The source code for the Miasma credential-stealing attack framework was briefly made public on GitHub before being taken down, BleepingComputer reported on June 10, 2026. The exposure, even if short-lived, raises significant concerns about the proliferation of supply chain attack tooling.
Background: What Is Miasma?
Miasma is a sophisticated self-spreading worm framework designed to conduct supply chain attacks across open-source ecosystems. It first came to widespread attention in mid-2026 after a series of coordinated attacks targeting npm, PyPI, and GitHub repositories. The framework is capable of:
- Credential theft from developer machines via compromised packages
- Self-propagation through poisoned dependencies that spread to downstream packages
- CI/CD pipeline compromise by stealing GitHub tokens and secrets
- Cross-ecosystem spreading across npm, PyPI, and Go modules
The Miasma worm was responsible for attacks that compromised major packages including targets in the TanStack ecosystem, Mistral AI, and Guardrails AI — infections that cascaded into breaches at organizations including GitHub, Grafana, and OpenAI.
The Leak
According to BleepingComputer, an unknown actor briefly published what appears to be the Miasma source code to a public GitHub repository on or around June 10, 2026. GitHub removed the repository after it was flagged, but not before the code was likely mirrored or archived by other parties.
The leak may have been:
- A deliberate publication by a disgruntled insider or rival threat actor
- An accidental exposure through a misconfigured private repository
- A deliberate information operation intended to democratize the attack tooling
This pattern mirrors the Shai-Hulud worm source code release from May 2026, where TeamPCP released the worm's code publicly, an act that immediately spawned a wave of copycat infections.
Why This Is Significant
The public availability of sophisticated worm source code dramatically lowers the barrier to entry for supply chain attacks. Previously, mounting a Miasma-style attack required significant technical expertise. With source code available — even briefly — the knowledge can propagate through threat actor communities, enabling lower-skill actors to adapt and deploy the framework.
Security researchers noted that within hours of the Shai-Hulud source release in May 2026, new variant infections began appearing across npm. A similar acceleration is now possible with Miasma.
Recommended Defensive Actions
For organizations and developers concerned about Miasma-style attacks:
- Audit installed packages — Review dependencies for recently published versions from unfamiliar accounts
- Rotate all secrets — Any GitHub tokens, npm access tokens, or CI/CD secrets should be rotated immediately if exposure is suspected
- Enable npm 2FA gating — npm's recently introduced 2FA-gated publishing reduces risk from compromised maintainer accounts
- Monitor for unexpected outbound connections — Miasma-compromised packages often establish connections to attacker-controlled infrastructure
- Lock dependency versions — Use lockfiles and verify package integrity hashes
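As an added illustration of the lockfile advice above (not code from BleepingComputer or from any project named here), this Node.js function audits a parsed package-lock.json for entries that lack an integrity hash, rely only on SHA-1, or resolve from a source outside an allowlist. The allowlist, the issue labels and the sample lockfile are assumptions constructed for the example.

```javascript
// Added example, not from the article; sample data below is constructed.
const TRUSTED_HOSTS = new Set(['registry.npmjs.org']); // assumption: add your private registry
const STRONG_ALGOS = new Set(['sha256', 'sha384', 'sha512']);

function auditLockfile(lock) {
  const findings = [];
  const flag = (path, issue) => findings.push({ path, issue });
  if (!lock.packages) return [{ path: '', issue: 'lockfile-v1-unsupported' }];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // Skip the root project, workspace members/symlinks, and bundled deps
    // (bundled deps ship inside the parent tarball, so its hash covers them).
    if (!path.includes('node_modules/') || entry.link || entry.inBundle) continue;
    if (!entry.integrity) {
      flag(path, 'missing-integrity');
    } else {
      // An SRI string may list several space-separated "algo-base64" hashes.
      const algos = entry.integrity.trim().split(/\s+/).map((h) => h.split('-')[0]);
      if (!algos.some((a) => STRONG_ALGOS.has(a))) flag(path, 'weak-integrity-hash');
    }
    let url = null;
    try { url = new URL(entry.resolved); } catch { /* missing or unparsable */ }
    if (!url) flag(path, 'unparsable-resolved-url');
    else if (url.protocol !== 'https:') flag(path, 'non-https-source');
    else if (!TRUSTED_HOSTS.has(url.hostname)) flag(path, 'untrusted-host');
  }
  return findings;
}

// Constructed lockfile (v3 layout); names, hosts and hashes are placeholders.
const reg = 'https://registry.npmjs.org';
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/good-pkg': { version: '2.1.0', integrity: 'sha512-PLACEHOLDER==',
      resolved: `${reg}/good-pkg/-/good-pkg-2.1.0.tgz` },
    'node_modules/old-pkg': { version: '0.3.0', integrity: 'sha1-PLACEHOLDER=',
      resolved: `${reg}/old-pkg/-/old-pkg-0.3.0.tgz` },
    'node_modules/git-pkg': { version: '1.0.0',
      resolved: 'git+ssh://git@example.invalid/team/git-pkg.git#0000000' },
    'node_modules/mirror-pkg': { version: '4.0.0', integrity: 'sha512-PLACEHOLDER==',
      resolved: 'https://mirror.example.invalid/mirror-pkg-4.0.0.tgz' },
    'node_modules/good-pkg/node_modules/bundled': { version: '1.0.0', inBundle: true },
  },
};

for (const f of auditLockfile(sampleLock)) console.log(`${f.issue}\t${f.path}`);
```

Run it against the parsed contents of a real package-lock.json in CI. Installing with `npm ci` then uses exactly the locked versions, and npm checks each downloaded tarball against its recorded integrity value.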
Timeline of Miasma Activity
| Date | Event |
|---|---|
| June 2026 | Miasma targets Microsoft GitHub repositories (73 repos hit) |
| June 2026 | IronWorm and new Miasma variant hit npm |
| June 10, 2026 | Miasma source code briefly leaked on GitHub |
The brief GitHub exposure of Miasma's source code represents a critical inflection point. Organizations should treat this as an active threat escalation and review their supply chain security posture immediately.