Cyber Intel Brief: Evolving Supply Chain Attacks with Open Source Miasma

On June 9, 2026, an unknown threat actor open-sourced what is claimed to be the full Miasma worm toolkit – the supply chain malware responsible for disabling 73 Microsoft GitHub repositories, compromising 32 Red Hat npm packages, and poisoning 57 additional npm packages across 286+ malicious versions since May 29. The release includes numerous additional “utility” scripts to support deployment and reinfection, per-infection unique encryption, and payloads targeting 15 AI coding agents – a notable escalation against AI tools from TeamPCP’s Mini Shai-Hulud, which was itself open-sourced less than a month ago.

Key Takeaways

• Miasma broadens both AI coding agent targeting and persistence mechanisms: The published source code targets 15 AI coding agents, MCP server configurations (via mcp.json), and IDE workspaces, more than double the tools documented in prior Mini Shai-Hulud reporting. The code is built to write hooks and prompt injections into AI agent and IDE config files, meaning the persistence mechanisms leveraging AI tooling may survive token rotations and continue re-harvesting credentials on subsequent sessions.
• Second open-sourcing in 28 days, compounding proliferation risk: As previously reported in May, TeamPCP published the Shai-Hulud worm source code on GitHub. This was accompanied by a supply-chain attack “competition” announcement on the BreachForums clone linked to personas Resolute and (formerly) Diencracked. The recent purported Miasma release adds a modular, expanded toolkit to public domain. Derivative campaigns and proliferation of new variants are likely to accelerate in H2 2026.
• Per-infection encryption: Miasma generates a uniquely encrypted payload for each infection, complicating hash-based detections.
• Attribution uncertain: The unnamed threat actor specifically cited TeamPCP as a motivator for publishing the repository publicly. With another supply chain focused malware open-sourced, other threat actors may now leverage Miasma and the bundled tools to accelerate future attacks and complicate attribution further. Technical divergences (e.g. differing C2 mechanisms, expanded token collection and attack surface targeting) combined with the language of the provided README support the likelihood of a distinct threat actor behind Miasma.

Incident Overview

On June 1, 2026, unauthorized commits were pushed to repositories in the RedHatInsights GitHub organization and used to publish malicious versions of 32 packages under the @redhat-cloud-services npm scope.

96 total malicious versions were published in two waves at approximately 10:53 UTC and 13:44 to 13:46 UTC.

The campaign escalated rapidly: on June 3, the npm targeting wave saw 57 malicious packages published across over 280 versions, while a parallel wave bypassed package registries entirely and pushed malicious commits directly to GitHub source repositories.

On June 5, 2026, the campaign reached Microsoft’s Azure GitHub organizations, and GitHub disabled 73 repositories across four Microsoft GitHub organizations.

On June 9, the purported Miasma source code was published, including bundled “utility” scripts to support attacks.

Notable Features and Mechanisms

Miasma expands the attack techniques leveraged by Mini Shai-Hulud’s via binding.gyp abuse. Coined “Phantom Gyp” by StepSecurity, the malware abuses the binding.gyp file to trigger code execution during npm install, bypassing some install-script security checks entirely.

AI Coding Agent Configuration as an Execution Surface

This variant expands on Mini Shai-Hulud’s targeting of AI coding assistants. The source code includes the functionality for injecting persistence mechanisms into project repositories that execute whenever a developer opens the project in their AI-assisted IDE – similar to Mini Shai-Hulud, however with support for expanded targeting of AI tools contained in the published code.

Confirmed injected files from the June 5 wave include: .claude/setup.mjs (Claude Code SessionStart hook), .claude/settings.json (Claude Code settings injection), .cursor/rules/setup.mdc (Cursor custom rules loaded on project open), and .gemini/settings.json (Gemini settings injection).

These four confirmed files represent only the injection points observed in previous waves, and the published purported Miasma code contains expanded targeting scope. The worm’s first hook injection array covers 13 AI coding agents, with standalone config file targeting bringing the total to 15 tools. Tools listed in the code include:

• Claude Code
• Codex
• Gemini CLI
• GitHub Copilot
• Kiro
• OpenCode
• Cline
• Aider
• Tabby
• Amazon Q
• Cody
• Bolt
• Continue
• Cursor — via .cursorrules and .cursor/rules/
• Windsurf — via .windsurfrules

The gap between confirmed observed injections and the tool’s declared capabilities suggests either that the full targeting scope has not yet been reported from ITW exploitation, some functionality may be untested similar to other features documented by the author, or the code may have been updated prior to publication.

