
Miasma Worm: Source Code Published on GitHub, Data Deletion Upon Detection


The Bottom Line: Miasma replicates autonomously across Git repositories and automatically deletes user data when its GitHub token is blocked, with the now-public source code expected to lead to further variants.

The source code of the Miasma worm has surfaced on GitHub after attackers compromised multiple developer accounts. The malware spreads autonomously through software repositories and automatically deletes user data when its GitHub token is blocked.

Security firm SafeDep has reported that the source code of the Miasma attack framework was deliberately published on GitHub in multiple directories labeled “Miasma-Open-Source-Release”. The attack was carried out through compromised software developer accounts. Miasma is a technical successor to the earlier Shai-Hulud worm and shares code sections and attack techniques with it. The framework has already been linked to attacks on npm packages from Red Hat and on 73 Microsoft repositories.

The malware uses an autonomous, worm-like self-replication mechanism: it infects developers' systems, reads build environments and cloud access credentials, and uses them immediately to compromise legitimate software repositories and packages. Publishing the manipulated versions infects downstream developers, so the cycle continues on its own. The source code shows that Miasma abuses GitHub itself as a command channel and needs no separate command-and-control infrastructure. The framework collects access credentials from cloud providers, CI/CD systems, password managers, Kubernetes environments, and secret stores in order to compromise packages on npm, PyPI, RubyGems, GitHub repositories, and JFrog Artifactory instances.

Particularly critical is a dead man’s switch built into the code: while the stolen GitHub token serves as the data channel, a component checks its validity every minute. If the owner or GitHub revokes the token, the malware automatically executes a destructive command that recursively deletes every file in the home directory and the documents folder. This monitoring service runs as a systemd user service on Linux and as a LaunchAgent on macOS, for up to 72 hours.
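One defender-side check that follows from this description, as an added example (not code from the article, from SafeDep, or from the Miasma source): it inspects the two persistence locations named above, systemd user services and macOS LaunchAgents, and flags entries that poll the GitHub API and contain a recursive delete of the home or documents directory, using a once-a-minute cadence as a supporting signal. The indicator regexes, the fixture unit files and plist, and the paths and labels in them are constructed for this example, not extracted from the real worm.

```python
import plistlib
import re
from dataclasses import dataclass, field

# Indicators derived from the behaviour described in the article, not from the
# real source code: a poll of the GitHub API and a recursive delete of the home
# or documents directory. Both patterns are assumptions for this example.
GITHUB_API_RE = re.compile(r"api\.github\.com", re.I)
WIPE_RE = re.compile(r"\brm\s+-(?:rf|fr|r)\b[^;&|\n]*(?:\$\{?HOME\}?|~/|/home/|/Users/|Documents)")
SPAN_RE = re.compile(r"^(\d+)\s*(s|sec|m|min)?$")


@dataclass
class Finding:
    path: str
    reasons: set = field(default_factory=set)

    def verdict(self) -> str:
        if {"polls-github-api", "recursive-delete-of-home"} <= self.reasons:
            return "high"      # the dead man's switch pattern itself
        if {"polls-github-api", "minute-level-cadence"} <= self.reasons:
            return "review"    # a legitimate notifier can look like this
        return "clean"


def parse_unit(text: str) -> dict:
    """Minimal systemd unit parser -> {section: {key: [values]}}; keys may repeat."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def span_seconds(value: str):
    """Parse a simple systemd time span ('60', '60s', '1min'); None if unrecognised."""
    m = SPAN_RE.match(value.strip())
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2) or "s"
    return n * 60 if unit in ("m", "min") else n


def check_command(f: Finding, command: str) -> None:
    """Apply the command-line indicators to an ExecStart/ProgramArguments string."""
    if GITHUB_API_RE.search(command):
        f.reasons.add("polls-github-api")
    if WIPE_RE.search(command):
        f.reasons.add("recursive-delete-of-home")


def analyze_systemd(path: str, service_text: str, timer_text: str = "") -> Finding:
    """Inspect a user .service from ~/.config/systemd/user plus its optional .timer."""
    f = Finding(path)
    svc = parse_unit(service_text).get("Service", {})
    for cmd in svc.get("ExecStart", []):
        check_command(f, cmd)
    timer = parse_unit(timer_text).get("Timer", {})
    # Restart=always with a short RestartSec, or a timer firing every minute,
    # both yield the once-a-minute validity check the article describes.
    for v in svc.get("RestartSec", []) + timer.get("OnUnitActiveSec", []):
        s = span_seconds(v)
        if s is not None and s <= 60:
            f.reasons.add("minute-level-cadence")
    return f


def analyze_launchagent(path: str, plist_bytes: bytes) -> Finding:
    """Inspect a LaunchAgent plist from ~/Library/LaunchAgents."""
    f = Finding(path)
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    check_command(f, " ".join(str(a) for a in args))
    if isinstance(plist.get("StartInterval"), int) and plist["StartInterval"] <= 60:
        f.reasons.add("minute-level-cadence")
    return f


# Constructed fixtures (not real Miasma artefacts): a token-check-or-wipe loop,
# an hourly backup job, and a benign notifier that polls the GitHub API.
SUSPECT_SERVICE = (
    "[Service]\nRestart=always\nRestartSec=60\n"
    "ExecStart=/bin/sh -c 'curl -sf -H \"Authorization: Bearer $GH_TOKEN\" "
    "https://api.github.com/user || rm -rf \"$HOME\"/Documents'\n"
)
SUSPECT_TIMER = "[Timer]\nOnUnitActiveSec=1min\n"
BACKUP_SERVICE = "[Service]\nExecStart=/usr/bin/rsync -a /home/dev/Documents /mnt/backup/\n"
NOTIFIER_AGENT = plistlib.dumps({
    "Label": "com.example.gh-notify",
    "ProgramArguments": ["/usr/local/bin/gh-notify", "https://api.github.com/notifications"],
    "StartInterval": 60,
})


def scan_fixtures() -> dict:
    """Run the checks over the constructed fixtures; returns {path: verdict}."""
    findings = [
        analyze_systemd("~/.config/systemd/user/sync-helper.service", SUSPECT_SERVICE, SUSPECT_TIMER),
        analyze_systemd("~/.config/systemd/user/backup.service", BACKUP_SERVICE),
        analyze_launchagent("~/Library/LaunchAgents/com.example.gh-notify.plist", NOTIFIER_AGENT),
    ]
    return {f.path: f.verdict() for f in findings}
```

On a real workstation, feed `analyze_systemd` every `*.service` (with its sibling `.timer`) under `~/.config/systemd/user` and `analyze_launchagent` every `*.plist` under `~/Library/LaunchAgents`, and also pass the contents of any script that `ExecStart` or `ProgramArguments` points at through `check_command`, because the minute loop may live in that script rather than in the unit. Since revoking the token is what triggers the wipe, this kind of check and a backup of the host belong before the token is revoked, not after.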

The source code reveals a five-stage build pipeline that generates a unique payload on each compilation. The process combines AES-256-GCM encryption with random string obfuscation, source code transformations, JavaScript obfuscation, and a self-extracting loader. Because each build is generated dynamically, every file differs structurally from earlier versions, which hampers signature-based detection by security systems. Security experts expect the publication of the code to lead to numerous modified variants.


Source: www.it-daily.net · Published 16 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
