1. Executive summary
The source code for 'Miasma', a credential-stealing supply chain worm previously targeting Red Hat and Microsoft ecosystems, was deliberately published on GitHub via compromised developer accounts under the repository name "Miasma-Open-Source-Release." This toolkit automates the theft of cloud credentials (AWS, Azure, GCP), CI/CD secrets, and SSH keys to propagate laterally and poison package registries (npm, PyPI, RubyGems) and GitHub Actions workflows. While the leak itself does not confirm new active campaigns, it significantly lowers the barrier to entry for opportunistic actors to replicate the "self-spreading" attack chain observed in recent high-profile incidents. EMEA financial services relying on open-source dependencies or maintaining internal CI/CD pipelines face an elevated risk of supply chain compromise and credential exfiltration if developer environments are not strictly isolated.
2. Regulatory framing
| Regulation | Article | Practical Impact for Financial Entities |
|---|---|---|
| DORA | Art. 9 | Protection & Prevention: Requires ICT security policies and tools that preserve the integrity of the software supply chain (npm, PyPI) and of the CI/CD pipelines used to build critical applications, including isolation of build environments from production credentials. |
| DORA | Art. 10 | Detection: Mandates mechanisms to promptly detect anomalous activity, here monitoring of development environments for suspicious process chains (e.g., node spawning bun followed by obfuscated scripts) and unexpected GitHub API traffic used for C2. |
| DORA | Art. 19 | Reporting: If the leak leads to a compromise classified as a major ICT-related incident, the initial notification is due within 4 hours of classification and no later than 24 hours after the entity becomes aware of it, followed by intermediate and final reports. |
| DORA | Art. 28-30 | ICT Third-Party Risk: Requires review of the risk-management and contractual arrangements with providers whose software or hosted build services are affected, including open-source dependencies and managed CI/CD. |
| NIS2 | Art. 21(2)(d) | Supply Chain Security: Explicitly requires measures to address risks in the supply chain and software development lifecycle, directly applicable to the ingestion of poisoned packages or compromised build agents. |
| NIS2 | Art. 21(2)(b) | Incident Handling: Obligates entities to have procedures in place to handle supply chain security incidents, including the rapid revocation of exposed credentials and isolation of affected build systems. |
| NIS2 | Art. 23 | Reporting: A significant incident requires an early warning within 24 hours and an incident notification within 72 hours of becoming aware of it. |
3. Technical analysis & attack chain
The Miasma framework operates as a self-replicating supply chain worm that leverages stolen credentials to compromise development environments and package registries. The recent leak exposes the full toolkit, confirming the following attack chain based on reverse engineering of the leaked code and analysis of prior infections:
- Initial Access: The attack initiates via a trojanized package (npm, PyPI, or RubyGems) or a compromised GitHub repository. In observed campaigns (e.g., `@redhat-cloud-services`), the vector was a malicious `preinstall` hook in `package.json`, executed automatically during `npm install`.
- Dropper Execution: The hook runs a 4.29 MB heavily obfuscated JavaScript dropper (`index.js`). The script uses multi-layer obfuscation:
  - Layer 1: Character-code array reconstruction and ROT-XX (Caesar) transformation.
  - Layer 2: Dynamic execution via `eval()`.
  - Layer 3: AES-128-GCM decryption of embedded blobs.
- Runtime Environment Abuse: The payload downloads the legitimate Bun JavaScript runtime (dynamic binary fetch) to execute the secondary payload. This creates an evasion-friendly process chain, `node` → shell → `bun` → payload, which bypasses monitors that only watch Node.js and rules that only inspect the direct parent process.
- Credential Harvesting: The core module scans for and exfiltrates secrets from:
  - Cloud Providers: AWS, Azure, GCP.
  - Secrets Managers: HashiCorp Vault, Kubernetes secrets.
  - Developer Tools: SSH keys, CLI credentials, browser data, crypto wallets.
  - CI/CD: Scrapes memory of GitHub Actions runners.
- Command & Control (C2): Miasma uses the GitHub Commit Search API as a serverless C2 channel, requiring no attacker-owned infrastructure. It polls three specific search strings:
  - `DontRevokeOrItGoesBoom`: Retrieves AES-256-CBC encrypted Personal Access Tokens (PATs) from commit messages.
  - `TheBeautifulSandsOfTime`: Fetches JavaScript commands for immediate execution (passed to `eval()`).
  - `firedalazer`: Retrieves URLs for persistent monitor scripts.
- Lateral Movement & Propagation: Using stolen credentials, the worm:
  - Commits malicious code to accessible GitHub repositories.
  - Publishes poisoned packages to npm, PyPI, RubyGems, and JFrog Artifactory.
  - Moves laterally via SSH and AWS Systems Manager (SSM).
  - Poisons configurations for AI coding assistants (Claude, Gemini, Cursor, Copilot, Kiro, Cline).
- Destructive Capability (Dead-Man Switch): If the stolen GitHub token used for exfiltration is revoked, a monitor service (systemd user service on Linux, LaunchAgent on macOS) detects the invalidation and executes `rm -rf ~/` and `rm -rf ~/Documents` to destroy the host environment. This monitor persists for up to 72 hours, so token revocation on a still-infected host triggers the wipe.
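The initial-access and dropper stages above reduce to one observable: a lifecycle hook in `package.json` whose target file carries obfuscation traits. The scanner below is an added example (not code from the advisory or from the Miasma toolkit) that walks a `node_modules`-style tree, reports every `preinstall`/`install`/`postinstall` hook, and scores the hook's target for the traits the analysis lists: unusual size, high entropy, `eval()`, character-code reconstruction, a Bun download and embedded AES decryption. The sample tree, the thresholds, the trait regexes and the package names are assumptions chosen for illustration.

```python
"""Scan a node_modules-style tree for install-time lifecycle hooks and dropper traits.

Added example, not from the advisory or the Miasma code. Thresholds, trait
regexes and the constructed sample tree are assumptions.
"""
import json
import math
import os
import re
import tempfile
from collections import Counter

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
SIZE_THRESHOLD = 1_000_000      # bytes; the reported dropper was 4.29 MB
ENTROPY_THRESHOLD = 6.0         # bits/byte; minified JS sits around 5, packed blobs near 8

# Each regex that matches the hook's target file adds one trait to the score.
TRAITS = {
    "eval": re.compile(r"\beval\s*\("),
    "charcode": re.compile(r"String\.fromCharCode|charCodeAt"),
    "bun_runtime": re.compile(r"bun\.sh|oven-sh/bun|\bbun\b", re.I),
    "aes_decrypt": re.compile(r"createDecipheriv|aes-\d+-(?:gcm|cbc)", re.I),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; encrypted or packed content approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def script_target(pkg_dir: str, script: str):
    """Resolve a hook such as 'node index.js' to a file inside the package."""
    for token in script.split():
        if token.endswith((".js", ".mjs", ".cjs")):
            path = os.path.join(pkg_dir, token)
            if os.path.isfile(path):
                return path
    return None


def analyze_package(pkg_dir: str) -> list:
    """Return one finding per lifecycle hook registered in this package."""
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            pkg = json.load(fh)
    except (OSError, ValueError):
        return []                      # unreadable or malformed manifest
    findings = []
    for hook, script in (pkg.get("scripts") or {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        finding = {"package": pkg.get("name", "?"), "hook": hook,
                   "script": script, "traits": [], "score": 1}
        target = script_target(pkg_dir, script)
        if target:
            with open(target, "rb") as fh:
                data = fh.read()
            finding["file"] = os.path.basename(target)
            finding["size"] = len(data)
            if len(data) > SIZE_THRESHOLD:
                finding["traits"].append("large")
            if shannon_entropy(data) > ENTROPY_THRESHOLD:
                finding["traits"].append("high_entropy")
            text = data.decode("utf-8", errors="ignore")
            finding["traits"] += [name for name, rx in TRAITS.items() if rx.search(text)]
        finding["score"] += len(finding["traits"])
        findings.append(finding)
    return findings


def scan_tree(root: str) -> list:
    """Walk root and return all findings, highest score first."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            results.extend(analyze_package(dirpath))
    return sorted(results, key=lambda f: -f["score"])


def build_sample_tree() -> str:
    """Constructed fixture: one benign package and one registering a preinstall hook."""
    root = tempfile.mkdtemp(prefix="hook-scan-")
    benign = os.path.join(root, "node_modules", "left-pad-clone")
    os.makedirs(benign)
    with open(os.path.join(benign, "package.json"), "w") as fh:
        json.dump({"name": "left-pad-clone", "version": "1.0.0",
                   "scripts": {"test": "node test.js"}}, fh)
    bad = os.path.join(root, "node_modules", "@example", "suspicious-pkg")
    os.makedirs(bad)
    with open(os.path.join(bad, "package.json"), "w") as fh:
        json.dump({"name": "@example/suspicious-pkg", "version": "9.9.9",
                   "scripts": {"preinstall": "node index.js"}}, fh)
    with open(os.path.join(bad, "index.js"), "w") as fh:
        # Fixture text that merely exhibits the traits; it is not a working dropper.
        fh.write("const k=[104,116,116,112,115];"
                 "const s=k.map(c=>String.fromCharCode(c)).join('');"
                 "eval(s);fetch('https://bun.sh/install');"
                 "crypto.createDecipheriv('aes-128-gcm', key, iv);\n")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Run it against a checked-out repository or a CI workspace after `npm ci`; any hook with a score above 2 deserves a human look before the build proceeds. As a preventive control, `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops lifecycle hooks from running at all; packages that legitimately need an install step (native builds) can then be allow-listed and run explicitly.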
Unconfirmed Claims: While the source code leak suggests potential for "copycat" variants similar to the Shai-Hulud evolution, Wiz researchers note no observed opportunistic adoption of the leaked toolkit yet. Attribution remains unclear; the leak appears deliberate by actors using compromised accounts, mimicking previous "open source" releases by groups like TeamPCP.
4. Mitigation & containment
P1: Immediate (Within 24h)
- Credential Revocation: Force rotation of all GitHub Personal Access Tokens (PATs), SSH keys, and cloud credentials (AWS/Azure/GCP) associated with development teams and CI/CD runners. Assume any token active in the last 30 days is compromised. Because revoking the exfiltration token triggers the dead-man switch, isolate or snapshot affected developer hosts and remove the monitor service before revocation, not after.
- Pipeline Isolation: Quarantine CI/CD runners (GitHub Actions, self-hosted agents) that have executed builds for `@redhat-cloud-services` or any package with recent, unexplained version bumps.
- Block C2 Channels: Implement network controls to block or strictly monitor outbound traffic from build agents to `api.github.com`, specifically requests with non-standard user agents or excessive calls to the Commit Search API (`/search/commits`). A blanket block breaks legitimate builds; prefer an egress proxy that logs and rate-limits the search endpoints.
- Dependency Pinning: Freeze `package.json` (together with its lockfile), `requirements.txt`, and `Gemfile` dependencies to known-good versions. Disable auto-updates for critical packages.
P2: Short-term (Within 72h)
- Process Monitoring: Deploy EDR rules to detect the specific process chain: `node` spawning `bun` (directly or via an intermediate shell), followed by high-entropy script execution or network calls to the GitHub API from non-developer processes.
- Service Inspection: Audit Linux systems for suspicious `systemd` user services and macOS hosts for `LaunchAgent` plists that reference unknown scripts or check token validity via curl/wget.
- AI Tool Hygiene: Review configuration files for AI coding assistants (Cursor, Copilot, etc.) in developer home directories for unauthorized endpoint modifications or injected prompts.
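The Service Inspection step above is mechanical enough to script. The audit below is an added example (not tooling from the advisory or the Miasma code): it reads every systemd unit and launchd plist in the given directories, extracts the command lines they run, and flags the monitor pattern described in section 3, a curl/wget probe of a GitHub token combined with a destructive `rm -rf` on the home directory, as well as any service whose executable lives outside the usual system locations. The directory list, the known-path prefixes, the scoring and the constructed sample units are assumptions.

```python
"""Audit systemd user units and macOS LaunchAgents for a token-watching dead-man switch.

Added example, not from the advisory or the Miasma code. Directory list,
known-path prefixes and the constructed sample files are assumptions.
"""
import os
import plistlib
import re
import shlex
import tempfile

UNIT_DIRS = ["~/.config/systemd/user", "/etc/systemd/user"]
AGENT_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents"]
KNOWN_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/opt/", "/System/", "/Library/Apple/")

RX_TOKEN_PROBE = re.compile(
    r"(?:curl|wget)[^\n]*(?:api\.github\.com|Authorization:\s*(?:token|Bearer))", re.I)
RX_HOME_WIPE = re.compile(r"rm\s+-rf\s+(?:~|\$HOME|/home/\S+|/Users/\S+)")


def parse_unit(text: str) -> list:
    """Collect Exec* command lines from a systemd unit (INI-like, keys may repeat)."""
    cmds = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith("Exec"):
            cmds.append(value.strip())
    return cmds


def parse_agent(data: bytes) -> list:
    """Collect the program line from a launchd plist (ProgramArguments or Program)."""
    plist = plistlib.loads(data)
    cmds = []
    if plist.get("ProgramArguments"):
        cmds.append(" ".join(plist["ProgramArguments"]))
    if plist.get("Program"):
        cmds.append(plist["Program"])
    return cmds


def assess(cmds: list) -> list:
    """Reasons a set of command lines resembles the monitor service; empty means clean."""
    reasons = []
    joined = "\n".join(cmds)
    if RX_TOKEN_PROBE.search(joined):
        reasons.append("token_probe")
    if RX_HOME_WIPE.search(joined):
        reasons.append("home_wipe")
    for cmd in cmds:
        try:
            argv = shlex.split(cmd)
        except ValueError:
            argv = cmd.split()
        # The first absolute path is the executable; outside known prefixes it is suspect.
        for tok in argv:
            if tok.startswith("/"):
                if not tok.startswith(KNOWN_PREFIXES):
                    reasons.append("unknown_path:" + tok)
                break
    return reasons


def audit_dirs(unit_dirs=UNIT_DIRS, agent_dirs=AGENT_DIRS) -> list:
    """Return one hit per unit or agent that has at least one reason."""
    hits = []
    for kind, dirs, suffix in (("systemd", unit_dirs, ".service"), ("launchd", agent_dirs, ".plist")):
        for d in dirs:
            d = os.path.expanduser(d)
            if not os.path.isdir(d):
                continue
            for name in sorted(os.listdir(d)):
                if not name.endswith(suffix):
                    continue
                path = os.path.join(d, name)
                try:
                    with open(path, "rb") as fh:
                        raw = fh.read()
                    cmds = parse_agent(raw) if kind == "launchd" else parse_unit(raw.decode("utf-8", "ignore"))
                except Exception as exc:      # malformed files are reported, not skipped
                    hits.append({"name": name, "path": path, "kind": kind,
                                 "reasons": ["unparseable:" + exc.__class__.__name__]})
                    continue
                reasons = assess(cmds)
                if reasons:
                    hits.append({"name": name, "path": path, "kind": kind, "reasons": reasons})
    return hits


def build_sample_dirs():
    """Constructed fixtures: a benign and a suspicious unit, a benign and a suspicious agent."""
    root = tempfile.mkdtemp(prefix="svc-audit-")
    ud, ad = os.path.join(root, "units"), os.path.join(root, "agents")
    os.makedirs(ud)
    os.makedirs(ad)
    with open(os.path.join(ud, "syncthing.service"), "w") as fh:
        fh.write("[Service]\nExecStart=/usr/bin/syncthing serve --no-browser\n")
    with open(os.path.join(ud, "sync-helper.service"), "w") as fh:   # mimics the described monitor
        fh.write("[Unit]\nDescription=Sync helper\n[Service]\n"
                 "ExecStart=/bin/sh -c 'while :; do curl -fs -H \"Authorization: token ghp_EXAMPLE\" "
                 "https://api.github.com/user >/dev/null || { rm -rf ~/; rm -rf ~/Documents; }; "
                 "sleep 300; done'\nRestart=always\n[Install]\nWantedBy=default.target\n")
    with open(os.path.join(ad, "com.example.backup.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.backup",
                       "ProgramArguments": ["/usr/bin/python3", "/usr/local/share/backup.py"]}, fh)
    with open(os.path.join(ad, "com.example.tokenwatch.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.tokenwatch", "RunAtLoad": True,
                       "ProgramArguments": ["/Users/dev/.cache/.mon/watch.sh"]}, fh)
    return ud, ad


if __name__ == "__main__":
    for hit in audit_dirs(*build_sample_dirs()):
        print(hit)
```

On a real host call `audit_dirs()` with the defaults; on macOS also include `/Library/LaunchDaemons`. A hit with only `unknown_path` needs the referenced script read before judging it, which is why that reason is separate from the two behavioural ones.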
P3: Medium-term (Within 7 days)
- Supply Chain Verification: Implement provenance checks (SLSA) for all ingested packages. Reject artifacts lacking valid signatures or originating from unverified publishers.
- Build Environment Hardening: Enforce ephemeral build environments where credentials are injected only at runtime and never persisted to disk.
- Simulation: Conduct purple team exercises simulating the Miasma `preinstall` hook execution to validate SIEM/EDR detection capabilities against the `bun` runtime abuse.
5. Indicators of compromise
| Type | Value | Confidence | Source |
|---|---|---|---|
| Repository Name | `Miasma-Open-Source-Release` | High | BleepingComputer, The Register |
| Search String (C2) | `DontRevokeOrItGoesBoom` | High | The Register |
| Search String (C2) | `TheBeautifulSandsOfTime` | High | The Register |
| Search String (C2) | `firedalazer` | High | The Register |
| File Name | `index.js` (malicious dropper) | High | Microsoft Threat Intel |
| Package Scope | `@redhat-cloud-services` | High | Snyk, Microsoft |
| Process Name | `bun` (JavaScript runtime) | Medium | Microsoft Threat Intel |
| Campaign Marker | `Miasma: The Spreading Blight` | High | Microsoft Threat Intel |
| Destructive Command | `rm -rf ~/; rm -rf ~/Documents` | High | BleepingComputer |
6. Detection
```yara
rule Miasma_Worm_Indicators {
    meta:
        author = "Adverse Trace"
        date = "2026-06-10"
        description = "Detects strings associated with the Miasma supply chain worm and its C2 mechanism"
        reference = "https://www.bleepingcomputer.com/news/security/the-miasma-worm-source-code-briefly-leaked-on-github/"
    strings:
        // GitHub Commit Search C2 markers (section 3)
        $c2_token = "DontRevokeOrItGoesBoom" ascii
        $c2_js = "TheBeautifulSandsOfTime" ascii
        $c2_monitor = "firedalazer" ascii
        $marker = "Miasma: The Spreading Blight" ascii
        $destruct = "rm -rf ~/" ascii
        $repo_leak = "Miasma-Open-Source-Release" ascii
        // Weak dropper heuristics: only meaningful together and on a large file
        $obfuscation = "eval(" ascii wide
        $runtime = "bun" ascii fullword
    condition:
        any of ($c2_token, $c2_js, $c2_monitor, $marker, $destruct, $repo_leak) or
        ($obfuscation and $runtime and filesize > 4MB)
}
```

The second clause will also match large minified bundles that happen to mention Bun, so treat it as a triage hint and rely on the marker strings for high-confidence hits.
```yaml
title: Miasma Worm Process Chain and C2 Activity
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects the Bun runtime spawned directly by Node.js, GitHub Commit Search polling for Miasma C2 strings, and the dead-man-switch home wipe launched from a systemd user service.
author: Adverse Trace
date: 2026/06/10
references:
    - https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/
logsource:
    category: process_creation
    product: linux
detection:
    # ParentImage is the direct parent only; the documented chain has a shell hop
    # (node -> sh -> bun), so pair this with process-tree correlation in the EDR.
    selection_process_chain:
        ParentImage|endswith: '/node'
        Image|endswith: '/bun'
    selection_c2_activity:
        CommandLine|contains:
            - 'DontRevokeOrItGoesBoom'
            - 'TheBeautifulSandsOfTime'
            - 'firedalazer'
            - 'api.github.com/search/commits'
    # The wipe runs in a shell spawned by the systemd user instance, not in systemd itself.
    selection_destructive_service:
        ParentImage|endswith: '/systemd'
        CommandLine|contains: 'rm -rf ~/'
    condition: 1 of selection_*
falsepositives:
    - Developers launching Bun from Node-based tooling
    - Developer scripts that legitimately query the Commit Search API
level: high
```
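A Sigma process_creation rule sees one parent at a time, so the shell hop in `node` → `sh` → `bun` slips past a direct-parent match. The script below is an added example (not the advisory's own tooling) that applies the same three detections to process events offline, but rebuilds each process's ancestry first: it catches `bun` whose nearest non-shell ancestor is `node`, classifies Commit Search lookups as C2 when one of the three marker strings is present, and flags a home-directory wipe whose parent is the systemd user instance. The event fixture, field names and rule names are assumptions; adapt the field mapping to whatever the EDR exports.

```python
"""Apply the process-chain, C2 and dead-man-switch logic to process events with ancestry.

Added example, not the advisory's own tooling. Event shape, fixture
values and rule names are assumptions.
"""
import re

C2_MARKERS = ("DontRevokeOrItGoesBoom", "TheBeautifulSandsOfTime", "firedalazer")
RX_COMMIT_SEARCH = re.compile(r"api\.github\.com/search/commits")
# rm -rf ~ or ~/ (or ~/Documents) as a whole argument; ~/.cache/foo does not match
RX_HOME_WIPE = re.compile(r"rm\s+-rf\s+(?:~|\$HOME)(?:/|/Documents)?(?=[\s;'\"&|]|$)")
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed fixture: a developer shell, one benign Bun run, the documented
# node -> sh -> bun chain polling a C2 string, and a systemd-spawned wipe.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": "/usr/lib/systemd/systemd", "cmdline": "/usr/lib/systemd/systemd --user"},
    {"pid": 400, "ppid": 1, "image": "/usr/bin/zsh", "cmdline": "zsh"},
    {"pid": 410, "ppid": 400, "image": "/usr/bin/bun", "cmdline": "bun run dev"},
    {"pid": 500, "ppid": 400, "image": "/usr/bin/node", "cmdline": "node node_modules/@example/pkg/index.js"},
    {"pid": 501, "ppid": 500, "image": "/bin/sh", "cmdline": "sh -c /tmp/.cache/bun /tmp/.cache/p.js"},
    {"pid": 502, "ppid": 501, "image": "/tmp/.cache/bun", "cmdline": "/tmp/.cache/bun /tmp/.cache/p.js"},
    {"pid": 503, "ppid": 502, "image": "/usr/bin/curl",
     "cmdline": "curl -s https://api.github.com/search/commits?q=DontRevokeOrItGoesBoom"},
    {"pid": 600, "ppid": 1, "image": "/bin/sh",
     "cmdline": "sh -c 'curl -fs https://api.github.com/user || rm -rf ~/'"},
    {"pid": 700, "ppid": 400, "image": "/usr/bin/curl",
     "cmdline": "curl -s https://api.github.com/repos/example/repo/pulls"},
]


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def ancestry(by_pid: dict, pid: int, max_depth: int = 16) -> list:
    """Process names from pid up to the root, child first; cycles and depth are bounded."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Return one alert dict per matching event."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(by_pid, e["pid"])
        name, parents = chain[0], chain[1:]
        # Rule 1: bun whose nearest non-shell ancestor is node (shell hops are skipped).
        if name == "bun":
            real = [p for p in parents if p not in SHELLS]
            if real and real[0] == "node":
                alerts.append({"pid": e["pid"], "rule": "node_spawns_bun",
                               "chain": " -> ".join(reversed(chain))})
        # Rule 2: Commit Search polling; a known marker string upgrades it to a C2 hit.
        if RX_COMMIT_SEARCH.search(e["cmdline"]):
            markers = [m for m in C2_MARKERS if m in e["cmdline"]]
            alerts.append({"pid": e["pid"],
                           "rule": "commit_search_c2" if markers else "commit_search",
                           "markers": markers})
        # Rule 3: home-directory wipe launched by the systemd user instance.
        if RX_HOME_WIPE.search(e["cmdline"]) and parents[:1] == ["systemd"]:
            alerts.append({"pid": e["pid"], "rule": "service_home_wipe",
                           "chain": " -> ".join(reversed(chain))})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The benign `bun run dev` from the developer's shell produces no alert because its first non-shell ancestor is `systemd`, not `node`; the dropper's `bun` does, even though its direct parent is `sh`.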
7. Sources
- BleepingComputer, "The 'Miasma' worm source code briefly leaked on GitHub", 2026-06-10, https://www.bleepingcomputer.com/news/security/the-miasma-worm-source-code-briefly-leaked-on-github/
- The Register, "Miasma worms its way onto GitHub as attack kit goes open source", 2026-06-09, https://www.theregister.com/cyber-crime/2026/06/09/miasma-supply-chain-attack-toolkit-goes-public-on-github/5253074
- Microsoft Threat Intelligence, "Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign", 2026-06-02, https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/
- Snyk, "Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packages", https://snyk.io/blog/miasma-supply-chain-attack-malicious-code-found-in-redhat-cloud-services-npm-packages/
- Dark Reading, "Miasma Supply Chain Worm Burrows Into 73 Microsoft Repositories", https://www.darkreading.com/application-security/miasma-supply-chain-worm-73-microsoft-repositories
8. Adverse Trace position
We assess the severity of this advisory as High for organizations with active software development lifecycles and Medium for those solely consuming open-source packages without rigorous pinning. The deliberate release of the Miasma source code is a force multiplier that will likely accelerate the frequency of similar supply chain attacks, even if the original actors do not directly leverage the leaked toolkit. The "dead-man switch" capability introduces a tangible destruction risk to developer workstations and build servers upon detection and remediation efforts (token revocation). We recommend immediate credential rotation and strict monitoring of CI/CD pipelines. Adverse Trace will continue to monitor GitHub and package registries for new variants derived from this leaked codebase and update clients if specific exploitation campaigns targeting the financial sector are identified.
Published via PulseTrace — Adverse Trace threat intelligence.