The Worm Goes Public
On June 10, 2026, the full source code of the Miasma supply chain attack framework was briefly published on GitHub via compromised developer accounts. The Miasma worm — responsible for compromising 32 packages under Red Hat's @redhat-cloud-services npm namespace and 73 Microsoft Azure repositories — is no longer a sophisticated threat requiring nation-state capabilities. It is downloadable code that any attacker can study, modify, and redeploy.
GitHub removed the repository, but the code was forked, mirrored, and archived before takedown. Security researchers at BleepingComputer and The Register confirmed the leak contained the complete attack toolkit: credential harvesting modules, self-propagation logic, npm account takeover scripts, and the payload delivery system. The barrier to entry for npm supply chain attacks just dropped to zero.
The Attack Chain
Miasma operates as a self-propagating worm. It compromises a developer's GitHub account, identifies npm packages the developer maintains, pushes malicious configuration files to those packages, and waits. When another developer opens the compromised repository in an AI coding tool — Claude Code, Gemini CLI, Cursor, or VS Code with AI extensions — the malicious configuration files execute credential-harvesting payloads. The harvested credentials are used to compromise that developer's accounts, and the cycle repeats.
The Microsoft Azure compromise demonstrated the blast radius. A single compromised contributor account led to malicious files in Azure/durabletask and 72 other repositories. Azure/functions-action — the official Azure Functions deployment GitHub Action used by thousands of CI/CD pipelines — was disabled, breaking deployments globally. The worm did not need to compromise Microsoft's infrastructure. It compromised a contributor's account and used GitHub's own collaboration mechanisms to spread.
Why the Leak Changes the Threat Landscape
Before the leak, Miasma was attributed to a sophisticated threat actor. The attack required deep understanding of npm's publishing workflow, GitHub's collaboration model, and the trust assumptions of AI coding tools. After the leak, the attack is a script. The credential harvesting modules can be reused with different payloads. The self-propagation logic can be adapted for PyPI, Cargo, or any package registry with similar trust models. The AI coding tool exploitation technique can target any tool that processes repository files.
The Shai-Hulud campaign — 59 attack campaigns, 657 malicious packages across npm and PyPI since September 2025 — is already the most prolific supply chain threat family in 2026. The first half of 2026 produced 4.5x the malicious package volume of all 2025. Miasma's source code leak will accelerate this trajectory by enabling new actors to launch supply chain attacks without developing their own tooling.
The Framework Exposure Map
Every Node.js-based web framework inherits npm's supply chain risk. Next.js, Nuxt, Astro, SvelteKit, and Remix all install hundreds of npm packages as dependencies. A single compromised package in the dependency tree — or a single compromised developer account with publish access — can inject malicious code into any application that runs npm install. The Miasma worm specifically targets this mechanism.
Frameworks with smaller dependency trees have proportionally less exposure. Hugo has no npm dependencies. Django and Laravel use their respective language ecosystems (pip, Composer) which have different trust models and different attack surfaces. But no ecosystem is immune — the Hades campaign demonstrated the same pattern against PyPI. The framework choice determines which supply chain risk surface an organization inherits.
Defense in a Post-Leak World
Organizations cannot prevent the Miasma source code from being used. They can reduce their exposure. Lockfiles (package-lock.json, yarn.lock) pin exact dependency versions and prevent silent updates. npm audit and Snyk scan dependencies for known compromised packages. GitHub's dependency graph and Dependabot alert on vulnerable transitive dependencies. SLSA provenance verification confirms that packages were built from the expected source code. TanStack, for example, publishes valid SLSA provenance for all 42 of its packages.
But these are mitigations, not solutions. The fundamental vulnerability — that npm packages execute arbitrary code at install time, and that developers routinely run npm install on untrusted code — remains. The Miasma leak ensures that this vulnerability will be exploited more frequently, by more actors, with more sophisticated payloads. The npm supply chain is now a permanently contested space.


