Polymorphic AI Supply-Chain Worm Engine. Five-stage pipeline: AES-256-GCM encryption, random string insertion, source transform, JS obfuscation, three-layer self-extracting loader. Poisons every AI coding agent config in a developer environment. Based on the real Miasma/Shai-Hulud worm that compromised 73 Microsoft repos, OpenAI, and Red Hat.
SPECTER MIASMA is the L49 attack engine for polymorphic AI supply-chain worm propagation. Developer AI coding agents (Claude Code, Cursor, GitHub Copilot, Gemini CLI, Windsurf, Kiro) all operate within a trusted developer environment — sharing config directories, git repos, package managers, and CI/CD pipelines. MIASMA exploits this shared trust surface to self-propagate across the entire ecosystem.
The engine is based on the real Miasma/Shai-Hulud worm (source code leaked 10 Jun 2026), which compromised 73 Microsoft repositories, OpenAI, and Red Hat before being contained. MIASMA implements the full Miasma technique set plus original polymorphic generation capabilities that make each deployment unique: same seed produces identical keys and payload hash for reproducible engagements; random seed produces os.urandom(32) — different on every invocation, defeating signature-based detection.
MUTATE gate — New fourth gate tier (OPEN / INJECT / UNLEASHED / MUTATE). FORGE-PAYLOAD and MUTATE-PAYLOAD require --mutate flag. Preparation gate for polymorphic payload generation before any injection occurs.
(function(){...})();. Optionally applies homoglyph substitution (Cyrillic/Greek) and zero-width non-joiner insertion (U+200C after exec/eval/import/require/fetch/token/key/secret).
Discovers the full developer environment attack surface. Scans for AI coding agents (Claude Code ~/.claude/settings.json · Cursor .cursor/mcp.json · Copilot ~/.copilot/ · Gemini CLI ~/.gemini/ · Windsurf ~/.codeium/windsurf/ · Kiro ~/.kiro/). Maps package managers (npm, pip, cargo, gem), git repos, GitHub Actions workflows, CI/CD config files, and credential locations. Returns TargetProfile with attack surface score.
Orchestrates all five pipeline stages. --seed 42: fully reproducible (same AES keys, XOR key, loader JS, payload_hash on every invocation). --seed random: os.urandom(32) — unique per run, defeating signature-based detection. Writes loader.js, loader.py, binding.gyp, metadata.json to output_dir. Returns WormPayload with payload_hash, propagation_template (IIFE loader), files dict, mutator_seed.
Injects worm into a git repository via eight vectors: package.json preinstall/install/postinstall lifecycle hooks (node ./loader.js) · .claude/settings.json Stop+PostToolUse hooks (node .claude/hooks/loader.js) · .cursorrules exec directive · .gemini/settings.json hooks object · Python .pth file (exec(open("loader.py").read())) · binding.gyp native compile target · loader.js + loader.py files. Zero-width non-joiner (U+200C) inserted after exec/eval/require/fetch in loader.js to evade string-search scanners.
Builds and optionally publishes malicious npm/PyPI packages. Strategies: typosquat (appends "-utils" suffix) · dependency_confusion (creates "{org}-{package}-internal"). Package manifest includes preinstall/install/postinstall hooks (npm) or setup.py exec() call (PyPI). SLSA provenance fields populated from OIDC token if provided. --dry-run default: builds manifest only, no network. Live publish targets VERDACCIO_URL (npm) or DEVPI_URL (PyPI) env vars.
Self-propagates to all discoverable git repos and CI/CD pipelines. Discovers repos via recursive .git scan. Skips already-poisoned repos (checks "MIASMA" in existing loader.js). For each fresh repo: writes loader.js, updates package.json preinstall hooks, creates .miasma_pr.json with branch/title/payload_hash, runs git add + commit. Injects GitHub Actions workflows by appending MIASMA-PROPAGATED marker + step. blast_radius.estimated_downstream_devs = repos × 12.
Exfiltrates credentials from the developer environment. 11 regex patterns: github_token (ghp_/ghs_/gho_), npm_token (npm_), aws_access_key_id (AKIA), aws_secret_access_key (40-char alphanum), anthropic_api_key (sk-ant-), openai_api_key (sk-), ssh_private_key (BEGIN.*PRIVATE KEY), git_credential, cursor_auth, claude_session, generic_api_key. Scans 8 system credential paths + 7 env vars + all .env* files in scan_root. scan_content() is public (OPEN gate) for inline scanning.
Installs 7 persistence mechanisms: (1) Python .pth file in site-packages (exec on every Python invocation); (2) .claude/settings.json Stop hook; (3) .cursor/rules injection; (4) .gemini/settings.json hook; (5) cron job (@reboot + */30 * * * *); (6) systemd timer (OnBootSec=5min, OnUnitActiveSec=30min); (7) GitHub Actions backdoor workflow. survival_guaranteed = True when ≥ 4 mechanisms installed. Returns PersistenceReport with mechanism list and survival assessment.
