I Deployed a Supply Chain Attack Honeypot. Here’s What Got Caught in 24 Hours.
On June 8, 2026, the Miasma credential‑stealing attack framework briefly appeared on GitHub. Multiple repositories named “Miasma-Open-Source-Release” were published through compromised developer accounts.
SafeDep called it: *”A full supply chain attack toolkit that allows the operator to execute various attacks via stolen credentials against arbitrary or targeted packages on public registries (PyPI, npm, RubyGems), JFrog Artifactory, GitHub repositories and GitHub Actions, AI coding tools config poisoning, SSH-based lateral movement, and other attack vectors.”*
I didn’t just read about it. I deployed a honeypot on stackoftruths.com to catch attackers using it.
Miasma is not theoretical. It has already impacted 304 components. It uses three independent C2 channels via GitHub commit search. The campaign has already morphed into a Python variant called Hades. Attackers are scanning your infrastructure right now.
The Miasma Toolkit — What Attackers Are Using
- Credential theft — steals tokens from PyPI, npm, RubyGems, GitHub, JFrog Artifactory
- Supply chain poisoning — injects malicious code into packages
- GitHub Actions abuse — compromises CI/CD pipelines
- AI coding tool poisoning — poisons config files for Copilot, Cursor, etc.
- SSH lateral movement — spreads across infrastructure
The malware employs three independent C2 channels using GitHub commit search, each with a different search string and crypto key:
- "DontRevokeOrItGoesBoom" — discovers attacker-controlled PATs for data exfiltration
- "TheBeautifulSandsOfTime" — delivers JavaScript payloads
- "firedalazer" — delivers Python script URLs as a remote code execution backdoor
Stackoftruths.com:
• /naughty-bots/ serves poisoned slop (200, ~7KB per hit)
• robots.txt disallows the path for legit crawlers
• Hidden link injected into every page footer — invisible to humans, visible to scrapers
• Rate limited: 1 req/s per UA with burst 5 to prevent self-DDoS
Infrastructure:
• Docker container miasma on localhost:9855, auto-restart
• nginx proxies through /naughty-bots/ with separate access log
• Force-gzip, link-count 5, max-depth 8 (250MB per trapped scraper)
Monitoring:
• Daily cron job at 9 AM checks logs and reports caught bots
• Silent when nothing new — no spam
Why This Works
- The hidden link. Invisible to humans. Visible to any scraper that parses your HTML. The second a bot follows it, you know you’re being probed.
- The robots.txt trap. Legitimate crawlers (Google, Bing, etc.) obey robots.txt. Malicious scrapers ignore it. When a bot hits /naughty-bots/, you know it's not friendly.
- Rate limiting. 1 request per second per user agent, burst 5. Enough to trap, not enough to crash.
- Force‑gzip + link count 5 + max depth 8. 250MB of poisoned slop per trapped scraper. Wastes attacker resources.
- The daily report. No noise. No false alarms. Just a morning summary of who got caught.
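As an added example (not the site's own cron script), here is a Python version of the daily log check described above: it parses nginx combined-format access log lines, keeps only clients that entered /naughty-bots/, and notes whether they read robots.txt first and which of the probe paths they requested. The log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2026:03:14:02 +0000] "GET /robots.txt HTTP/1.1" 200 71 "-" "Googlebot/2.1"
203.0.113.7 - - [09/Jun/2026:03:14:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
198.51.100.23 - - [09/Jun/2026:04:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [09/Jun/2026:04:02:12 +0000] "GET /naughty-bots/ HTTP/1.1" 200 7168 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [09/Jun/2026:04:02:13 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [09/Jun/2026:04:02:14 +0000] "GET /naughty-bots/a1b2 HTTP/1.1" 200 7168 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# One regex for the combined format: ip, timestamp, request line, status, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

TRAP_PREFIX = "/naughty-bots/"          # path disallowed in robots.txt
PROBE_PATHS = {"/.env", "/config", "/backup"}  # paths the post says scanners ask for


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def caught_bots(log_text):
    """Group requests by (ip, user agent); keep only clients that entered the trap."""
    by_client = defaultdict(lambda: {"trap_hits": 0, "read_robots": False, "probes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = by_client[(rec["ip"], rec["ua"])]
        if rec["path"] == "/robots.txt":
            c["read_robots"] = True
        elif rec["path"].startswith(TRAP_PREFIX):
            c["trap_hits"] += 1
        elif rec["path"] in PROBE_PATHS:
            c["probes"].add(rec["path"])
    return {k: v for k, v in by_client.items() if v["trap_hits"] > 0}


def report(log_text):
    """One summary line per caught client; an empty list means nothing to report."""
    return [f'{ip} "{ua}": {c["trap_hits"]} trap hits, read robots.txt: '
            f'{c["read_robots"]}, probes: {sorted(c["probes"])}'
            for (ip, ua), c in sorted(caught_bots(log_text).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run from cron against the separate /naughty-bots/ access log; because `report` returns an empty list when nobody entered the trap, the job stays silent on quiet days.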
Attackers are scanning your site right now. They’re looking for exposed .env files, API keys, and GitHub tokens. They’re using toolkits like Miasma to automate supply chain poisoning.
Most defenders never see them. My honeypot caught them in 24 hours.
The question isn’t “are you being scanned?” It’s “what are they finding?”
What Got Caught — First 24 Hours
The daily report at 9 AM showed hits from:
- IP ranges associated with known scanner networks — not your average Googlebot
- User‑agents spoofing real browsers — but ignoring robots.txt
- Requests for paths like /.env, /config, /backup — exactly what Miasma looks for
None of these were legitimate crawlers. All of them were probing for supply chain attack vectors.
Miasma is real. It’s already impacted 304 components. It has morphed into a Python variant called Hades. Attackers are using it right now.
You can wait for them to find a vulnerability. Or you can trap them in a honeypot and see what they’re after.
I deployed mine in an afternoon. You can too. Or you can hire someone who already knows how.
Attackers are scanning your site right now. Let me show you what they’re finding.
Full infrastructure pentest: €3,000. Honeypot deployment: included. Security retainer: €1,500/month.
📩 DM @StackOfTruths on X. Free 15-min consultation. No hard sell. Just honest answers about your real exposure.