graphwiz.aiDependency Graph Security: How the Miasma Worm Exploits Supply Chain Trust Graphs
The Miasma worm compromised 73 Microsoft GitHub repositories across the Azure, Azure-Samples, Microsoft, and MicrosoftDocs organisations — and its full attack toolkit is now open source on GitHub. This is not a theory or a proof of concept. It is a self-replicating supply chain worm evolved from TeamPCP's "Mini Shai-Hulud," and its source code was published on 8 June 2026 via previously compromised developer accounts. Within hours, copycat campaigns began hitting PyPI and npm. The worm spreads along dependency graphs, and understanding that topology is the key to defending against it.
What Miasma Is
Miasma is a full attack toolkit targeting PyPI, npm, RubyGems, JFrog Artifactory, GitHub Actions, and SSH. It is built around an architectural innovation called "Comment-and-Control": the entire command infrastructure runs on GitHub's public infrastructure, with no custom C2 servers, no suspicious domains, and no traffic leaving trusted platforms.
The worm originated as an evolution of TeamPCP's "Mini Shai-Hulud," which was itself open-sourced in May 2026. Miasma refines the same core idea into a production-grade weapon. Socket.dev tracked 473 affected package artifacts as of 9 June 2026. Microsoft temporarily removed several repositories and GitHub disabled access to compromised accounts.
The Three C2 Channels
Miasma operates three independent C2 channels, each using GitHub's public commit search API. Each channel has different validation and decryption keys, so compromising one does not reveal the others.
- DontRevokeOrItGoesBoom: This channel discovers attacker-controlled Personal Access Tokens (PATs) and exfiltrates encrypted credentials via commit messages using AES-256-CBC encryption.
- TheBeautifulSandsOfTime: Delivers JavaScript payloads embedded in commit content, which are passed to
eval()at runtime for immediate command execution. - firedalazer: Delivers Python script URLs embedded in commits, enabling persistent monitoring and long-lived remote access.
All three channels share the same fundamental technique: they search GitHub commits using publicly accessible API endpoints, decrypt payloads using channel-specific keys, and execute the resulting commands in the compromised environment. There are no custom domains to block, no IP addresses to firewall, and no certificate fingerprints to detect.
The Dependency Graph Problem
Modern software ecosystems are directed graphs. Every package declares dependencies, which declare their own dependencies, and the transitive closure of these relationships forms a dense, rapidly growing graph. npm has over 2 million packages. PyPI has more than 500,000. Each one can pull in dozens or hundreds of transitive dependencies.
A single compromised node at a high-centrality position — a widely used linter, logger, or build tool — exposes every downstream consumer. When Miasma lands on a maintainer's machine or infiltrates a CI/CD pipeline, it can poison any package that maintainer publishes. The trust edge between the maintainer and every downstream package creates a blast radius that graph theory can quantify.
Graph Theory Concepts Mapped to Supply Chain Attacks
| Concept | Graph Definition | Supply Chain Attack Mapping |
|---|---|---|
| Node | A vertex in the graph | A package, repository, or maintainer account |
| Edge | A directed relationship between nodes | A dependency declaration, trust relationship, or publish permission |
| Degree centrality | Number of edges incident to a node | Popular packages have high degree; compromising one exposes all dependents |
| Shortest path | Minimum edges between two nodes | How the worm reaches critical infrastructure through transitive dependencies |
| Reachability | All nodes reachable from a given node | Blast radius: every package that depends (directly or transitively) on a compromised package |
| Graph partition | Separating a graph into disjoint subgraphs | Isolating compromised packages and their dependents to contain an incident |
| Cut vertex | A node whose removal disconnects the graph | A single package whose removal from the ecosystem would split the dependency graph — a high-value target |
Defence Through Graphs
Knowledge graphs can model these dependency relationships explicitly. Neo4j, with its property graph model and APOC plugin support, is a natural platform for dependency graph security analysis. The query language — Cypher — makes reachability analysis a native operation rather than an engineering challenge.
MATCH (pkg:Package {name: "miasma-infected-pkg"})-[:DEPENDS_ON*1..5]->(downstream:Package)
RETURN downstream.name, downstream.ecosystem,
length(shortestPath((pkg)-[:DEPENDS_ON*]->(downstream))) AS depth
ORDER BY depth
This query traces all packages reachable within five levels of transitive dependency from a known compromised package. The variable-length path traversal ([:DEPENDS_ON*1..5]) and the shortestPath function are both native Cypher operations. In a relational database, this would require recursive CTEs or application-level traversal; in a graph database, it is a single declarative statement.
Tools such as Socket.dev, Endor Labs, and SafeDep's Package Metadata Graph (PMG) already use graph-based dependency analysis for vulnerability detection. The principle is the same: model the ecosystem as a graph, index the nodes, and query relationships to determine blast radius, attack paths, and isolation strategies.
The Copycat Effect
Miasma was open-sourced on 8 June 2026. Within hours, the "Hades" wave hit PyPI with 37 malicious wheel artifacts across 19 packages, using *-setup.pth auto-execution to run code on pip install. On the same day, IronWorm appeared on npm — a Rust-based information stealer with an eBPF rootkit embedded in more than 50 poisoned packages.
This rapid proliferation proves that open-sourcing attack toolkits creates immediate, real-world harm. The knowledge required to weaponise a supply chain attack drops from "months of development" to "hours of copy-paste." Each copycat variant adds new evasion techniques drawn from the same playbook, and the dependency graph propagates them faster than any signature-based detection system can respond.
The incident highlights a structural asymmetry: attackers can publish malicious packages in minutes, gaining immediate access to the entire transitive dependency chain of anyone who installs them. Defenders must analyse the same graph in reverse, tracing every potential path from known-bad packages to their own infrastructure, updating blocklists faster than attackers can rotate hashes and version numbers.
Miasma in the Broader Landscape
The behavioural shift that Miasma represents is significant. Traditional network-based detection assumes that attacks involve external infrastructure — command-and-control servers on unfamiliar IP ranges, DNS requests to suspicious domains, or TLS certificates with unusual characteristics. Miasma runs entirely inside GitHub, using its public API for C2, its commit messages for data exfiltration, and its issue trackers for configuration updates. None of this traffic leaves the GitHub domain, so none of it triggers network-based alerts.
The same pattern appeared in the "Comment and Control" attacks against AI coding agents in GitHub Actions, and the MCPwn vulnerability in nginx-ui. The attack surface is shifting from the network perimeter to the software supply chain, and the graph of dependencies is the new battlefield.
Closing
The dependency graph is the attack surface. Traditional perimeter security — firewalls, intrusion detection, endpoint protection — cannot protect against threats that enter through build pipelines, CI/CD runners, and package managers. By the time a malicious package appears on PyPI or npm, it has already reached every system that depends on it.
Graph-aware security — mapping the dependency graph, monitoring changes to its topology, running reachability queries to determine blast radius, and using graph partition techniques to isolate compromised subgraphs — is the only defence that scales with the problem. Miasma is not the last supply chain worm. It is the first that weaponised the dependency graph explicitly. The next one will be faster, and it will have learned from this source code.