Developers urged to remain vigilant amid continued Miasma malware risks

The Miasma malware package uses legitimate OIDC tokens, making it indistinguishable from routine code updates


Security firms are warning that self-replicating malware known as Miasma has spread to 73 Microsoft GitHub repos across environments, including Microsoft Azure and Durable Task.

Miasma is a new and improved variant of Mini Shai-Hulud from the threat group TeamPCP, and, according to Cloudsmith, initially struck the @redhat-cloud-services npm namespace by compromising a Red Hat employee’s GitHub account.

"By pushing unreviewed orphan commits to internal repos, the threat actors injected a minimal workflow that requested GitHub’s OIDC tokens. This registry poisoning workflow in early June executed an obfuscated payload that published 32 malicious package versions to the npm registry," said the firm.

"Crucially, because it used legitimate OIDC tokens, the malicious releases carried valid SLSA provenance attestations. To standard registry scanners, the malicious updates were entirely indistinguishable from legitimate, routine code updates."


It's not known how many times the affected tools have been downloaded, but Microsoft said it's notified a 'small number' of customers who may have done so.

Under the hood of Miasma malware

What's special about the Miasma worm, said Cloudsmith, is that it doesn't exploit any software vulnerability in GitHub or npm, but instead exploits the underlying trust model of the modern engineering ecosystem.

Compromised developer credentials led to a legitimate GitHub OIDC token being requested, followed by a malicious build being published with valid SLSA provenance.

This ultimately led to conventional scanners seeing it as a routine trusted update.

On top of this, because Miasma generates a uniquely encrypted payload for each individual infection, traditional hash-based IOCs are functionally useless for broad detection, as the file signature changes with every single package version.
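Because the attestations in this incident were cryptographically valid, the useful question for a registry or CI gate is not "is the provenance signed" but "does the provenance describe a build the project ever sanctioned". The policy check below is an added example (not Cloudsmith's, GitHub's or npm's code) that reads a SLSA v1-style provenance statement and flags an ad-hoc workflow file, a non-release ref and a source commit that is not on a protected branch; the field layout, builder id, repository, workflow names and commit set are all constructed assumptions.

```python
# Policy checks layered on top of a SLSA provenance attestation (added example).
POLICY = {
    "repository": "https://github.com/example-org/example-lib",
    "builder_id": "https://github.com/actions/runner/github-hosted",
    "workflow_paths": {".github/workflows/release.yml"},
    "release_ref_prefixes": ("refs/tags/v", "refs/heads/main"),
}
# Commits reachable from the protected branch. Constructed here; in practice
# query git (merge-base --is-ancestor) or the GitHub API.
REVIEWED_COMMITS = {"1" * 40}

def evaluate_provenance(statement: dict, policy: dict, reviewed_commits: set) -> list:
    """Return policy violations for a signature-valid SLSA v1 provenance.
    Provenance proves which builder ran which workflow on which commit;
    these checks decide whether that build is one the project sanctioned."""
    findings = []
    build = statement.get("predicate", {}).get("buildDefinition", {})
    wf = build.get("externalParameters", {}).get("workflow", {})
    builder = statement.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder != policy["builder_id"]:
        findings.append(f"unexpected builder: {builder}")
    if wf.get("repository") != policy["repository"]:
        findings.append(f"unexpected source repository: {wf.get('repository')}")
    if wf.get("path") not in policy["workflow_paths"]:
        findings.append(f"workflow not in release allowlist: {wf.get('path')}")
    if not str(wf.get("ref", "")).startswith(policy["release_ref_prefixes"]):
        findings.append(f"built from non-release ref: {wf.get('ref')}")
    for dep in build.get("resolvedDependencies", []):
        commit = dep.get("digest", {}).get("gitCommit")
        if commit and commit not in reviewed_commits:
            findings.append(f"source commit not on protected branch: {commit}")
    return findings

# Constructed statement modelled on the pattern described above: trusted builder
# and repository, but an ad-hoc workflow on an orphan commit nobody reviewed.
SUSPICIOUS = {
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "externalParameters": {"workflow": {
                "ref": "refs/heads/publish-tmp",
                "repository": "https://github.com/example-org/example-lib",
                "path": ".github/workflows/publish-now.yml"}},
            "resolvedDependencies": [{"digest": {"gitCommit": "2" * 40}}]},
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}}}}

if __name__ == "__main__":
    for finding in evaluate_provenance(SUSPICIOUS, POLICY, REVIEWED_COMMITS):
        print("VIOLATION:", finding)
```

Run against the constructed statement it reports three violations (workflow path, ref, unreviewed commit) even though builder and repository are exactly what the project expects.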

"While previous iterations of the Mini Shai-Hulud malware have focused purely on local secret scraping, the Miasma worm appears to have advanced data collectors specifically engineered for cloud identities in GCP and Azure," the researchers said.

"It attempts to harvest every cloud identity the infected developer machine and CI/CD runners have access to, proving a clear intent from the threat actors to leverage access away from the codebase and directly into live cloud environments."

How to protect your organization

If your company operates within the Azure or Red Hat ecosystems, Cloudsmith's advice is to assume secrets have been exposed and rotate them.

Miasma specifically hunts for developer credentials, meaning that everything on a compromised machine or CI/CD pipeline may have been leaked.

"Developers are high-value targets because they sit at the intersection of source code, cloud infrastructure, AI platforms and production systems. Compromising a trusted package or development workflow can give attackers access that is far harder to obtain through traditional intrusion methods," commented Ilkka Turunen, field CTO at Sonatype.

With this incident having reached users of platforms such as Claude and Gemini, Turunen noted it shows how "interconnected modern software ecosystems have become" and should serve as a warning.

"An attack that begins with a seemingly insignificant open source package can quickly cascade across organizations, platforms and users," Turunen commented. "Organizations need to treat the software supply chain as part of their security perimeter. The attackers already do."


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.