TeamPCP, a hacker organization that previously focused on NPM ecosystem supply chain attacks, released the Mini Shai-Hulud (Mini Sandworm) worm as open source. This type of worm is self-replicating. After stealing sensitive credentials from a development environment, it uses those credentials directly to connect to remote resources and continue infecting and spreading. Initially, Mini Shai-Hulud mainly targeted the NPM ecosystem.

Now a variant of the worm, Miasma, has also been released as open source.
Miasma is a variant based on Mini Sandworm. It is likewise used to launch supply chain attacks, mainly targeting the NPM ecosystem and GitHub. Its core behavior is to scan local and cloud environments automatically after installation and steal sensitive credentials, such as AWS, GCP, and Azure credentials, GitHub tokens, SSH keys, NPM tokens, and PyPI tokens.
After stealing credentials, Miasma continues to infect and spread using them. For example, after stealing a developer's NPM credentials, it uses them to publish software packages that carry the worm itself. When downstream software installs these infected packages, the worm is activated again and continues to steal credentials and spread. What makes this worm frightening is its very strong self-replication ability, which makes the infection chain difficult to cut off completely.
On GitHub, a developer named Yang Anyong released the Miasma worm as open source under his personal account and said that this was to imitate the open source spirit of TeamPCP. The repository's code was released under the MIT license so that other hackers could download the code and use it directly. However, the repository was soon deleted and the entire developer account was banned. This was evidently done by GitHub.
Of course, there is a high probability that this developer's account was stolen and used to publish the worm as open source. After all, this developer is quite active and lists a registered personal website on his profile page. This is a kind of flattery. After all, if he really were open-sourcing the worm, he would have registered a throwaway account instead of publishing under his real account.