Miasma supply-chain malware activity
Malware Activity
Summary
The Miasma malware activity is enabling supply-chain compromise by stealing build environment and cloud credentials, then using them to poison legitimate packages and infect downstream developers. The framework’s self-propagating design can turn one compromised developer machine into repeated infections across npm, PyPI, and RubyGems ecosystems. Its reuse of GitHub for control and abuse of package publishing paths raises the risk of rapid spread and harder-to-block follow-on attacks.
Related Happenings
Miasma source code leak on GitHub
Data Leak
H score 32
First: 10.06.2026 23:27
Last: 10.06.2026 23:27
Sources 1
How related:
Researchers at SafeDep reported yesterday that the Miasma source code was leaked on GitHub via numerous compromised developer accounts.
About this happening:
The **Miasma source code** was **briefly leaked on GitHub**, exposing malware framework code that could be copied, studied, and modified by other threat actors. The exposure repor...
GitHub npm v12 hardens install-time dependency execution and source resolution
Security Tool/Service
H score 11
First: 10.06.2026 22:41
Last: 10.06.2026 22:41
Sources 1
About this happening:
**GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...
Shai-Hulud PyPI supply-chain malware activity
Malware Activity
H score 22
First: 08.06.2026 23:41
Last: 08.06.2026 23:41
Sources 1
About this happening:
The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
Campaign
H score 83
First: 06.06.2026 09:58
Last: 06.06.2026 09:58
Sources 1
How related:
The malware has previously been linked to high-profile attacks against Red Hat npm packages and, more recently, 73 Microsoft repositories on GitHub.
About this happening:
The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score 15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Timeline
- 10.06.2026 23:27 · 2 articles · 22h ago
SafeDep reports Miasma source code leak on GitHub
Initial Disclosure
SafeDep reported that the Miasma credential-stealing framework was leaked on GitHub via numerous compromised developer accounts, with the source posted in a repository named "Miasma-Open-Source-Release." Analysis of the leaked code shows Miasma uses GitHub as its control channel without separate C2 infrastructure, steals cloud and CI/CD credentials, compromises npm, PyPI, RubyGems, GitHub repositories, Actions workflows, and JFrog Artifactory instances, and can move laterally through SSH and AWS Systems Manager (SSM) while poisoning AI coding tools such as Claude, Gemini, Cursor, Copilot, Kiro, and Cline.
Sources:
- The ‘Miasma’ worm source code briefly leaked on GitHub — www.bleepingcomputer.com — 10.06.2026 23:27