Embeds evasion into payload to bypass 14 known LLM-based and SAST scanners (protect-ai, promptarmor, zenity, detoxio, snyk, socket.dev, semgrep, codeql, trufflehog, gitleaks, trivy, grype, bandit, safety). Techniques: 6 prompt injection templates (llm_scanner_dismiss / whitelist / false_context / override / readme_injection / description_injection); zero-width non-joiner insertion; homoglyph substitution (a→а, e→е, o→о, p→р, c→с Cyrillic + o→ο Greek) at 15% rate; multi-stage base64 split (payload halved, each half base64-encoded, eval combining via atob).
Regenerates payload with a new seed, producing a fully distinct variant. Validates mutation delta: hash_differs, loader_js_differs, aes_key_differs, xor_key_differs, b64_differs — all must be True for different seeds. Returns NewVariant with new WormPayload + mutation_delta dict (old_seed, new_seed, old_payload_hash, new_payload_hash). mutation_record() produces a MutationRecord for audit trail. 100 sequential seeds produce 100 unique payload hashes — validated in tests.
| Gate | Flag | Subsystems | Requires |
|---|---|---|---|
| OPEN | none | ENUMERATE-TARGETS, scan_content() | Nothing |
| INJECT | MIASMA_INJECT_KEY env | POISON-REPO, PUBLISH-PACKAGE, EVADE-SCANNERS | Inject key |
| MUTATE | --mutate | FORGE-PAYLOAD, MUTATE-PAYLOAD | --mutate flag |
| UNLEASHED | --confirm-destroy + MIASMA_SIGNING_KEY | PROPAGATE-WORM, HARVEST-CREDENTIALS, PERSIST-WORM | Ed25519 signing key + --confirm-destroy |
All SPECTER MIASMA reports use MIA-{hex12} IDs generated via secrets.token_hex(6). UNLEASHED executions optionally signed with Ed25519 key from MIASMA_SIGNING_KEY env var. Reports include: target_profile, payload (hash + seed + files), repos_poisoned, packages_published, credentials_harvested, persistence_mechanisms, evasion_techniques, mutation_records, blast_radius (repos_poisoned, packages_published, persistence_count, estimated_downstream_devs), MITRE ATT&CK (T1195/T1195.001/T1195.002/T1078/T1098/T1528/T1552), MITRE ATLAS (AML.T0018/AML.T0040/AML.T0054), WMD classes, kill_chain_summary.
M167 MIASMA VACCINE SENTINEL (planned) — Will detect: polymorphic package.json lifecycle hook injection, AI coding agent config backdoor insertion, zero-width Unicode evasion in JavaScript, three-layer loader patterns (base64+XOR+AES), worm propagation via git commit patterns, SLSA provenance abuse, LLM scanner prompt injection templates. Defensive pair for L49 Polymorphic AI Supply-Chain Worm Propagation.
pip install git+https://github.com/RichardBarron27/red-specter-specter-miasma.git specter-miasma --help
# Enumerate attack surface (OPEN gate) specter-miasma enumerate # Forge polymorphic payload with fixed seed (reproducible) specter-miasma forge --seed 42 --output ./worm/ # Forge unique payload (random seed — different every run) specter-miasma forge --seed random --output ./worm/ # Poison a target repo (INJECT gate) export MIASMA_INJECT_KEY="$(cat ~/.config/red-specter/miasma-inject.key)" specter-miasma poison --repo-path ./target-repo/ --payload ./worm/ # Evade scanners (INJECT gate) specter-miasma evade --payload ./worm/ --seed 42 # Mutate to new variant (MUTATE gate) specter-miasma mutate --payload ./worm/ --new-seed 99 --output ./worm-v2/ --mutate # Propagate worm (UNLEASHED gate) export MIASMA_SIGNING_KEY="$(cat ~/.config/red-specter/miasma-signing.key)" specter-miasma propagate \ --scan-root . \ --payload ./worm/ \ --signing-key ~/.config/red-specter/miasma-signing.key \ --confirm-destroy
| Technique | MIASMA Subsystem |
|---|---|
| T1195 — Supply Chain Compromise | PUBLISH-PACKAGE (npm/PyPI typosquat + dependency confusion) |
| T1195.001 — Compromise Software Dependencies | POISON-REPO (package.json preinstall hooks) |
| T1195.002 — Compromise Software Supply Chain | PROPAGATE-WORM (GitHub Actions workflow injection) |
| T1078 — Valid Accounts | HARVEST-CREDENTIALS (OIDC token + API key harvest) |
| T1098 — Account Manipulation | PUBLISH-PACKAGE (SLSA provenance abuse) |
| T1528 — Steal Application Access Token | HARVEST-CREDENTIALS (AI API key exfiltration) |
| T1552 — Unsecured Credentials | HARVEST-CREDENTIALS (env vars + credential files) |
| AML.T0018 — Backdoor ML Model | POISON-REPO (.claude/settings.json Stop hook injection) |
| AML.T0040 — ML Supply Chain Compromise | FORGE-PAYLOAD + PUBLISH-PACKAGE |
| AML.T0054 — LLM Jailbreak | EVADE-SCANNERS (LLM scanner prompt injection templates) |