
The ‘Miasma’ worm source code briefly leaked on GitHub

Severity: Medium
Tags: Vulnerability, RCE
Published: Wed Jun 10 2026 (06/10/2026, 20:27:08 UTC)
Source: Bleeping Computer

Description

The Miasma worm is a credential-stealing attack framework that targets open-source ecosystems through supply-chain attacks. Its source code was deliberately leaked on GitHub by the threat actors behind it. Miasma infects developer machines, steals build-environment and cloud credentials, and uses them to compromise repositories and packages, publishing trojanized versions to propagate further. It operates without traditional command-and-control infrastructure, using GitHub itself as its control channel. The malware harvests credentials from a wide range of sources and can move laterally over SSH and AWS Systems Manager (SSM). It also carries a destructive dead-man switch that deletes user files if the stolen tokens are revoked. The source leak is expected to increase both the rate of attacks and the number of variants, posing significant risk to open-source supply chains. Developers are advised to pin dependencies, delay adoption of newly published packages, and validate builds in isolated environments.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/10/2026, 20:29:06 UTC

Technical Analysis

Miasma is a worm-like credential-stealing framework that targets open-source software supply chains by compromising developer machines and the cloud credentials held on them. It propagates autonomously by trojanizing legitimate repositories and packages across ecosystems such as npm, PyPI and RubyGems, as well as GitHub repositories and CI/CD workflows. GitHub itself serves as the command-and-control channel, so the operators need no external infrastructure. The malware harvests secrets from cloud providers, CI/CD systems, password managers, Kubernetes and secret stores, and moves laterally via SSH and AWS Systems Manager. A notable feature is a dead-man switch that triggers destructive file deletion if the stolen GitHub tokens are revoked. The source-code leak on GitHub was deliberate, mirroring an earlier leak of the related Shai-Hulud worm, and is expected to accelerate the development and deployment of more capable variants, increasing the threat to open-source ecosystems.

Potential Impact

With the source code public, threat actors can build customized variants that rapidly compromise developer environments and open-source supply chains, leading to widespread injection of trojanized packages and repository compromises and undermining the integrity of dependencies used globally. The malware's ability to steal cloud and build credentials and move laterally, combined with its use of GitHub rather than dedicated infrastructure as a control channel (its traffic looks like ordinary developer use of GitHub), increases the risk of persistent, hard-to-detect supply-chain compromise. The destructive dead-man switch adds a risk of data loss on infected hosts when stolen tokens are revoked. Overall, this raises the threat level to open-source software development and distribution processes.

Mitigation Recommendations

No patch or fix applies: this is a malware source-code leak, not a software vulnerability. Developers should reduce exposure by pinning dependencies to known-good versions (with lockfile integrity hashes, so the pinned bits cannot be swapped underneath the pin), introducing a multi-day cooldown before adopting newly published package versions, and validating new builds in isolated test environments that hold no production or long-lived cloud credentials, since the credentials a build can reach are exactly what Miasma is after. Monitoring for unusual repository and package activity (unexpected publishes, new or modified workflow files, tokens used from unfamiliar hosts) and promptly revoking compromised credentials are also advisable. Because the dead-man switch destroys user files when stolen tokens are revoked, responders should isolate and image an infected developer machine before revoking its tokens, and treat every secret that machine could reach as compromised.
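A practical way to enforce the first two recommendations (pin, and wait before adopting) is a pre-install audit that fails CI when a manifest still declares version ranges or when a resolved version is younger than a cooldown window. The script below is an added example, not code from the article, from OffSeq or from any project the page describes. The manifest, lockfile and registry-timestamp data are constructed, and the input shapes (an npm-style `dependencies` map, a name-to-version lockfile, and a version-to-timestamp map in the shape of the npm registry's `time` field) and the helper names `unpinned`, `too_fresh` and `audit` are assumptions.

```python
"""Dependency cooldown and pinning audit (added example; constructed data).

Assumed input shapes: an npm-style manifest ({"dependencies": name -> spec}),
a lockfile mapping name -> resolved version, and per-package publish
timestamps shaped like the npm registry's "time" field (version -> ISO-8601 UTC).
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed manifest: what the project declares.
MANIFEST = {
    "dependencies": {
        "left-pad": "1.3.0",    # exact pin
        "chalk": "^5.3.0",      # caret range: floats to the newest 5.x
        "lodash": "~4.17.21",   # tilde range: floats to the newest 4.17.x
        "colors": "*",          # anything at all
        "tiny-glob": "0.2.9",   # pinned, but REGISTRY_TIME has no metadata for it
    }
}

# Constructed lockfile: what actually resolved on the last install.
LOCK = {
    "left-pad": "1.3.0",
    "chalk": "5.4.1",
    "lodash": "4.17.21",
    "colors": "1.4.2",
    "tiny-glob": "0.2.9",
}

# Constructed registry metadata in the shape of npm's "time" field.
# In practice this comes from GET https://registry.npmjs.org/<name> -> "time".
REGISTRY_TIME = {
    "left-pad": {"1.3.0": "2018-04-24T22:14:30.000Z"},
    "chalk": {"5.3.0": "2023-06-14T10:11:12.000Z",
              "5.4.1": "2026-06-09T18:00:00.000Z"},
    "lodash": {"4.17.21": "2021-02-20T15:42:16.000Z"},
    "colors": {"1.4.2": "2026-06-10T02:30:00.000Z"},
    # "tiny-glob" deliberately absent: lookup failed or the package is unknown.
}

# Fixed clock so the example is reproducible; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2026, 6, 10, 20, 0, 0, tzinfo=timezone.utc)

EXACT = re.compile(r"^\d+\.\d+\.\d+$")


def unpinned(manifest: dict) -> list[str]:
    """Names whose declared spec is a range (^, ~, *, >=, ...) rather than an exact version."""
    deps = manifest.get("dependencies", {})
    return sorted(name for name, spec in deps.items() if not EXACT.match(spec.strip()))


def _parse_ts(ts: str) -> datetime:
    # npm emits a trailing 'Z'; spell it out as +00:00 so fromisoformat accepts it everywhere.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def too_fresh(lock: dict, registry_time: dict, min_age_days: float,
              now: datetime = NOW) -> dict[str, float]:
    """Resolved versions younger than min_age_days, mapped to their age in days.

    A version with no registry timestamp cannot be vetted and is reported as -1.0
    so that a failed metadata lookup is never silently treated as 'old enough'.
    """
    flagged: dict[str, float] = {}
    for name, version in lock.items():
        ts = registry_time.get(name, {}).get(version)
        if ts is None:
            flagged[name] = -1.0
            continue
        age_days = (now - _parse_ts(ts)).total_seconds() / 86400
        if age_days < min_age_days:
            flagged[name] = round(age_days, 3)
    return flagged


def audit(manifest: dict, lock: dict, registry_time: dict,
          min_age_days: float = 7, now: datetime = NOW) -> dict:
    """Run both checks; 'ok' is False whenever anything needs a human look."""
    ranges = unpinned(manifest)
    fresh = too_fresh(lock, registry_time, min_age_days, now)
    return {"unpinned": ranges, "too_fresh": fresh, "ok": not ranges and not fresh}


if __name__ == "__main__":
    report = audit(MANIFEST, LOCK, REGISTRY_TIME)
    for name in report["unpinned"]:
        print(f"UNPINNED  {name}: spec {MANIFEST['dependencies'][name]!r} resolved to {LOCK[name]}")
    for name, age in report["too_fresh"].items():
        state = "no registry timestamp" if age < 0 else f"published {age} days ago"
        print(f"TOO FRESH {name}@{LOCK[name]}: {state}")
    raise SystemExit(0 if report["ok"] else 1)
```

Run it as a CI step before `npm ci` (or the equivalent for PyPI or RubyGems with the same input shapes) and let the non-zero exit block the build. Two design choices matter: a version whose publish time cannot be fetched is reported rather than skipped, because an unvettable package is exactly the case a worm that publishes trojanized versions benefits from; and the cooldown is applied to the version that actually resolved in the lockfile, not to the declared spec, since a `^` range can pull a day-old release without any change to the manifest. Pinning alone does not protect against a malicious version that was already pinned, which is why the cooldown and the isolated validation build are recommended alongside it.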


Technical Details

Article Source
https://www.bleepingcomputer.com/news/security/the-miasma-worm-source-code-briefly-leaked-on-github/ (fetched 2026-06-10T20:28:56Z, 848 words)

Threat ID: 6a29c9080e53e73883925a79

Added to database: 6/10/2026, 8:28:56 PM

Last enriched: 6/10/2026, 8:29:06 PM

Last updated: 6/10/2026, 9:33:34 PM

