"It is a full supply chain attack toolkit that allows the operator to execute various attacks via stolen credentials against arbitrary or targeted packages on public registries (PyPI, npm, RubyGems), JFrog Artifactory, GitHub repositories and GitHub Actions, AI coding tools config poisoning, SSH based lateral movement and other attack vectors," SafeDep researchers wrote after analysing a now-removed repository.
SafeDep finds "Miasma-Open-Source-Release" repositories published from compromised accounts
SafeDep, a company that develops Package Management Guard (PMG) and focuses on open source supply-chain security, said repositories named "Miasma-Open-Source-Release" started appearing on GitHub on Monday and continued to be published over the following 24 hours. The company said the uploads likely used previously compromised developer accounts. SafeDep was able to analyse one of the repositories before GitHub removed it and concluded the release was more than a single worm — it contained a toolkit for executing supply-chain attacks across multiple registries and code-hosting services.
Three GitHub commit-search channels serve as command-and-control
SafeDep's report describes a behavioural shift: the Miasma worm runs entirely in GitHub and uses the platform's commit search as its command-and-control mechanism. The toolkit relies on three independent commit-search channels, each with a different search string and purpose. The channel called "DontRevokeOrItGoesBoom" searches for attacker-controlled personal access tokens (PATs) and exfiltrates credentials; those PATs are encrypted in the commit message using AES-256-CBC. "TheBeautifulSandsOfTime" delivers JavaScript for immediate command execution — the JavaScript is checked once at startup and, after validation, passed to eval() for runtime execution. A third channel, "firedalazer," delivers Python script URLs used by a persistent monitor. All three channels are unauthenticated by default, use GitHub’s public commit search API, and employ different validation or decryption keys, meaning compromise of one channel does not automatically expose the others.
Scale observed so far: Microsoft and Red Hat projects hit; 473 affected artifacts tracked
According to the reporting, Miasma first hit upwards of 100 open source projects associated with Red Hat and Microsoft before spreading to other victims. App-security firm Socket was tracking 473 affected package artifacts as of Tuesday. The public release of the toolkit follows a string of copycat package poisonings after an earlier worm was open sourced.
Precedent: TeamPCP, mini Shai‑Hulud and the risks of open-sourcing toolkits
The Miasma repository is described as an evolution of the "Mini Shai‑Hulud" toolkit attributed to TeamPCP, which was open sourced last month. TeamPCP had publicised a supply-chain attack contest on BreachForums at that time, and the mini Shai‑Hulud release led to copycat open source package poisonings. Rami McCarthy, principal threat researcher at Wiz, told The Register that Miasma was open-sourced on June 8 via four previously compromised users and that Wiz had already reversed the payload prior to the public release. "Since we had already reversed the payload, this public release isn't particularly useful for sophisticated defenders, and we haven't observed any opportunistic adoption of it yet," McCarthy said. He also warned that while open releases can muddy attribution, attackers often retain private forks and continue developing their own payloads, producing a trail of payload progression separate from the public code.
What this means for defenders, open-source maintainers, and adversaries
- Technologists and security teams: SafeDep noted a "key behavioural shift" away from traditional network-based C2 toward entirely platform-hosted operations, which reduces the visibility of network anomaly detection. Defenders will need to monitor application-level behaviour within GitHub, examine commit messages and searches for suspicious patterns, and treat commit search channels as potential C2 paths.
- Open-source maintainers (including affected Red Hat and Microsoft projects): The toolkit’s stated targets include public package registries — PyPI, npm and RubyGems — as well as GitHub Actions and JFrog Artifactory. Maintainers should be aware that previously compromised developer accounts were used to publish the open-source repositories and that commit messages may carry AES-256-CBC encrypted PATs.
- Adversaries and opportunistic attackers: The public release may assist less sophisticated actors but, according to Wiz, has not yet led to observed opportunistic weaponization. The open-source publication does, however, risk muddying attribution while parallel private development by attackers continues.
Conclusion: a platform-native worm changes the defensive calculus
The public release of Miasma's toolkit crystallises two trends documented by researchers: attackers are moving command, control and payload delivery onto code-hosting platforms, and the open-sourcing of toolkits can accelerate copycats even while experienced defenders may already have reversed the payload. SafeDep's observation that defenders "now have to operate closer to application protocol to identify behavioural anomaly instead of network based anomalies" underscores the operational shift. For now, defenders have observed the public code and trackers have catalogued hundreds of affected artifacts, but Wiz's assessment — that opportunistic adoption has not yet been seen — leaves a narrow window for mitigation before the toolkit, or private forks derived from it, are weaponised at scale.
Original reporting: The Register — Miasma supply-chain attack toolkit goes public on GitHub
