Miasma’s GitHub attack toolkit goes open source, after SafeDep spotted repos Monday
Attackers used GitHub commit search for command execution and credential theft, forcing defenders to detect at the application-behavior level.

SafeDep, which developed Package Management Guard (PMG), identified GitHub repositories hosting the open-sourced Miasma worm supply-chain toolkit called "Miasma-Open-Source-Release." Wiz threat researcher Rami McCarthy said the payload had already been reversed, limiting value for advanced defenders but still shifting the threat model for everyone else.
A supply-chain attack toolkit called “Miasma-Open-Source-Release” landed on GitHub, and SafeDep says the repos started appearing Monday, then got taken down after researchers analyzed one. The twist is not just that Miasma is spreading, but that the full “self-spreading malware’s source code” was published as an open-source release, apparently using previously compromised developers’ accounts.
SafeDep is the company behind Package Management Guard (PMG), and it spotted the malicious repositories that were built to help an operator “execute various attacks via stolen credentials against arbitrary or targeted packages” on public registries like PyPI, npm, and RubyGems, plus JFrog Artifactory, GitHub repositories, and GitHub Actions. SafeDep researchers also describe it as more than a simple package poisoning worm. The toolkit includes AI coding tool configuration poisoning, SSH-based lateral movement, and other attack vectors.
So what changed for the people responsible for keeping software ecosystems safe? Miasma follows a recent pattern: attackers operating inside GitHub itself, without needing custom command-and-control infrastructure. SafeDep points to this as a “key behavioural shift” because traditional network-based defenses often rely on baselining and anomaly detection at the network layer. When the actions are conducted through GitHub as the execution and routing layer, the detection problem moves closer to application-protocol and behavioural anomaly detection. In plain terms, your logs and your security monitoring have to understand what “normal GitHub activity” looks like for code execution, credential handling, and exfiltration, not just whether traffic is weird.
The Register also reports that Wiz principal threat researcher Rami McCarthy told it the public release is not particularly useful for sophisticated defenders because “we had already reversed the payload,” and SafeDep researchers had analyzed one repository before GitHub removed it. That sounds like a relief, but the story still matters operationally because open-sourcing a working toolkit can accelerate copycat attempts, increase the number of actors testing it, and muddy attribution. McCarthy said this mirrors what happened when TeamPCP open sourced its mini Shai-Hulud toolkit last month, and he added that they “haven't observed any opportunistic adoption of it yet.”
The background is unusually active. Miasma reportedly hit upwards of 100 Red Hat and Microsoft open source projects before spreading to other victims. Security firm Socket tracked 473 affected package artifacts as of Tuesday. The latest development sits in the same broader line as other recently seen worms. The source notes TeamPCP developed and then open sourced a mini Shai-Hulud worm last month, announcing a supply-chain attack contest on BreachForums and spawning copycat open-source package poisonings. The implication for boards and executive risk committees: these are not one-off incidents, they are emerging tactics that are easier to reproduce when code becomes public.
McCarthy also highlighted how attackers typically keep a private fork. He said it is “not clear [whether] attackers benefit from adopting this out-of-the-box toolkit versus vibe coding their own,” and that attackers “tend to continue developing their private fork of the malware.” That matters for forensic planning. If defenders start seeing open-source version signatures, they must also assume the private variants will evolve faster, and the open version may change monitoring and response priorities even if it is not the endgame.
Now the technical mechanism, because this is where defenders will feel the pain. The Miasma worm uses three independent GitHub commit search channels for C2, and each has a different search string and purpose. All three are unauthenticated by default and use GitHub’s public commit search API. Compromise does not automatically cascade across the channels because each uses a different validation or decryption key, which means a breach of one part does not instantly reveal the others.
One channel, “DontRevokeOrItGoesBoom,” is aimed at discovering attacker-controlled personal access tokens (PATs) for exfiltrating credentials and other sensitive data. Those PATs are AES-256-CBC encrypted in the commit message. The second, “TheBeautifulSandsOfTime,” delivers JavaScript for immediate command execution. It is checked once at startup, and after validation, the payload is passed to eval() to execute at runtime. The third, “firedalazer,” delivers Python script URLs for a persistent monitor. The overall theme is that GitHub commits become both the delivery mechanism and the control plane.
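A detection sketch for the three channels described above, added here as an example and not taken from SafeDep, Wiz or the toolkit. It flags commit-search requests that carry the search strings named in the article, and also flags unauthenticated commit search from any process outside a baseline, since the strings can change in a private fork. The log format, host and process names, and the baseline are assumptions, and the sample lines are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Search strings the article attributes to the three C2 channels.
MARKERS = {
    "dontrevokeoritgoesboom": "encrypted PAT discovery for exfiltration",
    "thebeautifulsandsoftime": "JavaScript delivered for eval() at startup",
    "firedalazer": "Python script URLs for the persistent monitor",
}

# Constructed sample lines. Assumed egress-proxy format:
# time host process method url authenticated(yes/no)
SAMPLE_LOG = """\
2025-01-01T10:00:01Z build-07 node GET https://api.github.com/search/commits?q=TheBeautifulSandsOfTime no
2025-01-01T10:00:02Z build-07 node GET https://api.github.com/search/commits?q=DontRevokeOrItGoesBoom no
2025-01-01T10:00:09Z build-07 python3 GET https://api.github.com/search/commits?q=firedalazer no
2025-01-01T10:01:00Z dev-12 gh GET https://api.github.com/search/commits?q=fix+typo+repo%3Aexample%2Fapp yes
2025-01-01T10:02:00Z build-03 npm GET https://registry.npmjs.org/left-pad no
2025-01-01T10:03:00Z build-03 node GET https://api.github.com/search/commits?q=release+notes no
"""

# Assumed baseline: (host, process) pairs expected to call commit search.
BASELINE = {("dev-12", "gh")}


def classify(line, baseline=BASELINE):
    """Return (host, process, rule, detail) for a suspicious line, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _, host, proc, _, url, authed = parts
    u = urlsplit(url)
    if u.hostname != "api.github.com" or u.path.rstrip("/") != "/search/commits":
        return None
    query = " ".join(parse_qs(u.query).get("q", [])).lower()
    for marker, purpose in MARKERS.items():
        if marker in query:
            return (host, proc, "known-marker", purpose)
    # Behavioural rule: unauthenticated commit search from an unbaselined process.
    if authed == "no" and (host, proc) not in baseline:
        return (host, proc, "unbaselined-commit-search", query)
    return None


def scan(log, baseline=BASELINE):
    hits = (classify(line, baseline) for line in log.splitlines())
    return [h for h in hits if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

The marker rule only catches the published strings; the baseline rule is the one that survives a renamed channel, at the cost of needing an accurate list of which build and developer processes legitimately query commit search.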
This is the part executives need to internalize: the move into GitHub means the “where” of the attack is the platform your teams rely on for collaboration. That changes policy, monitoring, and incident response design. If attackers are using GitHub for remote command execution, configuration changes, and data exfiltration, then security programs have to treat GitHub activity as part of the application surface, not a neutral hosting layer. That also affects how you evaluate governance: access controls for developers, safeguards around secrets, review workflows for sensitive configurations, and how quickly you can identify malicious patterns in repository and workflow behavior.
If you are a founder, CTO, CFO, or board member reviewing cyber risk, this story is a reminder that supply-chain security is now about ecosystems plus execution. Miasma’s open-source release is not guaranteed to be the “best” version or the fastest to adopt, especially given McCarthy’s point that payloads had already been reversed. But it still raises the bar for everyone defending software distribution and development pipelines. The strategic stakes are simple: if attackers can weaponize GitHub itself as both delivery and control without bespoke infrastructure, your next incident may start as “normal” Git operations and end as “we just lost credentials.”