A new wave of cyber threats has emerged in what is being termed the Miasma attack, which has transitioned from targeting Red Hat npm packages to infecting multiple Microsoft GitHub repositories. This sophisticated software supply chain attack shakes the foundations of trust within the software development community and is noteworthy for its ability to propagate through legitimate channels and tools, evading traditional security mechanisms.
Cloudsmith researchers have provided critical insights into the origins and ramifications of the Miasma attack. The breach began with the compromise of the GitHub account belonging to a Red Hat employee. This compromise allowed attackers to leverage the GitHub OpenID Connect (OIDC) token to publish harmful packages within the @redhat-cloud-services namespace. As a result, over 30 compromised packages made their way into the npm registry, facilitating the theft of credentials, identity information, and secrets related to Continuous Integration/Continuous Deployment (CI/CD) processes.
This worm, referred to as Miasma, has evolved beyond mere package poisoning. The researchers insightfully note that Miasma can compromise code repositories and spread itself through widely-used development tools such as Claude Code, Gemini CLI, Visual Studio Code, and Cursor. Once the malware is activated, it seeks to pilfer credentials, inject malicious workflows into repositories, and establish a persistent presence in development environments.
The extent of the damage caused by this operation has been substantial. A staggering total of 73 GitHub repositories managed by Microsoft fell victim to this attack and were subsequently disabled by the malicious actors. This included critical components like Azure Functions and Durable Task ecosystems. It is believed that the attackers may have exploited previously obtained credentials for this operation, highlighting the ongoing risks associated with compromised accounts.
One of the significant hurdles in identifying the Miasma threat is its use of legitimate credentials and software distribution channels for its operations. The malicious packages involved in this attack contained authentic credentials and were each equipped with unique payloads. This uniqueness makes it exceedingly difficult to employ traditional signature-based detection methods to spot the threats. Alarmingly, there have been observations of similar attacks that target cloud identities, specifically within Azure and Google Cloud environments.
In response to this alarming situation, security researchers have urged affected organizations to take immediate action. They recommend a thorough rotation of the credentials belonging to developers, as well as those concerning CI/CD secrets, cloud access keys, and GitHub tokens. Additionally, auditing developer machines alongside the build environment, reviewing repository permissions, and efficiently managing third-party libraries throughout the software development lifecycle are strongly advised.
Jacob Krell, Senior Director of Secure AI Solutions and Cybersecurity at Suzu Labs, emphasizes the significant lessons learned from this incident. He states, “Microsoft secured the PyPI publishing pipeline after the May 19 durable task compromise. They shifted to internal releases and implemented trusted publishing measures. However, the same contributor account pushed a malicious commit to the same repository on June 5, indicating that its GitHub credentials were not effectively remediated.”
Krell sheds light on how the attack unfolded, mentioning that the disabling of 73 repositories occurred in as little as 105 seconds. This speed indicates the high level of coordination and planning behind the attack. He also highlights the malicious files planted by the worm, such as .claude/settings.json and .cursor/rules/, which trigger code execution whenever a developer accesses the repository using Cursor or Claude Code. A single contributor’s token, with write access to the Durable Task ecosystem, was evidently sufficient to cause these far-reaching repercussions.
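For the audit of developer machines recommended above, the following added example (not code from Cloudsmith, Krell, or any affected project) walks a directory of checkouts and reports every one that contains .claude/settings.json or .cursor/rules/, so the files can be reviewed before the repository is opened in an editor. It assumes, as a review heuristic only, that string values stored under a JSON key named "command" are what a reviewer wants to read first, and it skips .git and node_modules.

```python
import json
import os
import sys
from pathlib import Path

# Paths the article names as planted by the worm, relative to a checkout root.
SUSPECT_FILE = Path(".claude") / "settings.json"
SUSPECT_DIR = Path(".cursor") / "rules"


def command_strings(node):
    """Yield every string stored under a key named "command" in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from command_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from command_strings(item)


def audit_checkouts(root):
    """Return one finding per directory under root that holds either path."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        # Assumption: VCS internals and installed dependencies are out of scope.
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        here = Path(dirpath)
        hit = {"repo": str(here), "commands": [], "rules": [], "notes": []}
        settings = here / SUSPECT_FILE
        if settings.is_file():
            hit["notes"].append("claude settings present")
            try:
                data = json.loads(settings.read_text(encoding="utf-8"))
                hit["commands"] = sorted(command_strings(data))
            except (ValueError, OSError):
                hit["notes"].append("settings unreadable or not JSON: inspect by hand")
        rules = here / SUSPECT_DIR
        if rules.is_dir():
            hit["notes"].append("cursor rules present")
            hit["rules"] = sorted(p.name for p in rules.rglob("*") if p.is_file())
        if hit["notes"]:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_checkouts(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

A finding is a prompt for manual review, not a verdict: both paths are also used legitimately, so compare each hit against the repository's history to see who added the file and when.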
The vulnerability in trust relationships within development ecosystems is further analyzed by Rajeev Raghunarayan, Head of Go-To-Market at Averlon. He observes, “In reviewing recent supply chain attacks, it’s clear that each campaign has capitalized on different trust relationships within the development community. For instance, LiteLLM targeted what gets installed, while TanStack hijacked the build process, and now Miasma triggers payloads immediately upon a developer opening a repository in a trusted coding tool.”
Raghunarayan further notes that developer machines, as well as CI/CD pipelines, often house critical cloud keys and service principals, which can be exploited once obtained. This insight leads to a crucial consideration: beyond simply replacing stolen credentials, organizations should scrutinize what systems those credentials could access and whether any vulnerabilities were exploited before the credentials were replaced.
Overall, the Miasma attack stands as a stark reminder of the evolving threat landscape in the realm of software development, urging organizations to reassess their security measures and trust protocols to protect against increasingly sophisticated attacks.