Anti-LLM Analysis: Prompt Injection as Anti-Reverse-Engineering

As reported by Socket, the payload obfuscated in _index.js  observed in a subset of compromised packages, is prefaced by a large JavaScript block comment containing fake LLM system instructions related to construction of a nuclear weapon and synthesis of biological warfare agents. This is likely designed to trigger safety guardrails, potentially disrupting LLM-assisted malware analysis scanners before they can decode the actual obfuscated payload – an interesting anti-analysis technique specifically targeting organizations using LLM-first triage. It has no effect on traditional static analysis. 

In the reviewed sample after the prompt injection, the payload used a two-layer obfuscation scheme: an outer ROT17 encoding and an inner AES-128-GCM encryption.

Multi-Cloud Credential Expansion

The published Miasma code includes new data collectors targeting GCP and Azure cloud identities, an expansion from prior Mini Shai-Hulud variants. However, the source code’s provided “architecture” document marks both GCP and Azure exfiltration components as broken and untested against live targets. The codebase additionally includes collectors for Kubernetes, Vault, macOS keychain, and password managers. Several further propagation components such as PyPI OIDC mutation, SSH host propagation, JFrog Artifactory, and RubyGems OIDC injection are listed as not fully tested against live targets per the included documentation.

EDR Detection

The source code includes a hasHostileEDR() function that checks for the presence of endpoint security products by scanning 17 known process names and 7 installation paths across Windows, Linux, and macOS. Products checked for include CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Carbon Black, Cylance, Trend Micro, FireEye/Trellix, osquery, Tanium, and Qualys. The function checks for known installation paths on disk using existsSync(), meaning detection does not rely on process enumeration alone.

Default C2 Architecture

Primary exfiltration uses GitHub dead-drop repositories created under victim accounts with stolen credentials. The open-source code contains the naming structure in createRepo.ts. Repo names are generated from an ADJECTIVES array of scrambled Greek underworld terms combined with a NOUNS array and a random five-digit number.

The C2 module checkin.ts uses the GitHub search API to look for commits containing a configurable C2 trigger string. Each matching commit’s message is verified against an embedded 4096-bit RSA public key, and a returned payload is then executed directly as code. This gives the operator a cryptographically-authenticated code execution channel via any public GitHub repository, resulting in C2 that is more difficult for defenders to detect and disrupt than traditional domain-based C2 infrastructure.

Dead-Man Switch

Similar to previous variants, the source code also includes a script which checks for revocation of GitHub tokens, and if detected initiates a destructive wiper routine. This means credential rotation without first removing the persistence mechanisms can trigger data destruction on infected developer workstations.

Russian-Language System Avoidance

The source code includes an isSystemRussian() function that checks for Russian locale on the infected system. In the case a Russian-language locale is detected, the code avoids execution. This is consistent with CIS-based threat actor behavior observed in financially motivated campaigns, though considering the unknown actor’s citing of TeamPCP inspiration, this alone may not be a strong indicator of attribution considering TeamPCP’s previous inclusion of geopolitically-themed randomly detonating payloads.

Recommendations

• Do not open unfamiliar repositories in AI coding agents until you have audited .claude/, .vscode/tasks.json, .cursor/rules/, .gemini/, and equivalent configuration directories.
• Rotate all credentials that were present on any system that installed any compromised package or cloned an affected repository after May 29, 2026.
• Audit publish history for your organization’s packages and review development pipelines for any direct or related dependencies on packages confirmed affected by Miasma.

Detection

• Hunt for unexpected Bun runtime activity in CI/CD.
• Monitor for binding.gyp in packages that should not have native addons.
• Monitor for api.anthropic.com/v1/api traffic from non-standard contexts: node, bun, or Python processes on CI runners or developer workstations. This path is not a legitimate Anthropic route; any traffic to it is suspect. Do not blanket-block api.anthropic.com if your organization uses Anthropic services.
• Hash-based IOCs for Miasma will degrade quickly: Prioritize behavioral rules over signatures.

Hardening

• Quarantine new package versions: most malicious packages in recent software supply chain campaigns were identified within hours of publication, meaning a version freeze window is often sufficient to greatly limit exposure.
• Monitor the deep and dark web for developer credential sales and other initial access vectors.