Critical Miasma Worm Campaign Targets Microsoft and Red Hat in Expanding Supply Chain Attack Wave
- Jun 6
- 4 min read
Key Findings
Miasma worm infected 73 Microsoft GitHub repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations, forcing GitHub to disable access
Attack represents re-compromise of previously infected "durabletask" PyPI package, suggesting threat actors maintained persistent access for over a month
Miasma operates as self-replicating malware variant of Mini Shai-Hulud worm, exploiting the trust model of package registries rather than technical vulnerabilities
Threat actors bypassed security monitoring using "Phantom Gyp" technique, executing code through binding.gyp files instead of traditional install scripts
Malware targets AI coding assistant configurations, developer credentials across 86 environment variables, and CI/CD systems including GitHub Actions workflows
Related IronWorm campaign compromised 50+ npm packages using a Rust-based information stealer with kernel-level rootkit capabilities
Background
The software supply chain has become increasingly vulnerable to coordinated attack campaigns that exploit the fundamental trust assumptions underlying open-source ecosystems. These attacks represent a significant escalation in sophistication, moving beyond individual package compromises to orchestrated, multi-stage operations that can span entire organizational repositories. The latest incidents demonstrate threat actors' ability to maintain persistent access and leverage stolen credentials to propagate malware across interconnected projects and platforms.
The Microsoft GitHub Compromise
Microsoft's GitHub repositories fell victim to the Miasma worm campaign, with 73 repositories across four major organizations targeted simultaneously. The affected repositories span critical projects including Azure Functions, Durable Task implementations across multiple languages, and documentation repositories. GitHub responded by disabling access to compromised repositories, displaying an automated message stating the repositories violated terms of service.
Security researcher Paul McCarty noted the significance of this re-compromise, observing that the "durabletask" repository at the center of the May incident was compromised again along with every related implementation in the Durable Task ecosystem. This pattern suggests the original credential theft from a month prior was never fully remediated, with threat actors maintaining persistent access throughout the intervening period.
How Miasma Operates
Miasma functions as a self-replicating worm that exploits the trust mechanisms built into open-source package registries and GitHub. Rather than exploiting technical vulnerabilities in npm or GitHub, the malware compromises maintainer credentials and developer machines, then performs actions indistinguishable from legitimate publishing activities. From the registry's perspective, each malicious publish event appears as a routine update from an authenticated maintainer.
The worm uses stolen developer credentials as a propagation vector, replicating the approach that made the original Shai-Hulud worm particularly dangerous. Once it compromises a developer machine, it extracts credentials and uses them to access downstream repositories and projects, repeating the infection cycle exponentially across the ecosystem.
Novel Attack Techniques
The latest Miasma variant employs innovative evasion techniques that circumvent traditional security monitoring. Researchers identified "Phantom Gyp" as a key advancement, where threat actors abuse 157-byte binding.gyp configuration files to trigger code execution during npm installation. This approach bypasses most install-script security checks that monitor preinstall and postinstall hooks, representing a meaningful evolution in the attackers' methodology.
The malware payload includes a 4.3 MB runner that executes automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and npm test scripts. When developers clone infected repositories and open them in AI coding agents, the attack detonates automatically.
Credential Harvesting and Exfiltration
The malware targets an extensive range of developer secrets and credentials, focusing on 86 environment variables and configuration files containing keys for major cloud providers and development platforms. Stolen credentials include those for OpenAI Codex, Anthropic Claude, Google Gemini, Cursor, AWS, Docker, Kubernetes, npm, GitHub, PyPI, RubyGems, SSH, password managers, and cryptocurrency wallets.
A particularly concerning capability involves targeting AI coding assistant configurations, with malware injecting persistent backdoor files into project repositories that execute whenever developers open affected projects in these tools. This directly exploits the growing integration of AI development tools into modern software development workflows.
CI/CD Pipeline Exploitation
The attack chain demonstrates sophisticated understanding of continuous integration and continuous deployment processes. Malware abuses npm's Trusted Publishing flow to obtain short-lived tokens, enabling threat actors to push poisoned versions to the registry without requiring external command-and-control infrastructure. Modified GitHub Actions workflows harvest secrets and write them to seemingly innocuous build artifacts, eliminating detection through network monitoring.
An associated IronWorm campaign incorporates eBPF payloads functioning as kernel-level rootkits, capable of hiding processes and evading analysis tools. However, the rootkit's process-hiding tricks fail on systems with kernel lockdown enabled, causing malicious activity to become visible.
Scope and Scale
The Miasma campaign has grown to unprecedented scale across multiple coordinated waves. Red Hat npm packages under the @redhat-cloud-services namespace were compromised across 90+ versions within 72 seconds. A separate wave infected 57 npm packages across 286 malicious versions. The repositories staged for credential exfiltration number in the hundreds, with 236 repositories identified in one exfiltration account alone before the account became inaccessible.
Threat actors used varying descriptions for newly-created public repositories containing stolen secrets, including "Miasma: The Spreading Blight" and "Hades - The End for the Damned," with 82 repositories using Miasma-related naming patterns and 13 using the Hades variant.
Implications for the Open Source Ecosystem
These campaigns expose fundamental weaknesses in the trust models underlying software delivery. The attackers' ability to operate entirely within legitimate channels represents a significant departure from traditional supply chain attacks that relied on exploiting technical vulnerabilities. The exponential propagation capability, where each compromised downstream user becomes a vector for further infection, makes these campaigns exceptionally difficult to contain.
The sophistication demonstrated suggests sustained, well-resourced threat actors with deep understanding of modern development workflows, cloud infrastructure, and emerging AI development tools. The targeting of AI coding assistants indicates these actors are actively tracking and adapting to the latest technological trends in software development, ensuring their attack methods remain relevant as development practices evolve.
Sources
https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html
https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html
https://x.com/TheHackersNews/status/2063153665553359120
https://www.reddit.com/r/SecOpsDaily/comments/1tu2b1n/miasma_supply_chain_attack_compromises_red_hat

Comments