Miasma Malware Source Code Leaks on GitHub After Supply Chain Attacks



The source code for the Miasma credential-stealing framework briefly appeared on GitHub after being uploaded through multiple compromised developer accounts. Security researchers warn that the leak could help other threat actors adopt, modify, and improve the malware, potentially leading to more software supply-chain attacks.

Miasma has recently been linked to several attacks targeting open-source ecosystems and is considered an evolution of the earlier Shai-Hulud worm. The framework focuses on stealing developer, cloud, and build-system credentials before abusing them to compromise legitimate repositories and software packages.

According to SafeDep researchers, the leaked source code appeared in repositories named “Miasma-Open-Source-Release” across multiple compromised GitHub accounts. Researchers believe the publication was likely intentional rather than accidental, mirroring the previous public release of Shai-Hulud’s source code.

Miasma turns stolen credentials into supply-chain compromises

Miasma infects developer machines and harvests credentials from a wide range of services and platforms. Once attackers obtain those credentials, they can compromise legitimate repositories, publish malicious package updates, and spread malware to downstream developers and organizations.

The framework is capable of targeting:

  • Cloud provider credentials
  • CI/CD environments
  • Password managers
  • Kubernetes environments
  • Secret management systems
  • GitHub repositories and GitHub Actions workflows
  • JFrog Artifactory instances
  • npm, PyPI, and RubyGems packages

Researchers say Miasma has also been linked to the recent compromise that affected 73 Microsoft repositories hosted on GitHub. By abusing trusted software distribution channels, attackers can quickly transform a single compromised developer account into a much larger supply-chain incident.

GitHub serves as both control channel and data exfiltration platform

One of the more unusual aspects of Miasma is that it does not rely on traditional command-and-control infrastructure. Instead, the framework uses GitHub itself as both a control mechanism and an exfiltration channel.

This approach allows attackers to blend malicious activity into normal developer workflows while reducing the need for dedicated attacker-controlled infrastructure.

The malware can also move laterally through environments using SSH and AWS Systems Manager. Researchers found that Miasma is capable of poisoning configuration files used by several AI coding assistants, including Claude, Gemini, Cursor, Copilot, Kiro, and Cline.

Leaked code reveals destructive dead-man switch

One of the most concerning discoveries in the leaked source code is a built-in “dead-man switch.”

When the malware uses a victim’s stolen GitHub token as its exfiltration channel, a monitoring component checks once a minute whether that token is still valid.

If the token is revoked, the component runs destructive commands that delete files from the victim’s home directory and Documents folder.

The persistence mechanism depends on the operating system: on Linux the component is installed as a systemd user service, on macOS as a LaunchAgent. Researchers also found that it can stay active for up to 72 hours.

The feature appears designed to punish victims who revoke compromised credentials while destroying potential forensic evidence at the same time. For responders this dictates the order of operations: the persistence unit has to be found and removed, or the host isolated, before the token is revoked.

Advanced build pipeline creates unique malware samples

SafeDep’s analysis also uncovered a sophisticated five-stage build pipeline used to generate unique malware payloads.

The process includes per-file AES-256-GCM encryption for embedded assets, randomized string obfuscation, source code transformations, JavaScript obfuscation, and a self-extracting loader.

Researchers said the final payload is wrapped in three separate layers of encryption. Random keys and randomized encoding ensure that each build differs from previous versions.

This makes signature-based detection significantly more difficult and complicates static malware analysis.

Open-source ecosystems remain under pressure

The public release of Miasma’s source code could increase risks across the open-source ecosystem as additional threat actors gain access to the framework’s techniques and capabilities.

The incident highlights the growing threat posed by software supply-chain attacks, which increasingly target developers and package maintainers rather than end users directly. Recent incidents include the TanStack supply-chain attack, which GitHub linked to an internal repository breach.

The growing wave of attacks is also one reason why GitHub is preparing major security changes in npm v12. The upcoming release will require explicit approval before installation scripts execute and will introduce stricter controls for non-registry dependencies in an effort to reduce supply-chain attack risks.

Via BleepingComputer

