Skip to content
Security & Trust

The Miasma Worm Source Code Was Leaked on GitHub. The npm Supply Chain Attack Is Now Open Source.

The credential-stealing worm that compromised Red Hat's npm packages and 73 Microsoft Azure repositories was briefly published on GitHub on June 10. Copycat attacks are now a matter of when, not if.

· 7 min read
Share on X LinkedIn
The Miasma Worm Source Code Was Leaked on GitHub. The npm Supply Chain Attack Is Now Open Source.

The Worm Goes Public

On June 10, 2026, the full source code of the Miasma supply chain attack framework was briefly published on GitHub via compromised developer accounts. The Miasma worm — responsible for compromising 32 packages under Red Hat's @redhat-cloud-services npm namespace and 73 Microsoft Azure repositories — is no longer a sophisticated threat requiring nation-state capabilities. It is downloadable code that any attacker can study, modify, and redeploy.

GitHub removed the repository, but the code was forked, mirrored, and archived before takedown. Security researchers at BleepingComputer and The Register confirmed the leak contained the complete attack toolkit: credential harvesting modules, self-propagation logic, npm account takeover scripts, and the payload delivery system. The barrier to entry for npm supply chain attacks just dropped to zero.

32
Red Hat packages compromised
Under @redhat-cloud-services npm namespace. Source: Wiz.io, June 2026.
73
Microsoft repos compromised
Across four Microsoft GitHub organizations. Source: StepSecurity, June 2026.

The Attack Chain

Miasma operates as a self-propagating worm. It compromises a developer's GitHub account, identifies npm packages the developer maintains, pushes malicious configuration files to those packages, and waits. When another developer opens the compromised repository in an AI coding tool — Claude Code, Gemini CLI, Cursor, or VS Code with AI extensions — the malicious configuration files execute credential-harvesting payloads. The harvested credentials are used to compromise that developer's accounts, and the cycle repeats.

The Microsoft Azure compromise demonstrated the blast radius. A single compromised contributor account led to malicious files in Azure/durabletask and 72 other repositories. Azure/functions-action — the official Azure Functions deployment GitHub Action used by thousands of CI/CD pipelines — was disabled, breaking deployments globally. The worm did not need to compromise Microsoft's infrastructure. It compromised a contributor's account and used GitHub's own collaboration mechanisms to spread.

Why the Leak Changes the Threat Landscape

Before the leak, Miasma was attributed to a sophisticated threat actor. The attack required deep understanding of npm's publishing workflow, GitHub's collaboration model, and the trust assumptions of AI coding tools. After the leak, the attack is a script. The credential harvesting modules can be reused with different payloads. The self-propagation logic can be adapted for PyPI, Cargo, or any package registry with similar trust models. The AI coding tool exploitation technique can target any tool that processes repository files.

The Shai-Hulud campaign — 59 attack campaigns, 657 malicious packages across npm and PyPI since September 2025 — is already the most prolific supply chain threat family in 2026. The first half of 2026 produced 4.5x the malicious package volume of all 2025. Miasma's source code leak will accelerate this trajectory by enabling new actors to launch supply chain attacks without developing their own tooling.

59 campaigns, 657 packages
Shai-Hulud campaigns
Since September 2025. First half of 2026 = 4.5x all of 2025. Source: Phoenix Security, 2026.

The Framework Exposure Map

Every Node.js-based web framework inherits npm's supply chain risk. Next.js, Nuxt, Astro, SvelteKit, and Remix all install hundreds of npm packages as dependencies. A single compromised package in the dependency tree — or a single compromised developer account with publish access — can inject malicious code into any application that runs npm install. The Miasma worm specifically targets this mechanism.

Frameworks with smaller dependency trees have proportionally less exposure. Hugo has no npm dependencies. Django and Laravel use their respective language ecosystems (pip, Composer) which have different trust models and different attack surfaces. But no ecosystem is immune — the Hades campaign demonstrated the same pattern against PyPI. The framework choice determines which supply chain risk surface an organization inherits.

Defense in a Post-Leak World

Organizations cannot prevent the Miasma source code from being used. They can reduce their exposure. Lockfiles (package-lock.json, yarn.lock) pin exact dependency versions and prevent silent updates. npm audit and Snyk scan dependencies for known compromised packages. GitHub's dependency graph and Dependabot alert on vulnerable transitive dependencies. SLSA provenance verification confirms that packages were built from the expected source code. TanStack, for example, publishes valid SLSA provenance for all 42 of its packages.

But these are mitigations, not solutions. The fundamental vulnerability — that npm packages execute arbitrary code at install time, and that developers routinely run npm install on untrusted code — remains. The Miasma leak ensures that this vulnerability will be exploited more frequently, by more actors, with more sophisticated payloads. The npm supply chain is now a permanently contested space.

Share this insight