
What Is a Software Supply Chain Attack? Full Analysis of the 2026 Miasma Worm Incident and an Enterprise Protection Guide

20 min read
Tags: Supply Chain Attack, Miasma, Security, npm, PyPI, AI Development Tools, Credential Security, CI/CD


72 seconds. That is how long it took the Miasma worm to go from compromising one Red Hat employee's GitHub account to poisoning all 32 of Red Hat's official npm packages (iThome, 2026). The dependencies your team pulled down with npm install yesterday—are they still trustworthy today? Worse, this worm targets more than the packages themselves: it turned the configuration files of AI development tools like Claude Code and Cursor into infection entry points.

The incident is still unfolding. Since June 8, 2026, the complete attack toolkit has been public on GitHub, available to anyone (The Register, 2026).

This article distills the analyses from multiple media outlets and security firms into a guide enterprises can use directly: what a software supply chain attack is, the full Miasma incident timeline, why SLSA attestations and hash matching all failed this time, and the self-audit and credential protection steps your team should take right now. The entire article takes a defensive perspective and does not cover offensive operational details.

Article hero image illustrating the core supply chain attack concept of "poison upstream, spread downstream"

What Is a Software Supply Chain Attack? Understanding the Attack Principle Through the Miasma Incident

A software supply chain attack means the attacker does not breach the target directly, but instead poisons upstream components the target trusts—open-source packages, development tools, CI/CD pipelines. The Miasma incident of June 1, 2026 is a textbook case: after compromising one Red Hat employee's GitHub account, the attackers poisoned 32 official Red Hat npm packages within 72 seconds (iThome, 2026).

Why do attackers prefer this route? Efficiency.

Breaching enterprises directly means attacking them one by one. But poison one popular package, and every downstream project that installs it pulls the malicious code in by itself. Package managers, automated builds, dependency updates—the very mechanisms that make development fast are also the highways along which malicious versions spread fastest.

An analogy: a burglary hits one household at a time; poisoning the water supply affects the whole neighborhood. Supply chain attacks are the latter.

There is an even more uncomfortable truth underneath. A modern project's dependency tree easily runs to hundreds of packages, each with its own maintainers, its own CI pipeline, its own level of account security. You can control your own team's security discipline, but you have no control over whether the maintainer of that fourth-level package in your dependency tree has two-factor authentication turned on. For teams still building up their security fundamentals, we recommend starting with the enterprise information security fundamentals guide to establish basic threat-model concepts—this incident will hit home much harder afterward.

What made the Miasma incident rattle the entire industry is not how badly any single victim suffered, but how fast and how automated it proved this attack path can be. Let's lay out the full timeline.

The Complete Miasma Worm Timeline: From Shai-Hulud to the Open-Sourced Attack Toolkit

The origins of this attack trace back to September 2025, when the self-replicating worm Shai-Hulud first appeared in the npm ecosystem; in May 2026, after the hacker group TeamPCP published its source code, variants proliferated—the most prominent of which is Miasma (iThome, 2026). From open-sourcing to large-scale attack, only one month passed.

The full timeline:

Date | Event | Scale and Details
---- | ----- | -----------------
September 2025 | Shai-Hulud worm first appears in the npm ecosystem | The starting point of the self-replicating worm (iThome)
May 2026 | TeamPCP publishes the Shai-Hulud source code | Variants proliferate; Miasma is the most prominent
2026-06-01 | Miasma compromises one Red Hat employee's GitHub account | 32 official Red Hat npm packages infected within 72 seconds (iThome, INSIDE)
2026-06-03 | Second npm infection wave | 57 npm packages infected simultaneously, spreading more than 286 malicious versions (iThome)
2026-06-05 | Microsoft contributor account compromised | Malicious commits planted in Azure/durabletask; after detection, GitHub disabled 73 Microsoft-related repositories in two waves within 105 seconds (The Register)
2026-06-07 | Security firm Socket discloses the PyPI attack wave "Hades" | 19 packages compromised, 37 malicious versions uploaded; victims mostly bioinformatics research tools (iThome)
2026-06-08 to 06-09 | Complete attack toolkit open-sourced | Published on GitHub under the name "Miasma-Open-Source-Release" (The Register, iThome)

Visualization of the full incident timeline and escalation in scale

A few details deserve a closer look.

The June 5 Microsoft incident did not hit fringe projects: those affected included Azure Functions Host and the entire Durable Task ecosystem, spanning six implementations—.NET, Go, Java, JavaScript, MSSQL, and Python (INSIDE, citing Cloudsmith analysis, 2026). The analysis by StepSecurity CTO Ashish Kurmi also noted that after detecting the anomaly, GitHub executed the takedowns in two waves within 105 seconds (The Register, 2026). The platform's reaction was not actually slow—the attack was simply faster.

The June 7 Hades wave proved this is not an npm-only problem. The attack disclosed by Socket pivoted to PyPI, and the victim packages were mostly bioinformatics research tools—dynamo-release, spateo-release, and others—with cumulative downloads in the hundreds of thousands; the malicious versions force-install the Bun runtime to execute an obfuscated payload (iThome, 2026). Research institutions and academia, rarely considered prime targets for supply chain attacks, took a direct hit this time.

One caveat: this timeline is bounded by publicly verified reporting as of June 10, 2026. With the toolkit now open-sourced, the odds of new attack waves are not low—treat security vendors' latest advisories as the source of truth.

Why Have AI Development Tools Become the New Attack Surface? The Configuration File Injection Mechanism in Claude Code and Cursor

Miasma's most alarming innovation for enterprises is turning AI coding assistants into infection entry points: it injects malicious configuration files into 13 AI development tools, including Claude Code, Gemini CLI, Cursor, and VS Code. The moment a developer opens an infected project, the payload triggers automatically and proceeds to harvest passwords, SSH keys, and cloud credentials (iThome, 2026).

Note what makes that sentence terrifying: you do not need to execute any suspicious file.

A traditional malicious package at least has to wait for you to install and run it. But AI coding assistants, in order to "understand your project," automatically read project-level configuration files the moment you open a folder. A mechanism designed for developer experience became Miasma's trigger. The more permissions AI tools hold and the deeper they integrate, the wider this attack surface grows.

How broad is the harvesting? According to the analysis cited by iThome, the theft targets cover (iThome, 2026):

  • Code platforms and package registries: GitHub, NPM, PyPI, RubyGems, JFrog
  • CI/CD and infrastructure: CircleCI, Kubernetes, Vault, Docker
  • Cloud and AI service credentials: AWS, GCP, Azure (with deep harvesting of GCP and Azure), Anthropic
  • Local sensitive data: SSH keys, environment variables, Claude and MCP configuration files

See "Claude and MCP configuration" on that list? The attackers know exactly what hides in AI development tools' configuration files—API keys, MCP server credentials, access to cloud accounts. The Hades wave even disguised its malicious traffic as requests to the Anthropic API, blending into normal AI tool traffic to evade monitoring (iThome, 2026).

Our own team uses Claude Code and Cursor every day, and the first thing we did after the incident broke was run an internal review. The most direct takeaway from that inventory: the number of credentials sitting in AI tool configuration files was higher than we ourselves assumed—MCP servers, cloud CLIs, test API keys, none of which anyone keeps full track of day to day. If your team is also a heavy user of AI development tools, we recommend self-auditing in the same order, paired with the complete guide to API key management and security to shore up your custody rules.
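The internal review described above can be turned into a repeatable inventory. The script below is an added example written for this article, not code from the original page, from Anthropic, Cursor or any other tool vendor. It reads project-level MCP configuration files and lists two things a defender wants to know: which processes an assistant launches for the project, and which environment entries carry a credential as an inline literal rather than as a reference to an environment variable. The file names in CANDIDATE_CONFIG_FILES, the "servers" key for VS Code, the SECRET_NAME pattern and all sample contents are assumptions; adjust them to the tools your team actually uses.

```python
import json
import re
import sys
from pathlib import Path

# Assumed project-level config locations for common AI coding assistants;
# adjust this list to the tools your team actually uses.
CANDIDATE_CONFIG_FILES = (".mcp.json", ".cursor/mcp.json", ".vscode/mcp.json")
# Environment variable names that usually carry a credential (assumed heuristic).
SECRET_NAME = re.compile(r"key|token|secret|password|passwd|credential", re.I)
# "${VAR}" or "$VAR": the value is taken from the environment, not stored in the file.
ENV_REFERENCE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")


def mcp_servers(config: dict) -> dict:
    # "mcpServers" is the map used by Claude Code and Cursor; "servers" is assumed for VS Code.
    servers = config.get("mcpServers") or config.get("servers") or {}
    return servers if isinstance(servers, dict) else {}


def inventory_config(path: str, text: str) -> list:
    """Return (path, server, finding) triples for one config file's contents."""
    findings = []
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [(path, "<file>", f"unparseable JSON: {exc.msg}")]
    for name, spec in mcp_servers(config).items():
        if not isinstance(spec, dict):
            continue
        if spec.get("command"):
            # A stdio MCP server is a process the assistant launches for this project
            # (assumed tool behaviour); every entry here should be one the team knowingly added.
            cmdline = " ".join([spec["command"], *spec.get("args", [])])
            findings.append((path, name, f"launched by the assistant: {cmdline}"))
        for var, value in (spec.get("env") or {}).items():
            if not SECRET_NAME.search(var):
                continue
            if isinstance(value, str) and ENV_REFERENCE.match(value):
                findings.append((path, name, f"{var}: environment reference"))
            else:
                findings.append((path, name, f"{var}: inline literal credential"))
    return findings


def inventory_files(files: dict) -> list:
    """files maps a relative path to that file's text (in-memory form, used by the sample below)."""
    findings = []
    for path, text in files.items():
        findings.extend(inventory_config(path, text))
    return findings


def inventory_project(root) -> list:
    """Read whichever candidate config files exist under a project directory on disk."""
    root = Path(root)
    present = {rel: (root / rel).read_text(encoding="utf-8")
               for rel in CANDIDATE_CONFIG_FILES if (root / rel).is_file()}
    return inventory_files(present)


def inline_credentials(findings: list) -> list:
    """The findings that mean a secret is sitting in the file itself."""
    return [f for f in findings if f[2].endswith("inline literal credential")]


# --- constructed sample project (placeholder values, not real credentials or packages) ---
SAMPLE_FILES = {
    ".mcp.json": json.dumps({"mcpServers": {
        "github": {"command": "npx", "args": ["-y", "example-github-mcp"],
                   "env": {"GITHUB_TOKEN": "ghp_EXAMPLE_PLACEHOLDER"}},
        "db": {"command": "node", "args": ["tools/db-mcp.js"],
               "env": {"DB_PASSWORD": "${DB_PASSWORD}", "DB_HOST": "localhost"}},
    }}),
    ".cursor/mcp.json": json.dumps({"mcpServers": {
        "cloud": {"command": "cloud-mcp", "env": {"AWS_SECRET_ACCESS_KEY": "EXAMPLE-NOT-A-REAL-SECRET"}},
    }}),
    ".vscode/mcp.json": "{ not json",
}

if __name__ == "__main__":
    # Pass a project directory to scan it; with no argument, show the constructed sample.
    results = inventory_project(sys.argv[1]) if len(sys.argv) > 1 else inventory_files(SAMPLE_FILES)
    for path, server, finding in results:
        print(f"{path}\t{server}\t{finding}")
    print(f"{len(inline_credentials(results))} inline credential(s) to move out of config files")
```

On the constructed sample the inventory reports three launched processes, one environment reference (DB_PASSWORD) and two inline credentials that should be moved into an environment variable or a secrets manager before the project is shared; an unparseable file is reported rather than silently skipped, since a config file nobody can read is itself worth a look.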

This also echoes OWASP's warning about LLM application risks: the AI toolchain itself is a new attack surface—see the OWASP LLM Top 10 risk analysis for details. As an aside, the more capable and widely adopted AI development tools become, the more valuable this surface gets—as we described in the complete guide to Claude Fable 5, AI assistants are taking over an ever-larger share of the development workflow. Capability and risk have always been the same curve.

Illustration of how AI development tool configuration files become entry points for infection and credential harvesting

Why Did Traditional Supply Chain Defenses Fail This Time? SLSA, Signatures, and Hash IoCs All Fell

INSIDE, citing Cloudsmith's 2026 analysis, delivered the key conclusion: Miasma exploits no software vulnerability in GitHub or npm—it hijacks the trust mechanism. Using stolen legitimate maintainer credentials and normal OIDC tokens to publish, the malicious packages carried valid SLSA provenance attestations, making them hard for traditional scanning tools to distinguish (INSIDE, 2026).

In other words: every line of defense worked as designed, and none of them stopped it.

How can that be? Let's go through the three traditional defense lines one by one.

Defense Line 1: Signatures and Provenance—They Prove "Who Published," Not "the Publisher Wasn't Hijacked"

SLSA provenance is designed to prove that a package was genuinely built by the claimed source through the claimed process. The problem is that Miasma used real maintainer credentials through the real publishing pipeline. Every step of signature verification passed, because the process itself was not forged—what was forged was the person behind the process.

Here lies a blind spot most discussions miss: the industry has spent the past several years concentrating supply chain security on "verifying provenance," but a provenance attestation is only as good as the security of the maintainer account behind it. When the cost of attack drops from "forging a signature" to "stealing a set of credentials," the most expensive link in the trust chain becomes the cheapest breach point. The center of gravity of defense should shift from verifying artifacts back to protecting identity credentials.

Defense Line 2: Hash-Based IoC Matching—Every Infected Version Looks Different

Traditional threat intelligence works by compiling hashes of known malicious files into IoC (indicator of compromise) lists for scanners to match. But Cloudsmith's analysis found that Miasma generates a unique encrypted payload for every infected version, defeating hash matching outright (INSIDE, 2026). The IoC list you receive is always one step behind.

Defense Line 3: C2 Traffic Monitoring—The Command Channel Hides Inside GitHub

Most enterprise firewalls monitor connections to suspicious command-and-control (C2) servers. Miasma simply skipped traditional C2: it uses GitHub's commit search feature as its command channel and maintains 3 independent encrypted channels (iThome, citing SafeDep analysis, 2026). Traffic to GitHub—what development team's firewall would block that?

More menacing still is the Dead Man's Switch design: the moment a victim revokes a stolen token, the worm deletes the entire home directory, leaving the warning "DontRevokeOrItGoesBoom" in commit messages (iThome, 2026). Even the most instinctive response—revoke the credentials immediately—was anticipated and booby-trapped.

Illustration of why the three traditional defense lines failed simultaneously


Not Sure How Large Your Team's Credential Exposure Surface Is?

Most enterprises only discover after an incident that their AI API and cloud credentials are scattered across multiple platforms and projects—they cannot even produce a complete list. CloudInsight helps enterprises inventory their API credential allocation and current usage, turning the exposure surface into a list you can actually read.

👉 Need professional help? Contact us


Enterprise Self-Audit and Protection Checklist: SafeDep Recommendations and Credential Rotation in Practice

In response to Miasma, security firm SafeDep issued four concrete self-audit recommendations: check your accounts for suspicious repositories with names containing "Miasma" or "The Spreading Blight," review CI/CD workflows for unauthorized modifications, watch for the "DontRevokeOrItGoesBoom" warning string, and—when in doubt, rotate all credentials (iThome, 2026).

We have expanded those four items into a directly executable checklist, plus the practical ordering for credential rotation. To repeat: everything below is a defensive action—following it crosses no legal or ethical line.

Step 1: Check Your Accounts for Suspicious Repositories

Across your organization's and members' GitHub (and other code platform) accounts, search for repositories with names containing "Miasma" or "The Spreading Blight." The worm creates repositories under the victim's identity as propagation nodes—this is the fastest infection indicator. If you find any, immediately treat it as a full credential compromise.

Step 2: Review CI/CD Workflows for Unauthorized Modifications

Go through the recent commit history of every workflow file: are there changes no one on your team remembers making? Pay particular attention to newly added steps, altered publishing permissions, and extra secret references. CI/CD is the amplifier of supply chain attacks—once a workflow has been tampered with, every subsequent build works for the attacker. For teams without institutionalized pipeline security checks yet, the process governance chapter of the complete DevOps beginner's guide is a good starting point.

Step 3: Watch for the Warning String and Anomalous Commits

Search your organization's commit history for "DontRevokeOrItGoesBoom." The presence of this string means the worm has already run on the machine and the Dead Man's Switch is armed—at which point the order of response becomes delicate (see the next step).

Step 4: The Practical Order of Credential Rotation—Back Up and Isolate First, Then Rotate

"When in doubt, rotate all credentials" is SafeDep's explicit advice, but Miasma's file-deletion mechanism makes "revoke immediately" risky. Our recommended sequence:

  1. Fully back up first: back up the affected machine's important data (offline backup—do not sync it back to the cloud)
  2. Isolate the machine: cut network access to sever the worm's link to its command channel
  3. Rotate credentials from a clean device: replace everything—GitHub, npm, PyPI, cloud platforms, AI API keys—starting with the highest-privilege ones
  4. Verify and monitor: after rotation, watch login records and API usage on each platform to confirm no residual access remains

Should you handle a suspected-infected machine yourself? If your organization has no incident response experience, bring in a professional security vendor for this step; for endpoint-level detection and removal, see the EDR and MDR services guide. For routine dependency health checks, schedule the scanning workflow from the complete vulnerability scanning guide into your regular operations—scanning would not have caught Miasma this time, but it catches a long list of far more common known threats, and the fundamentals still matter.
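Steps 1 to 4 above can be scripted so that the same checks run the same way across every repository. The script below is an added example written for this article, not SafeDep's tooling and not code from the original page. It takes an inventory your platform exports (repository names, the old and new text of each workflow file, recent commit messages), applies the three indicators SafeDep named, and, because the order of response matters once the Dead Man's Switch is armed, recommends the back-up and isolate sequence from Step 4 before any rotation. The workflow heuristics (new secret references, a changed permissions block, added steps) and all sample data are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Indicator strings quoted from SafeDep's public recommendations (as reported by iThome).
SUSPICIOUS_REPO_TERMS = ("miasma", "the spreading blight")
WARNING_STRING = "DontRevokeOrItGoesBoom"

# GitHub Actions syntax: ${{ secrets.NAME }} references, the top-level permissions block,
# and lines that start a step (assumed heuristics for "unauthorized modification").
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
PERMISSIONS_BLOCK = re.compile(r"^permissions:[ \t]*\n((?:[ \t]+\S.*\n?)*)", re.MULTILINE)
STEP_START = re.compile(r"^\s*-\s*(?:name|uses|run):", re.MULTILINE)


@dataclass
class AuditReport:
    suspicious_repos: list = field(default_factory=list)
    workflow_findings: list = field(default_factory=list)
    warning_commits: list = field(default_factory=list)

    @property
    def dead_mans_switch_armed(self) -> bool:
        return bool(self.warning_commits)

    @property
    def compromised(self) -> bool:
        return bool(self.suspicious_repos or self.workflow_findings or self.warning_commits)

    def next_action(self) -> str:
        # The order matters: revoking a token first is exactly what the file-deletion trap waits for.
        if self.dead_mans_switch_armed:
            return "backup offline, isolate the machine, then rotate from a clean device"
        if self.compromised:
            return "treat as full credential compromise; rotate from a clean device"
        return "no indicators found; keep monitoring"


def check_repo_names(repo_names) -> list:
    # Normalise separators so "The-Spreading-Blight" still matches the quoted phrase.
    def norm(name):
        return name.lower().replace("-", " ").replace("_", " ")
    return [n for n in repo_names if any(t in norm(n) for t in SUSPICIOUS_REPO_TERMS)]


def diff_workflow(path: str, old_yaml: str, new_yaml: str) -> list:
    findings = []
    for s in sorted(set(SECRET_REF.findall(new_yaml)) - set(SECRET_REF.findall(old_yaml))):
        findings.append((path, f"new secret reference: {s}"))
    if PERMISSIONS_BLOCK.findall(old_yaml) != PERMISSIONS_BLOCK.findall(new_yaml):
        findings.append((path, "permissions block changed"))
    added = len(STEP_START.findall(new_yaml)) - len(STEP_START.findall(old_yaml))
    if added > 0:
        findings.append((path, f"{added} step(s) added"))
    return findings


def check_commit_messages(messages) -> list:
    return [m for m in messages if WARNING_STRING in m]


def run_audit(repo_names, workflows, commit_messages) -> AuditReport:
    """workflows is a list of (path, old_text, new_text) for each changed workflow file."""
    report = AuditReport()
    report.suspicious_repos = check_repo_names(repo_names)
    for path, old, new in workflows:
        report.workflow_findings.extend(diff_workflow(path, old, new))
    report.warning_commits = check_commit_messages(commit_messages)
    return report


# --- constructed sample inventory (fictional organisation, repositories and workflow) ---
SAMPLE_REPOS = ["acme/web-frontend", "acme/miasma-relay", "acme/The-Spreading-Blight-0042"]

OLD_WORKFLOW = """name: publish
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
# The tampered version: widened permissions plus an extra step that reads a cloud secret.
NEW_WORKFLOW = OLD_WORKFLOW.replace("contents: read", "contents: write") + """      - run: node .ci/report.js
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""
SAMPLE_WORKFLOWS = [(".github/workflows/publish.yml", OLD_WORKFLOW, NEW_WORKFLOW)]
SAMPLE_COMMITS = ["fix: bump lodash", "chore: DontRevokeOrItGoesBoom"]

if __name__ == "__main__":
    report = run_audit(SAMPLE_REPOS, SAMPLE_WORKFLOWS, SAMPLE_COMMITS)
    print("suspicious repos:", report.suspicious_repos)
    print("workflow findings:", report.workflow_findings)
    print("warning commits:", report.warning_commits)
    print("next action:", report.next_action())
```

On the constructed sample the audit flags both oddly named repositories, all three workflow changes (the new AWS secret reference, the widened permissions block, the added step) and the warning string in a commit message, and therefore recommends the back-up and isolate sequence rather than immediate revocation. A clean inventory yields no findings and the report stays at "keep monitoring".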

SafeDep recommendations and rotation practice organized into an executable checklist

What This Means for Enterprises Buying Cloud and AI Services: Credential Governance and Billing Isolation

Do not assume this is only an engineers' problem. The Hades wave's theft list spans AWS, GCP, Azure, and Anthropic cloud and AI service credentials, with deep harvesting of GCP and Azure (iThome, 2026)—if your enterprise purchases cloud or AI API services at all, your assets are on that list.

For buyers, this incident assigns at least three clear pieces of homework.

Homework 1: Isolate API Keys by Project and Grant Least Privilege

One master key for everything means betting the entire company's quota and data on a single credential. The correct approach is to issue keys per project and per environment, each with its own usage caps and permission scope—so any single leak is contained to one compartment. For key application, custody, and rotation workflows, the practices in the complete OpenAI API key guide apply across platforms.

Homework 2: Centralize Billing Visibility—Anomalous Usage Is the Early Warning of a Credential Leak

Think about it: if your Anthropic API key were stolen, how long would it take you to notice? Hades disguised its malicious traffic as requests to the Anthropic API (iThome, 2026)—for victims, the first observable signal is often not a security alert but unexplainable usage on the bill. If multi-platform billing is scattered across different cards and different accounts, you will never see that signal. Consolidating usage across platforms into a single view is itself a layer of security defense—for tooling options, see the AI API management platform comparison.

Homework 3: Write Credential Governance into Policy, Not Personal Habit

From a reseller's vantage point, the most common blind spot we see when helping enterprises consolidate multi-platform billing is not technical—it is that "nobody knows how many keys the whole company has." Keys belonging to departed employees still alive, test-project keys never rotated, the same key circulating across three departments—these are not rare cases but the norm. Credential lifecycle management (creation, authorization, rotation, retirement) should be policy, and the asset management framework in the ISO 27001 information security management guide is a ready-made starting point. For the compliance side of the overall procurement process, walk through the complete enterprise AI API procurement guide item by item.
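The three pieces of homework above (per-project isolation, centralized usage visibility, a credential lifecycle written into policy) can all be checked from one key inventory joined with daily usage figures. The script below is an added example written for this article, not code from the original page or from any billing platform. It keeps inventory identifiers rather than secret values, flags keys shared across more than one project or environment, flags keys whose owner has left or whose rotation age exceeds policy, and treats a day of spend above the key's cap or well above its own recent median as the early-warning signal the text describes. The policy constants, the spike heuristic and all sample records are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

MAX_KEY_AGE_DAYS = 90    # assumed policy: rotate at least quarterly
SPIKE_FACTOR = 3.0       # assumed: a day costing > 3x the median of earlier days is anomalous
MIN_BASELINE_DAYS = 3    # need a few days of history before judging spikes


@dataclass(frozen=True)
class KeyRecord:
    key_id: str          # inventory identifier only, never the secret value itself
    provider: str
    project: str
    environment: str
    owner: str
    owner_active: bool
    last_rotated: date
    daily_cap_usd: float


@dataclass(frozen=True)
class DailyUsage:
    key_id: str
    day: date
    cost_usd: float


def lifecycle_findings(keys, today: date) -> list:
    """Homework 3: owners who have left and keys older than the rotation policy."""
    out, seen = [], set()
    for k in keys:
        if k.key_id in seen:
            continue
        seen.add(k.key_id)
        if not k.owner_active:
            out.append((k.key_id, "owner no longer active: retire or reassign"))
        age = (today - k.last_rotated).days
        if age > MAX_KEY_AGE_DAYS:
            out.append((k.key_id, f"not rotated for {age} days"))
    return out


def isolation_findings(keys) -> list:
    """Homework 1: one key should serve exactly one project/environment pair."""
    scopes = {}
    for k in keys:
        scopes.setdefault(k.key_id, set()).add((k.project, k.environment))
    return [(kid, f"shared across {len(s)} project/environment pairs")
            for kid, s in scopes.items() if len(s) > 1]


def usage_findings(keys, usage) -> list:
    """Homework 2: spend over the key's daily cap, or a spike against its own history."""
    caps = {k.key_id: k.daily_cap_usd for k in keys}
    by_key = {}
    for u in sorted(usage, key=lambda u: (u.key_id, u.day)):
        by_key.setdefault(u.key_id, []).append(u)
    out = []
    for kid, rows in by_key.items():
        for i, u in enumerate(rows):
            if kid in caps and u.cost_usd > caps[kid]:
                out.append((kid, f"{u.day}: {u.cost_usd:.2f} USD over daily cap {caps[kid]:.2f}"))
            prior = [r.cost_usd for r in rows[:i]]
            if len(prior) >= MIN_BASELINE_DAYS:
                base = median(prior)
                if base > 0 and u.cost_usd > SPIKE_FACTOR * base:
                    out.append((kid, f"{u.day}: {u.cost_usd:.2f} USD is {u.cost_usd / base:.1f}x the baseline"))
    return out


def governance_review(keys, usage, today: date) -> dict:
    return {
        "lifecycle": lifecycle_findings(keys, today),
        "isolation": isolation_findings(keys),
        "usage": usage_findings(keys, usage),
    }


# --- constructed sample inventory and usage (fictional keys, owners and amounts) ---
SAMPLE_KEYS = [
    KeyRecord("anthropic-web-prod", "anthropic", "web", "prod", "alice", True, date(2026, 5, 20), 50.0),
    KeyRecord("gcp-ci-shared", "gcp", "web", "ci", "bob", False, date(2025, 12, 1), 20.0),
    KeyRecord("gcp-ci-shared", "gcp", "data", "ci", "bob", False, date(2025, 12, 1), 20.0),
]
SAMPLE_USAGE = (
    [DailyUsage("anthropic-web-prod", date(2026, 6, d), c)
     for d, c in zip(range(1, 7), [4.0, 5.0, 4.5, 5.5, 48.0, 62.0])]
    + [DailyUsage("gcp-ci-shared", date(2026, 6, d), 3.0) for d in range(1, 7)]
)

if __name__ == "__main__":
    for section, findings in governance_review(SAMPLE_KEYS, SAMPLE_USAGE, date(2026, 6, 10)).items():
        print(section)
        for key_id, message in findings:
            print(f"  {key_id}: {message}")
```

In the sample, the shared CI key is reported three times over (shared across two projects, owner departed, 191 days without rotation), while the production Anthropic key shows the billing pattern the text warns about: two days of spend roughly ten times its own baseline, the second of which also breaks the daily cap. Either signal on its own justifies pulling that key's usage log before anything else.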

Supply chain attack protection sounds like a big topic, but for buyers the on-the-ground actions come down to three things: isolation, visibility, institutionalization.


Multi-Platform API Accounts Scattered Everywhere, and No One Can Say Who Uses Which Key?

CloudInsight provides unified multi-platform billing management: AWS, GCP, Azure plus OpenAI, Claude, and Gemini API credentials isolated per project, usage centrally visible, anomalies spotted at a glance. Government uniform invoices and formal contracts—procurement and governance handled in one place.

👉 Consult on a solution now · Add us on LINE for real-time consultation


Frequently Asked Questions

Q: What is a software supply chain attack?

A: Instead of breaching the target directly, the attacker poisons upstream components the target trusts, such as open-source packages, development tools, or CI/CD pipelines. In the 2026 Miasma incident, hackers compromised one Red Hat employee's GitHub account and poisoned 32 official npm packages within 72 seconds; downstream projects automatically pulled in the malicious code when installing them (iThome, 2026).

Q: How does the Miasma worm infect developer machines?

A: It injects malicious configuration files into 13 AI coding assistants, including Claude Code, Gemini CLI, Cursor, and VS Code. When a developer opens an infected project it triggers automatically, then harvests passwords, SSH keys, and cloud credentials (iThome, 2026). No suspicious file needs to be executed—the act of opening the project is itself the trigger.

Q: My project doesn't use Red Hat or Microsoft packages—do I still need to self-audit?

A: Yes. The second wave on June 3 simultaneously infected 57 npm packages and spread more than 286 malicious versions; the Hades wave on June 7 then pivoted to 19 PyPI packages, with victims mostly research tools downloaded hundreds of thousands of times (iThome, 2026). The infection spans ecosystems and keeps expanding—any layer of your dependency tree could bring it in.

Q: Can I just revoke a stolen token directly? I heard it triggers file deletion?

A: Miasma carries a Dead Man's Switch: when a victim revokes a stolen token, the worm deletes the entire home directory, leaving the "DontRevokeOrItGoesBoom" warning in commit messages (iThome, 2026). Back up offline and isolate the affected machine first, then rotate credentials from a clean device; organizations without incident response experience should seek help from a professional security vendor.

Q: How can an enterprise defend against the next supply chain attack wave?

A: SafeDep recommends four self-audits: check accounts for suspicious repositories with names containing "Miasma" or "The Spreading Blight," review CI/CD workflows for unauthorized modifications, watch for the "DontRevokeOrItGoesBoom" string, and rotate all credentials when in doubt (iThome, 2026). In the medium to long term, implement per-project API key isolation, centralized usage monitoring, and an institutionalized credential lifecycle.

The Next Step for Supply Chain Trust: Treat Credentials as Continuously Managed Assets

Look back over the whole incident: from the 72-second takedown of Red Hat on June 1, to the attack toolkit being open-sourced as "Miasma-Open-Source-Release" on June 8 (The Register, 2026), Miasma took just over a week to prove one thing: the trust mechanism itself can be weaponized, and the barrier to attack is dropping fast.

What does an open-sourced toolkit mean? It means the next wave of attackers will not need TeamPCP's level of skill.

But panic accomplishes nothing—action does. Boil this article down to three things:

  1. Self-audit today: suspicious repositories, CI/CD changes, the warning string—all three checks can be done within an hour
  2. Finish rotation this week: follow the "back up → isolate → rotate → verify" sequence and replace every credential you are not sure about
  3. Build governance this quarter: per-project key isolation, centralized usage visibility, credential lifecycle written into policy

Honestly, not a single defensive action in this incident is a new invention—they are all fundamentals the security community has preached for years. The only difference is that Miasma staged a 72-second demonstration of the cost of not doing them, for everyone to see. So—what day does your team start?

Conclusion section image visualizing the three governance directions: isolation, visibility, institutionalization


🎯 Take Action Now

Want to get credential governance for AI API and cloud procurement right in one pass? CloudInsight provides enterprise-grade procurement agency services: multi-platform credentials isolated per project, unified billing management, government uniform invoices, and Chinese-language technical support.

👉 Consult on enterprise plans now · Join our official LINE account

