
Miasma and Hades: Self-Propagating Supply Chain Worms Hit npm, PyPI and Azure

In June 2026, two related supply chain worms, Miasma and Hades, swept through the npm and PyPI package ecosystems in campaigns lasting under two hours each, compromising dozens of packages, hundreds of malicious versions, and millions of monthly downloads. Unlike traditional supply chain attacks that exploit a single entry point, these worms propagated themselves: once installed on a developer machine, they searched for publishing credentials and used them to infect every package that token could publish. Each new victim became a new spreader. When the campaign reached Microsoft’s Azure GitHub organisations on 5 June, it spread across 73 repositories in under two minutes.

What Happened

The Miasma and Hades campaigns are the same threat actor operating across two ecosystems in rapid succession:

Miasma (npm) — 3 June 2026: The Miasma worm compromised 57 npm packages across more than 286 malicious versions in a rolling campaign lasting under two hours. The largest victim package was @vapi-ai/server-sdk with more than 408,000 monthly downloads. Once installed on a developer machine, Miasma searched for npm and PyPI publishing tokens and used them to republish infected versions of every package those tokens could publish.

Hades (PyPI) — 8 June 2026: Five days later, the same threat actor surfaced on PyPI as the Hades Campaign, compromising ensmallen and approximately two dozen related machine-learning and bioinformatics packages. Across the two campaigns, researchers counted hundreds of malicious artifacts in the two ecosystems.

Azure GitHub propagation — 5 June 2026: During the Miasma phase, the worm reached developer machines with access to Microsoft’s Azure GitHub organisations. It spread across 73 repositories in under two minutes, injecting malicious commits before being contained.

The campaigns coincided with, and are linked by tradecraft to, the JetBrains Marketplace AI plugin campaign (October 2025 to June 2026), in which 15 malicious IDE plugins stole AI API keys from nearly 70,000 developers. StepSecurity research identified the overlapping credential theft infrastructure and propagation patterns across all three campaigns.

How It Happened

The worm mechanism is what distinguishes Miasma and Hades from conventional supply chain attacks. A conventional supply chain attack compromises one entry point — a maintainer account, a build system, a dependency — and uses it to distribute malicious packages. A worm extends itself: it searches the environment of every machine it lands on for additional credentials, then uses those credentials to infect more packages, which infect more machines.

The infection cycle:

  1. A developer installs a compromised package from npm or PyPI
  2. The payload executes at install time and searches the developer’s machine for npm tokens, PyPI tokens, and GitHub credentials stored in environment variables, configuration files, or credential stores
  3. The payload uses those tokens to republish infected versions of every package they are authorised to publish
  4. Those republished packages infect the next developer who installs them
  5. Each new victim’s credentials extend the campaign’s reach to packages they can publish

The speed of propagation reflects the credential surface of modern developer machines. A developer working on multiple npm packages may hold a single token with publish rights across dozens of packages. That token, once stolen, immediately extends the worm’s reach to all of them simultaneously.

The Azure propagation event on 5 June is particularly significant. Microsoft’s Azure GitHub organisations are some of the most widely referenced repositories in the cloud development ecosystem. A developer with access to those organisations — a Microsoft contractor, a partner with repository access, a contributor with appropriate permissions — had the worm land on their machine, which then used their GitHub credentials to push malicious commits to 73 Microsoft Azure repositories in under two minutes.

Impact

The combined scope of Miasma and Hades across both ecosystems reached hundreds of millions of monthly downloads across the infected package population. The target credential classes were consistent across all three linked campaigns:

  • npm publishing tokens
  • PyPI publishing tokens
  • GitHub access tokens
  • Cloud provider credentials (AWS, Azure, GCP)
  • LLM API keys (OpenAI, Anthropic, DeepSeek, SiliconFlow)
  • CI/CD secrets

Every developer whose machine executed an infected package during the campaign window, and every system that consumed those packages in a CI/CD pipeline, represents a potential credential exposure event.

What This Means for NHI Governance

The Miasma/Hades campaigns introduce a new threat model to the supply chain NHI discussion: the self-propagating credential worm.

Traditional supply chain attacks exploit a single point of trust. The worm model means that the blast radius of a single initial compromise is not bounded by how many packages one compromised account can publish. It is bounded by how many credentials are accessible from the machines that install the compromised packages. On a developer machine in a large organisation, that can be dozens of tokens, keys, and credentials — each representing a separate non-human identity with a separate blast radius.

The campaigns also demonstrate the strategic coherence of the broader June 2026 developer ecosystem attack wave. Within a single month, the AI developer credential surface was attacked through four simultaneous vectors: the JetBrains Marketplace plugins (October 2025 to June 2026), the Miasma npm worm (3 June), the Hades PyPI worm (8 June), and the Mastra npm supply chain attack (17 June). These are not independent events. They represent a coordinated strategic focus on the developer machine as a credential aggregator, and on AI provider API keys as the highest-value target class.

Developer machines are NHI credential stores. Every npm token, GitHub PAT, cloud credential, and API key configured on a developer’s machine is a non-human identity with a blast radius. Developer endpoint security and secret hygiene are NHI governance problems, not just IT hygiene problems.

Zombie credentials on developer machines extend worm reach. Stale tokens, expired credentials, and old publishing rights left on developer machines give supply chain worms access to packages and repositories their owners have long since forgotten about. Contributor credential offboarding, that is, revoking all tokens and publishing rights when a developer stops contributing to a project, is essential to limiting worm propagation.

Recommendations

  • Rotate all npm, PyPI, and GitHub tokens on machines that installed any package during the June 2026 campaign window. If a developer installed any of the confirmed affected packages between 3 and 17 June 2026, treat their credentials as compromised.
  • Audit npm and PyPI publishing token scopes. A developer should not hold a single token with publish rights across dozens of packages. Scope tokens to the minimum packages required for current active work.
  • Implement contributor credential offboarding. When a developer stops contributing to a package or project, their publishing tokens and repository access should be revoked. Zombie credentials are worm propagation paths.
  • Deploy behavioural monitoring for package registry publish events. Unexpected or bulk publish events from a developer token — particularly outside business hours — should trigger immediate review.
  • Isolate CI/CD credential scopes. Build pipelines should hold credentials scoped to exactly what the pipeline needs and nothing more. A worm that lands in a CI/CD environment with broad cloud credentials is a full infrastructure compromise, not a package compromise.
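The bulk-publish review trigger from the recommendations above, as an added example that is not part of the original post: it scans constructed registry audit-log lines and flags any token that publishes to several distinct packages within a short window, which is the signature of worm-style republishing. The log format, the field names, and the window, package-count and business-hours thresholds are all assumptions.

```python
# Added example (not from the original post): flag worm-like publish bursts in
# package registry audit logs. Log format and thresholds below are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <action> token=<id> package=<name> version=<v>"
SAMPLE_LOG = """\
2026-06-03T02:14:05Z publish token=tok_dev_a package=@example/server-sdk version=1.4.2
2026-06-03T02:14:09Z publish token=tok_dev_a package=@example/client version=0.9.1
2026-06-03T02:14:12Z publish token=tok_dev_a package=@example/cli version=2.0.4
2026-06-03T02:14:20Z publish token=tok_dev_a package=@example/utils version=3.1.0
2026-06-03T02:14:31Z publish token=tok_dev_a package=@example/types version=1.0.7
2026-06-03T14:03:10Z publish token=tok_dev_b package=@example/docs-theme version=1.2.0
2026-06-05T10:00:00Z publish token=tok_ci_release package=@example/server-sdk version=1.5.0
2026-06-05T10:00:02Z dist-tag token=tok_ci_release package=@example/server-sdk version=1.5.0
"""

BURST_WINDOW = timedelta(minutes=10)  # assumption: tune to the registry's normal volume
BURST_PACKAGES = 3                    # assumption: distinct packages per token per window
BUSINESS_HOURS = range(8, 19)         # assumption: 08:00-18:59 UTC counts as in-hours

def parse_line(line):
    """Split one audit line into (timestamp, action, token, package)."""
    ts, action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), action, kv["token"], kv["package"]

def find_publish_bursts(log_text):
    """Return {token: {"packages": [...], "off_hours": bool}} for every token that
    published to at least BURST_PACKAGES distinct packages inside BURST_WINDOW.
    A human releasing one project rarely touches many packages in minutes; a
    stolen token republishing everything it can reach does exactly that."""
    by_token = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, token, pkg = parse_line(line)
        if action == "publish":            # only publishes extend a worm's reach
            by_token[token].append((ts, pkg))
    alerts = {}
    for token, events in by_token.items():
        events.sort()                      # chronological order per token
        for i, (start, _) in enumerate(events):
            pkgs = {p for t, p in events[i:] if t - start <= BURST_WINDOW}
            if len(pkgs) >= BURST_PACKAGES:
                alerts[token] = {"packages": sorted(pkgs),
                                 "off_hours": start.hour not in BUSINESS_HOURS}
                break                      # one alert per token is enough for review
    return alerts

if __name__ == "__main__":
    for token, a in find_publish_bursts(SAMPLE_LOG).items():
        print(f"REVIEW {token}: {len(a['packages'])} packages within "
              f"{BURST_WINDOW}, off-hours={a['off_hours']}")
```

In the constructed sample only tok_dev_a is flagged: five packages in under a minute at 02:14 UTC, while the single release from the CI token passes.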

How NHI Mgmt Group Can Help

Securing Non-Human Identities (NHIs), including AI agents, is becoming increasingly crucial as attackers discover and target service accounts, API keys, tokens, secrets, and OAuth credentials during breaches. These NHIs often hold extensive permissions that can be exploited, making their security a priority for any organisation focused on protecting its digital assets.

Take our NHI Foundation Level Training Course, the most comprehensive in the industry, that will empower you and your organisation with the knowledge needed to manage and secure these non-human identities effectively.


Final Thoughts

Miasma and Hades are the supply chain threat model taken to its logical extension: not a single compromised package, but a self-replicating credential theft engine that uses the developer ecosystem’s own trust infrastructure as its propagation mechanism. The June 2026 developer ecosystem attack wave, spanning JetBrains plugins, the Miasma npm worm, the Hades PyPI worm, and the Mastra npm attack, demonstrates that AI developer credential theft is now an organised, coordinated, multi-vector strategic target.

Developer machines hold more high-value credentials than almost any other endpoint in the enterprise. That makes them the most important NHI governance problem most organisations haven’t recognised yet.