Miasma — Self-Replicating Supply-Chain Attack Toolkit Open-Sourced via Compromised Accounts
AI relevance: The Miasma toolkit is a modular supply-chain weapon that specifically targets AI coding agents and package registries — its public release lowers the barrier for any threat actor to weaponize AI developer tooling against the open-source ecosystem, and its self-replicating design ensures exponential spread through developer workflows.
What happened
- June 8, 2026 — Four previously compromised GitHub accounts published repositories named "Miasma-Open-Source-Release," releasing the full source code of the Miasma self-replicating supply-chain attack toolkit, as reported by The Register and SafeDep.
- SafeDep analyzed the toolkit and found it is far more than a worm — it's a modular attack platform targeting PyPI, npm, RubyGems, JFrog Artifactory, GitHub repositories, GitHub Actions, AI coding tool configuration, and SSH-based lateral movement.
- Miasma is an evolved variant of Mini Shai-Hulud, whose source code was previously open-sourced by TeamPCP in mid-May 2026, sparking copycat campaigns across the npm ecosystem.
- The toolkit's self-replicating loop is critical: each compromised account leaks fresh credentials into public commits, which are then harvested to infect the next victim — meaning infection scale grows with the developer ecosystem, not attacker effort.
- Both Mini Shai-Hulud and Miasma run entirely through GitHub — no custom C2 infrastructure required — using stolen Personal Access Tokens routed across three distinct command channels, making traditional network-based detection ineffective.
- Wiz threat researcher Rami McCarthy noted that while the open-source release hasn't yet triggered opportunistic adoption, the pattern mirrors what happened after Mini Shai-Hulud was published: attackers eventually develop private forks, creating clear payload progression chains to track.
- Socket has tracked 473 affected package artifacts across the Miasma campaign to date, including high-profile victims like Vapi.ai SDK (408K monthly downloads) and Red Hat Cloud Services.
Why it matters
The public release of Miasma represents a dangerous inflection point in AI supply-chain security. Unlike traditional malware that requires dedicated operator infrastructure, Miasma's self-spreading design means it can operate autonomously once seeded. The toolkit's explicit targeting of AI coding agents (Claude Code, Cursor, VS Code auto-run hooks) means every developer who uses AI tooling is now on the attack surface. The fact that the worm hides its C2 communications within normal GitHub API traffic means existing network security tools provide no protection. For organizations running AI coding agents at scale, this is a supply-chain risk that operates entirely within trusted developer workflows.
What to do
- Audit GitHub Personal Access Tokens — rotate any tokens with write access to public repositories, especially those held by CI/CD service accounts.
- Disable auto-run hooks in AI coding agents (Claude Code SessionStart hooks, Cursor alwaysApply rules, VS Code folderOpen tasks) on unfamiliar repos until reviewed.
- Enable package registry provenance checks — use PyPI's provenance verification, npm's Sigstore integration, or private registries with integrity validation.
- Monitor for suspicious commit patterns — backdated commits, commits from service accounts, and commits titled "chore: update dependencies" with large binary payloads.
- Segment AI coding agent credentials — don't use the same tokens for AI agent workflows that also have access to package publishing or infrastructure deployment.
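As a way to carry out the auto-run hook review recommended above before opening an unfamiliar checkout in an AI coding tool, the following added example (not code from the page, SafeDep, or any of the tools named) lists the three kinds of auto-run configuration the page mentions. The file locations `.claude/settings.json`, `.claude/settings.local.json`, `.vscode/tasks.json` and `.cursor/rules/*.mdc` are assumptions based on those tools' usual project layouts, and the function names and sample files are constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path

def _read(path):
    """Return (text, parsed JSON or None); a missing file reads as empty text."""
    text = path.read_text(encoding="utf-8", errors="replace") if path.is_file() else ""
    try:
        return text, json.loads(text)
    except ValueError:  # JSONC (comments), malformed or empty: fall back to text matching
        return text, None

def find_autorun(repo):
    """Return sorted (relative path, reason) pairs for auto-run config in a checkout."""
    repo, hits = Path(repo), []
    for name in ("settings.json", "settings.local.json"):  # Claude Code project settings
        text, cfg = _read(repo / ".claude" / name)
        hooks = cfg.get("hooks") if isinstance(cfg, dict) else None
        parsed = isinstance(hooks, dict) and bool(hooks.get("SessionStart"))
        if parsed or (cfg is None and '"SessionStart"' in text):
            hits.append((f".claude/{name}", "Claude Code SessionStart hook"))
    text, cfg = _read(repo / ".vscode" / "tasks.json")  # VS Code workspace tasks
    tasks = cfg.get("tasks") if isinstance(cfg, dict) else None
    parsed = any(isinstance(t, dict) and isinstance(t.get("runOptions"), dict)
                 and t["runOptions"].get("runOn") == "folderOpen"
                 for t in (tasks if isinstance(tasks, list) else []))
    if parsed or (cfg is None and re.search(r'"runOn"\s*:\s*"folderOpen"', text)):
        hits.append((".vscode/tasks.json", "VS Code folderOpen task"))
    for p in sorted((repo / ".cursor" / "rules").rglob("*.mdc")):  # Cursor project rules
        parts = p.read_text(encoding="utf-8", errors="replace").split("---", 2)
        front = parts[1] if len(parts) == 3 and not parts[0].strip() else ""
        if re.search(r"^alwaysApply:\s*true\s*$", front, re.M):
            hits.append((p.relative_to(repo).as_posix(), "Cursor alwaysApply rule"))
    return sorted(hits)

def build_sample(root):
    files = {  # constructed sample checkout: three auto-run configs, one benign rule
        ".claude/settings.json": '{"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "echo constructed"}]}]}}',
        ".vscode/tasks.json": '{\n  // constructed JSONC\n  "tasks": [{"label": "x", "runOptions": {"runOn": "folderOpen"}}]\n}',
        ".cursor/rules/style.mdc": "---\nalwaysApply: true\n---\nConstructed rule body.\n",
        ".cursor/rules/docs.mdc": "---\nalwaysApply: false\n---\nConstructed benign rule.\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(*find_autorun(build_sample(d)), sep="\n")
```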