The source code for the Miasma credential-stealing worm, an evolution of the earlier Shai-Hulud malware, was intentionally leaked on GitHub through multiple compromised developer accounts, in repositories named Miasma-Open-Source-Release. Miasma infects developer machines, steals build-environment and cloud credentials, then compromises legitimate repositories to publish trojanized packages that infect downstream developers, in an autonomous, self-propagating cycle. The malware needs no dedicated command-and-control infrastructure; it uses GitHub for that role. It targets npm, PyPI, and RubyGems packages, as well as GitHub Actions workflows and JFrog Artifactory instances.
The framework also moves laterally over SSH and AWS Systems Manager, and poisons the configurations of AI coding tools including Claude, Gemini, Cursor, Copilot, Kiro, and Cline. A notable feature is a dead-man switch installed when the malware uses a stolen GitHub token as its exfiltration channel: it checks the token's validity every minute and, if the token has been revoked, recursively deletes the user's home and Documents folders. For responders this means an infected host should be isolated and its data preserved before the token is revoked. A five-stage build pipeline generates a unique payload per build using per-file AES-256-GCM encryption, randomized string obfuscation, and three-layer encryption wrappers.
Miasma has previously been linked to high-profile attacks against Red Hat npm packages and 73 Microsoft repositories on GitHub, and it can also compromise CI/CD systems, password managers, Kubernetes clusters, and secret stores. The earlier leak of Shai-Hulud led to more advanced variants and an increased rate of attacks, and similar effects are expected from the Miasma source code leak. Developers are advised to pin dependencies, introduce a delay before adopting newly published package versions, and validate builds in isolated test environments.
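The "delay before adopting new package versions" advice can be automated as a cooldown check against registry publication timestamps, so that a version trojanized and pushed minutes ago is never selected. The following Python is an added example written for this page, not code from the article or from any tool it names; it assumes the shape of the `time` object the npm registry returns for a package (version string to ISO-8601 publish time, plus `created`/`modified` keys), and the package data and "current" date are constructed for the example.

```python
"""Cooldown resolver: pick the newest release that is at least N days old.

Added example, not from the original article. Assumes the npm registry's
``time`` map shape ({version: ISO-8601 publish timestamp, plus "created" and
"modified" keys); PyPI/RubyGems metadata can be mapped into the same dict.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample (invented package history) of a registry "time" map.
SAMPLE_TIME: Dict[str, str] = {
    "created": "2024-01-10T12:00:00.000Z",
    "modified": "2024-06-04T10:00:00.000Z",
    "1.0.0": "2024-01-10T12:00:00.000Z",
    "1.1.0": "2024-03-15T09:00:00.000Z",
    "1.1.1": "2024-05-20T14:45:00.000Z",
    "1.2.0": "2024-06-02T08:30:00.000Z",      # very recent: suspicious under a cooldown
    "1.3.0-beta.1": "2024-06-04T10:00:00.000Z",  # prerelease: never auto-selected
}

# Constructed "now" so the example is deterministic and runs offline.
EXAMPLE_NOW = datetime(2024, 6, 5, tzinfo=timezone.utc)


def parse_version(v: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) for a plain release version, else None.

    Non-version keys ("created", "modified") and prerelease tags ("1.3.0-beta.1")
    are rejected so they are never chosen by the resolver.
    """
    if "-" in v or "+" in v:
        return None
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def _publish_time(ts: str) -> datetime:
    # The registry uses a trailing "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def eligible_versions(time_map: Dict[str, str], now: datetime, min_age_days: int) -> List[str]:
    """All release versions published at least ``min_age_days`` before ``now``, ascending."""
    cutoff = now - timedelta(days=min_age_days)
    found: List[Tuple[Tuple[int, ...], str]] = []
    for version, ts in time_map.items():
        parsed = parse_version(version)
        if parsed is None:
            continue
        if _publish_time(ts) <= cutoff:
            found.append((parsed, version))
    return [v for _, v in sorted(found)]


def pick_version(time_map: Dict[str, str], now: Optional[datetime] = None,
                 min_age_days: int = 7) -> Optional[str]:
    """Newest version that has survived the cooldown, or None if nothing qualifies."""
    if now is None:
        now = datetime.now(timezone.utc)
    eligible = eligible_versions(time_map, now, min_age_days)
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    for days in (0, 7, 30):
        print(f"cooldown {days:>2}d -> {pick_version(SAMPLE_TIME, EXAMPLE_NOW, days)}")
```

With a 7-day cooldown the resolver skips the 1.2.0 release published three days earlier and returns 1.1.1; with no cooldown it returns 1.2.0. The selected version should then be written into a lockfile and installed with `npm ci`, so the decision made here is what CI reproduces, and an empty result (no version old enough) should fail the build rather than fall back to the latest tag.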
