Miasma Worm Goes Open Source: What's Actually Inside It. Complete Analysis

cross-posted from: https://lemmy.world/post/47960526

The Miasma supply chain worm just went open source. Here's an analysis of it... Initial observations - 5-layer obfuscation, GitHub-as-C2, AI tool config hijacking, dead-man switches, and a self-perpetuating PAT flywheel.

Miasma Worm Goes Open Source: What's Actually Inside It. Complete Analysis

https://thecybersecguru.com/news/miasma-open-source-supply-chain-worm-analysis/Open link View original on lemmy.world

Comments2

wizzim

infosec.pub

Very interesting read! One thing I don't understand is this:

The ActionMutator targets custom GitHub Actions by force-pushing trojanized commits to their semver tags. Any downstream workflow that references uses: owner/action@v1 gets the compromised version next time it runs.

Does it mean we should not use Semver when referring to the actions? We should be using the action hash instead?

Or maybe the Semver with a version including the patch level?

WPSteam reply

lemmy.world

This but the thing is, until GitHub fixes it from their end (remember, it was already reported way back on 8th Oct, 2025), things like these will keep on happening