bleepingcomputer.com via Reddit

Miasma Worm Source Code Briefly Exposed on GitHub

cybersecurity open source coding tools ai-security supply-chain

Key insights

  • Miasma uses GitHub as its own C2 infrastructure, eliminating the need for external command servers and complicating takedowns.
  • A dead-man switch destroys data if stolen GitHub tokens are revoked, punishing defenders who try to cut access.
  • SafeDep linked the framework to attacks on Red Hat npm packages and 73 Microsoft GitHub repositories.

Why this matters

Miasma directly targets the CI/CD pipelines and cloud credentials that AI and software teams depend on, meaning a single infected developer machine can cascade into full infrastructure compromise. Its design as a no-C2 worm using GitHub as command-and-control makes it unusually resistant to traditional network-based blocking, forcing teams to rethink token hygiene and repository access at the architecture level. With source code now exposed, security teams face a narrow window before refined variants with modified signatures begin circulating and defeating current detection rules.

Summary

Miasma's source code was briefly published to GitHub in June 2026, per SafeDep researchers. An evolution of the Shai-Hulud worm, it targets developer machines, harvesting CI/CD and cloud credentials before publishing trojanized packages downstream. It uses GitHub as its own C2 infrastructure and includes a dead-man switch that executes destructive commands if stolen tokens are revoked. A five-stage build pipeline produces AES-256-GCM encrypted payloads. It has been linked to Red Hat npm packages and 73 Microsoft GitHub repositories. SafeDep describes it as essentially a worm that turns the developer toolchain against itself.

  • Lateral movement via SSH and AWS Systems Manager exposes cloud infrastructure directly.
  • Source-code leaks historically accelerate variant development across the ecosystem.
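As an added defender-side illustration, not code from the article or from SafeDep: a small heuristic over constructed GitHub-audit-log-style events that flags an actor whose token both creates a repository and pushes to many distinct repositories within a short window, the kind of token-anomaly check that a GitHub-as-C2 design calls for. The event shape, the action names and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of GitHub audit-log events:
# (timestamp, actor, action, repo). Not real data and not a Miasma indicator.
SAMPLE_EVENTS = [
    ("2026-06-01T09:00:00", "alice", "git.push", "org/app"),
    ("2026-06-01T09:05:00", "alice", "git.push", "org/app"),
    ("2026-06-01T09:06:00", "alice", "repo.create", "alice/build-cache"),
    ("2026-06-01T09:06:30", "alice", "git.push", "alice/build-cache"),
    ("2026-06-01T09:07:00", "alice", "git.push", "org/lib-a"),
    ("2026-06-01T09:07:20", "alice", "git.push", "org/lib-b"),
    ("2026-06-01T09:07:40", "alice", "git.push", "org/lib-c"),
    ("2026-06-01T09:08:00", "alice", "git.push", "org/lib-d"),
    ("2026-06-01T10:00:00", "bob", "git.push", "org/app"),
]


def parse(events):
    """Convert ISO timestamps to datetimes and order events chronologically."""
    parsed = [(datetime.fromisoformat(t), a, act, r) for t, a, act, r in events]
    return sorted(parsed, key=lambda e: e[0])


def flag_worm_like_actors(events, window=timedelta(minutes=10), repo_threshold=4):
    """Flag actors that, inside one time window, both create a repository and
    push to at least repo_threshold distinct repositories.  This is a
    hand-written heuristic (assumed thresholds) for the "stage on GitHub, then
    spread to every reachable repo" pattern, not a published signature."""
    by_actor = {}
    for ts, actor, action, repo in parse(events):
        by_actor.setdefault(actor, []).append((ts, action, repo))
    findings = {}
    for actor, evs in by_actor.items():
        for i, (start, _, _) in enumerate(evs):
            pushed, created = set(), False
            for ts, action, repo in evs[i:]:
                if ts - start > window:
                    break
                if action == "repo.create":
                    created = True
                elif action == "git.push":
                    pushed.add(repo)
            if created and len(pushed) >= repo_threshold:
                findings[actor] = {"window_start": start.isoformat(), "repos": sorted(pushed)}
                break  # one finding per actor is enough to raise an alert
    return findings


if __name__ == "__main__":
    for actor, hit in flag_worm_like_actors(SAMPLE_EVENTS).items():
        print(f"{actor}: {len(hit['repos'])} repos touched from {hit['window_start']}")
```

Because the article notes that the dead-man switch fires on token revocation, treat a hit as a trigger to isolate the originating host and contain what the token can reach first, rather than as an automatic revoke.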

Potential risks and opportunities

Risks

  • Red Hat and Microsoft, with repositories already linked to Miasma activity, face potential customer audits and security inquiries if downstream packages remain unverified.
  • Developers who pulled from affected Red Hat npm packages or Microsoft GitHub repositories before the June 2026 disclosure may be running trojanized code, with no public list of affected package versions yet released.
  • The source code leak makes Miasma's AES-256-GCM payload pipeline available to anyone, accelerating variant development and increasing exposure for CI/CD pipelines before new detection signatures are deployed.

Opportunities

  • GitHub can build proactive token anomaly detection using the leaked Miasma source code, converting the exposure into a defensive product for developers already running CI/CD through its platform.
  • AWS has a direct product case to promote hardened Systems Manager access controls given Miasma's documented use of the service for lateral movement.
  • SafeDep and similar supply-chain security researchers who analyzed Miasma are positioned to offer managed detection services before variants emerge from the leaked code.

What we don't know yet

  • The exact publication date beyond 'June 2026' has not been publicly confirmed, leaving defenders without a precise exposure window.
  • Whether GitHub has fully removed the leaked repositories or if accessible mirrors persist is not addressed in the reporting.
  • Attribution for who leaked the source code and whether the release was intentional or accidental remains unresolved in public reporting.