Miasma
Miasma is a self-propagating software supply-chain worm and credential-stealing attack framework, also tracked as “The Spring Blight,” and described as an evolution or variant of the earlier Shai-Hulud / Mini Shai-Hulud malware lineage. Reporting links it to a broader cluster that also includes Hades, and some sources associate the lineage with TeamPCP, although direct attribution of all Miasma activity remains unclear. The malware has targeted developer ecosystems, CI/CD pipelines, GitHub repositories, and package registries including npm, PyPI, RubyGems, and JFrog Artifactory. Public reporting also links it to compromises affecting Red Hat npm packages, Microsoft GitHub repositories, the LeoPlatform and RStreams npm ecosystems, and a Go module tied to the Verana Blockchain project.
Miasma infects developer workstations and CI runners, steals a broad set of credentials and secrets, and uses those credentials to propagate by modifying legitimate repositories and publishing trojanized package versions. Reported targets include GitHub personal access tokens, GitHub Actions secrets and OIDC tokens, npm and PyPI tokens, AWS, Azure, and Google Cloud credentials, Kubernetes service account tokens and configs, HashiCorp Vault credentials, SSH private keys, Docker auth files, JFrog Artifactory credentials, 1Password data, GPG material, .env files, CI secrets, and AI coding tool configurations for tools such as Claude, Cursor, Gemini, Copilot, Kiro, and Cline. Multiple reports state that it also scrapes GitHub Actions runner memory on Linux to extract secrets not exposed as environment variables.
Propagation and execution tradecraft varies by wave. Earlier variants used npm lifecycle hooks; later variants shipped a binding.gyp so that node-gyp ran during npm install. This works because npm defaults a package's install step to node-gyp rebuild whenever a binding.gyp is present and no install or preinstall script is declared, so package.json shows no install or postinstall script for a reviewer to notice. Several reports describe a Bun-based multi-stage payload: malicious packages replaced normal code with a heavily obfuscated JavaScript loader that downloaded and executed the Bun runtime, wrote the worm payload to a temporary path, executed it with bun run, and deleted the temporary file. The malware has also been observed pushing weaponized GitHub Actions workflows, abusing GitHub OIDC trusted publishing to release malicious npm packages with valid SLSA provenance attestations (the attestation proves which workflow published the package, not that the workflow was trustworthy), poisoning repositories through orphan commits and branch mutations, and targeting source-repository execution paths in IDE or AI coding assistant environments rather than relying only on package-manager hooks.
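The workflow traits quoted later on this page (a job requesting id-token: write, a trigger on every push to any branch, a workflow named to look like Dependabot) can be audited with a short script. The one below is an added example written for this page, not the attackers' workflow or any project's code. The two workflow texts in it are constructed samples, and the audit is a line-based heuristic rather than a YAML parser: the standard library has no YAML module, and YAML 1.1 parsers read the bare key on as the boolean true, which makes a naive parse of the trigger block unreliable.

```python
"""Added audit example for this page; it is not code from the campaign or from
any project. Flags the GitHub Actions workflow traits reported for Miasma."""
import re

FILTERS = ("branches", "branches-ignore", "tags", "tags-ignore")


def strip_comments(text):
    """Drop YAML comments and blank lines (heuristic: '#' inside quoted values
    is rare in workflow files, so it is treated as a comment start)."""
    lines = (raw.split("#", 1)[0].rstrip() for raw in text.splitlines())
    return "\n".join(line for line in lines if line.strip())


def push_on_every_branch(text):
    """True when a push to any branch runs the workflow."""
    text = strip_comments(text)
    # Shorthand forms: `on: push`, `on: [push, pull_request]`.
    m = re.search(r"^on:[ \t]*(\S.*)$", text, re.M)
    if m:
        return re.search(r"\bpush\b", m.group(1)) is not None
    top_key = child_indent = None
    in_push = push_seen = push_filtered = False
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        key = line.strip().split(":", 1)[0].lstrip("- ")
        if indent == 0:
            top_key, in_push, child_indent = key, False, None
        elif top_key == "on":
            if child_indent is None:  # indentation of the trigger names
                child_indent = indent
            if indent == child_indent:
                in_push = key == "push"
                push_seen = push_seen or in_push
            elif in_push and key in FILTERS:
                push_filtered = True
    return push_seen and not push_filtered


def audit_workflow(text):
    """Return the findings for one workflow file's text."""
    findings = []
    cleaned = strip_comments(text)
    if re.search(r"^\s*id-token:\s*write\s*$", cleaned, re.M):
        findings.append("id-token: write (the job can mint a GitHub OIDC token "
                        "that npm trusted publishing exchanges for publish rights)")
    if push_on_every_branch(cleaned):
        findings.append("push trigger with no branch filter")
    if re.search(r'^name:\s*["\']?dependabot', cleaned, re.M | re.I):
        findings.append("workflow name impersonates Dependabot")
    return findings


# Constructed samples for the demo; neither is a real workflow from the campaign.
SUSPICIOUS = """\
name: Dependabot Updates
on:
  push:
permissions:
  contents: write
  id-token: write
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: node .github/setup.js
"""

BENIGN = """\
name: CI
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts && npm test
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, audit_workflow(text) or ["no findings"])
```

Run it over every file under .github/workflows in a checkout; a workflow that combines id-token: write with an unfiltered push trigger deserves a look at who committed it and when, since that is the shape of the "Dependabot Updates" workflows quoted below.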
Miasma commonly exfiltrates stolen data through GitHub rather than dedicated C2 infrastructure. Reports state that it creates public repositories using victim accounts, uploads encrypted JSON results, and marks them with recognizable campaign strings such as the repository description “Alright Lets See If This Works.” Additional strings linked to the family include “RevokeAndItGoesKaboom,” “TheBeautifulSandsOfTime,” “thebeautifulmarchoftime,” and “firedalazer.” Some reporting states that Miasma polls GitHub commit search or public commits for commands, configuration, payload locations, or attacker-controlled tokens, so the same platform serves as both drop site and tasking channel. Public reporting also describes a destructive dead-man switch in some variants: when the stolen GitHub token used for exfiltration is revoked, the malware may delete files in the victim’s home and Documents directories, with persistence through a systemd service on Linux or a LaunchAgent on macOS and activity continuing for up to 72 hours. Because revocation is the trigger, a responder who finds a live infection should isolate the host and collect the systemd unit or LaunchAgent before revoking the stolen token.
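A hunt for the dead-drop repositories described above, as an added example that is not part of the original page or the worm's code. It works offline on the JSON GitHub returns for an account's repositories (for example from GET /user/repos?type=owner&sort=created&per_page=100 with a token for the account under review, or /orgs/{org}/repos). The repository records in the block are constructed, and the generated-name heuristic, the burst threshold and the window are assumptions rather than values from the reporting.

```python
"""Added hunt example for this page; not code from the worm or any vendor.
Scores GitHub repository records for the dead-drop pattern reported above."""
import re
from datetime import datetime, timedelta

# Campaign strings quoted in the reporting above.
MARKERS = (
    "Alright Lets See If This Works", "RevokeAndItGoesKaboom",
    "TheBeautifulSandsOfTime", "thebeautifulmarchoftime", "firedalazer",
)
# Heuristic (an assumption, not from the reporting): eight or more lowercase
# letters and digits, no separators, at least two of each, looks generated.
RANDOM_NAME = re.compile(r"(?=(?:.*\d){2})(?=(?:.*[a-z]){2})[a-z0-9]{8,}")
BURST = "created in a burst of public repositories"


def marker_in(description):
    """Return the first campaign marker found in a description, else None."""
    text = (description or "").lower()
    return next((m for m in MARKERS if m.lower() in text), None)


def random_name(full_name):
    return RANDOM_NAME.fullmatch(full_name.split("/")[-1]) is not None


def created(repo):
    return datetime.strptime(repo["created_at"], "%Y-%m-%dT%H:%M:%SZ")


def hunt(repos, burst_size=3, window=timedelta(minutes=10)):
    """Return {full_name: [reasons]} for repositories worth pulling down."""
    hits = {}

    def add(repo, reason):
        reasons = hits.setdefault(repo["full_name"], [])
        if reason not in reasons:
            reasons.append(reason)

    for repo in repos:
        marker = marker_in(repo.get("description"))
        if marker:
            add(repo, f"description matches campaign marker {marker!r}")
        if not repo.get("private") and random_name(repo["full_name"]):
            add(repo, "public repository with generated-looking name")
    # Dead drops are created in bulk: burst_size or more public repositories
    # inside one window (threshold and window are assumptions).
    public = sorted((r for r in repos if not r.get("private")), key=created)
    for i, first in enumerate(public):
        group = [r for r in public[i:] if created(r) - created(first) <= window]
        if len(group) >= burst_size:
            for r in group:
                add(r, BURST)
    return hits


SAMPLE_REPOS = [  # constructed records in the shape of the GitHub API, not real data
    {"full_name": "victim-dev/k3q8z1mvx9", "private": False,
     "description": "Alright Lets See If This Works",
     "created_at": "2026-06-05T10:01:00Z"},
    {"full_name": "victim-dev/p7w2j9c4hq", "private": False,
     "description": None, "created_at": "2026-06-05T10:02:30Z"},
    {"full_name": "victim-dev/m8v5r1t6yn", "private": False,
     "description": "", "created_at": "2026-06-05T10:03:10Z"},
    {"full_name": "victim-dev/billing-service", "private": True,
     "description": "Internal billing API", "created_at": "2026-03-01T09:00:00Z"},
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_REPOS).items():
        print(name, "->", "; ".join(reasons))
```

A marker hit is close to conclusive; the name and burst signals are there to catch the repositories created by the same run whose descriptions were changed or left empty, and they should be tuned per organization.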
Observed evasion and anti-analysis features include heavy obfuscation, a Caesar-shift (ROT-style) encoded outer loader wrapped around an AES-GCM encrypted payload (reported as AES-128-GCM in one analysis), polymorphic or per-build payload variation, checks for security tools including CrowdStrike and SentinelOne, and a Russian locale guard that acts as a killswitch. Reported malicious artifact paths include binding.gyp, .github/setup.js, _index.js, .claude/setup.mjs, .claude/settings.json, .cursor/rules/setup.mdc, .gemini/settings.json, and .vscode/tasks.json; binding.gyp and the editor and assistant configuration files are also legitimate in many repositories, so their presence is a lead to examine rather than a verdict. SHA-256 hashes directly associated with Miasma-related reporting include ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108, 9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015, 6331d1511783dcb1158fb54775f563e90399b3a2a81a584d3cba9a77f63d15a7, 58215f1d737443fd782f91c57ec10ad58109a96470054707fc6bfd6358abe468, and 3f3f42d072bd36860ab7bd7fb5e10ac0d22c741c13c89505ccd6ec0ea572eea7.
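A host-side triage of a checkout or node_modules tree for the artifact paths and execution tricks listed above, as an added example and not the worm's or any vendor's code. The sample files it builds are constructed stand-ins. The checks for a gyp action that invokes node or bun, for a VS Code task with runOn set to folderOpen, and for npm install lifecycle scripts are assumptions about how the reported execution paths show up on disk; the SHA-256 values are the ones listed on this page.

```python
"""Added triage example for this page; it is not the worm's own code. Walks a
tree, flags the reported artifact paths, inspects the files behind the reported
execution tricks and compares every file's SHA-256 with the hashes above."""
import hashlib, json, re, tempfile
from pathlib import Path

# SHA-256 values taken from the reporting summarized above.
KNOWN_SHA256 = {
    "ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108",
    "9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015",
    "6331d1511783dcb1158fb54775f563e90399b3a2a81a584d3cba9a77f63d15a7",
    "58215f1d737443fd782f91c57ec10ad58109a96470054707fc6bfd6358abe468",
    "3f3f42d072bd36860ab7bd7fb5e10ac0d22c741c13c89505ccd6ec0ea572eea7",
}
# Artifact paths from the reporting. A path hit alone is a lead, not a verdict:
# every genuine native addon ships a binding.gyp too.
ARTIFACT_PATHS = (
    "binding.gyp", ".github/setup.js", "_index.js", ".claude/setup.mjs",
    ".claude/settings.json", ".cursor/rules/setup.mdc",
    ".gemini/settings.json", ".vscode/tasks.json",
)
# gyp files are JSON-like but may use single quotes, so match with regexes.
GYP_ACTION = re.compile(r"""["']action["']\s*:\s*\[""")
RUNTIME = re.compile(r"""["'](node|bun|npx)["']""", re.I)


def gyp_runs_script(text):
    """A legitimate binding.gyp lists C/C++ sources; one whose gyp 'actions'
    execute node or bun is using node-gyp as an install-time hook."""
    return bool(GYP_ACTION.search(text) and RUNTIME.search(text))


def tasks_auto_run(text):
    """VS Code starts a task by itself when runOptions.runOn is "folderOpen"
    (assumption: that is the IDE auto-execution path worth auditing)."""
    try:
        tasks = json.loads(text).get("tasks", [])
    except (ValueError, AttributeError):
        return False
    return any(t.get("runOptions", {}).get("runOn") == "folderOpen" for t in tasks)


def install_hooks(text):
    """Earlier waves used npm lifecycle scripts; list those that run at install."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (ValueError, AttributeError):
        return []
    return [k for k in ("preinstall", "install", "postinstall") if k in scripts]


def triage(root):
    """Return {relative_path: [reasons]} for every file worth a closer look."""
    root, findings = Path(root), {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        text = data.decode("utf-8", "replace")
        reasons = []
        if any(rel == a or rel.endswith("/" + a) for a in ARTIFACT_PATHS):
            reasons.append("reported artifact path")
        if path.name == "binding.gyp" and gyp_runs_script(text):
            reasons.append("binding.gyp action runs node/bun")
        if path.name == "tasks.json" and tasks_auto_run(text):
            reasons.append("vscode task auto-runs on folder open")
        hooks = install_hooks(text) if path.name == "package.json" else []
        if hooks:
            reasons.append("install lifecycle scripts: " + ",".join(hooks))
        if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
            reasons.append("sha256 matches reported IOC")
        if reasons:
            findings[rel] = reasons
    return findings


def demo():
    """Build a constructed sample tree (not real samples) and triage it."""
    root = Path(tempfile.mkdtemp())
    files = {
        "node_modules/good-addon/binding.gyp":  # benign native addon
            '{"targets":[{"target_name":"addon","sources":["src/addon.cc"]}]}',
        "node_modules/bad-pkg/binding.gyp":  # gyp action runs a JS loader
            '{"targets":[{"target_name":"setup","type":"none","actions":['
            '{"action_name":"run","inputs":[],"outputs":["build/x"],'
            '"action":["node","_index.js"]}]}]}',
        "node_modules/bad-pkg/_index.js": "/* obfuscated loader stand-in */",
        "node_modules/old-wave/package.json":
            '{"name":"old-wave","scripts":{"postinstall":"node setup.js"}}',
        ".vscode/tasks.json":
            '{"version":"2.0.0","tasks":[{"label":"sync","type":"shell",'
            '"command":"node .github/setup.js",'
            '"runOptions":{"runOn":"folderOpen"}}]}',
        "src/index.js": "module.exports = 1;",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return triage(root)
```

Point triage() at a repository root or at node_modules after an install; the hash match is the only hard indicator, while the path and content hits tell you which files to open first.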
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
On June 5, 2026, the Miasma worm campaign reached Microsoft's Azure GitHub organizations.
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
An infostealer malware dubbed Miasma... The malware, as we’ve already discussed, steals GitHub tokens, npm tokens, AWS, GCP & Azure cloud credentials, and local environment information.
The GitHub fingerprint the attackers left behind – a repository description reading “Alright Lets See If This Works” turned up on over 320 infected repositories before researchers began pulling the thread. That string is not something random. In the Shai-Hulud / Miasma family of supply chain worms, the description stamped onto attacker-created GitHub dead-drop repos has functioned as a campaign signature since the original wave hit in September 2025.
An infrastructure provider's networks have been breached and they were dealing with the Miasma worm. That worm, as it turns out, is pretty hard to catch and delete because it is self-spreading through IDE configuration settings and through AI assisted environments.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (6 techniques)
If a simonecorsi-controlled workflow executed the compromised action with npm publishing credentials, GitHub tokens, or deployment permissions available to the runner, the attacker could have gained the access needed to publish malicious @immobiliarelabs package versions or trigger follow-on GitHub Actions activity.
It requests id-token: write, which grants access to a GitHub OIDC token that can be exchanged for npm publish credentials via npm’s trusted publishing.
This appears to be a continuation of the activity we reported yesterday involving LeoPlatform and RStreams npm packages, GitHub Actions workflow abuse, AI-agent persistence, and the Verana Go module/source-repository compromise. The new ImmobiliareLabs activity follows the same broader campaign pattern: compromise trusted developer infrastructure, publish malicious package versions...
The malicious releases were published in a tight window on June 26, 2026... Multiple historical versions were republished with malicious artifacts, suggesting the threat actor attempted to maximize exposure across users pinned to older major versions.
Execution (3 techniques)
The workflow is a weaponized GitHub Actions pipeline... The workflow triggers on every push to any branch.
Persistence (6 techniques)
GitHub tokens can then be used to create repositories, upload encrypted data, modify workflows, poison source repositories, or prepare additional propagation paths. GitHub repository activity from services-admin-pearhealthlabs shows hundreds of public repositories with randomized names...
Privilege Escalation (5 techniques)
It also scrapes GitHub Actions runner memory before committing the stolen data to a GitHub repository created through the victim's account
Stealth (6 techniques)
Root index.js is a single-line Caesar-shift loader followed by AES-128-GCM decryption and multi-stage payload delivery.
The same tokens pushed weaponized GitHub Actions workflows, disguised as Dependabot, to at least three repos... And it is named “Dependabot Updates” to blend in with legitimate dependency PRs. A follow-up commit, this time impersonating dependabot[bot]...
Defense Impairment (1 technique)
Credential Access (5 techniques)
StepSecurity also reported that the payload targeted GitHub OIDC tokens, GitHub personal access tokens, and CI/CD secrets... Exfiltrates stolen secrets via the GitHub API to attacker-controlled repositories.
Payload steals developer and CI/CD secrets: .env files, npm/PyPI/GitHub/Slack/Twilio/AWS/Azure/GCP/Vault tokens, SSH keys, Docker credentials, Kubernetes configs.
Static string analysis of the decrypted payload reveals... Credential theft across npm, GitHub (PATs, OIDC, JWTs), PyPI, RubyGems, Kubernetes service account tokens, HashiCorp Vault, AWS (IAM keys, STS, IMDS, Secrets Manager, SSM), 1Password, JFrog Artifactory, and SSH private keys.
The malware also tries to republish any packages the victim is allowed to maintain, sidestepping npm's two-factor authentication and giving itself another route to spread.
The malware targets developer workstations and CI runners, hunting for AWS, Azure, and Google Cloud credentials alongside GitHub personal access tokens, Kubernetes secrets, HashiCorp Vault credentials, 1Password data, npm publishing credentials, and other sensitive information.
Discovery (1 technique)
Collection (1 technique)
Command and Control (1 technique)
IOCs tracked for this family
80 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
56 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware component or variant in the Shai-Hulud tooling lineage that executes through developer workflow abuse across npm and Go ecosystems, using project configuration and install-time execution patterns rather than only package-manager hooks.
Supply-chain malware delivered via malicious npm packages and a Go module. It abuses binding.gyp/node-gyp for stealthy execution, deploys an obfuscated JavaScript loader and Bun-based payloads, steals developer credentials and secrets, and propagates by poisoning repositories and developer workflows.
A modular framework used for multi-ecosystem propagation in software supply-chain attacks, with credential harvesting and propagation capabilities.
A self-propagating npm supply-chain malware/worm that poisons legitimate packages, targets developer workstations and CI runners, steals cloud, GitHub, Kubernetes, Vault, 1Password, and npm credentials, scrapes GitHub Actions runner memory, exfiltrates data via GitHub repositories created through victim accounts, and attempts to republish packages the victim can maintain to spread further.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.