursor