    Miasma Malware Hides in npm Packages to Steal Developer Secrets

    By Debolina Barik | June 26, 2026 | Updated: June 26, 2026 | 10 Mins Read

    Introduction: Miasma Malware npm Packages — Why It Matters

    The Miasma Malware npm Packages campaign has emerged as a sophisticated software supply chain attack targeting developers through malicious npm packages associated with the LeoPlatform and RStreams ecosystems. Instead of relying on traditional installation scripts, the attackers abuse the binding.gyp build configuration file to trigger hidden code execution through node-gyp, allowing the malware to bypass many automated security checks.

    The campaign demonstrates how threat actors continue evolving their techniques to compromise developer environments silently. Once executed, the malware steals credentials from numerous development platforms and cloud services, including GitHub, npm, PyPI, AWS, Azure, Docker, Kubernetes, Slack, Twilio, SSH keys, and even AI coding assistants. Security researchers also discovered attempts to compromise GitHub Actions workflows, which widens the potential impact across software supply chains, and they describe Miasma as one of the most sophisticated supply chain attacks aimed at developers in recent months.

    What are LeoPlatform and RStreams?

    LeoPlatform and RStreams are open-source frameworks widely used to build scalable cloud-based data processing and integration pipelines. Organizations use these frameworks for event-driven applications, distributed workloads, and enterprise cloud automation.

    Because these projects are trusted within developer communities, attackers leveraged malicious package updates to distribute malware through the npm ecosystem. Supply chain attacks targeting trusted software dependencies remain one of the most dangerous cybersecurity threats because developers often install packages without suspecting malicious modifications. The trusted nature of these projects made them an attractive target for the Miasma Malware npm Packages campaign.

    Who Is Behind the Attack?

    Researchers continue investigating who is responsible for the Miasma campaign; no official attribution to a known threat group has been made. Technical analysis, however, found strong similarities between Miasma and previously documented malware families, including:

    • Mini Shai-Hulud
    • Hades malware

    Investigators also identified related payloads inside a Go module connected with the Verana Blockchain project, suggesting the operators may be expanding beyond npm into additional software ecosystems.

    Although attribution remains under investigation, the campaign demonstrates significant planning and technical sophistication typically associated with advanced supply chain attacks.

    Miasma Malware npm Packages 2026: Full Technical Breakdown

    Timeline of Events

    Researchers identified malicious npm packages associated with the LeoPlatform and RStreams ecosystems after detecting unusual execution behavior during package installation.

    Unlike conventional npm malware that abuses preinstall or postinstall scripts, Miasma instead exploits the binding.gyp configuration file. Since many security scanners primarily inspect installation scripts, this technique allows malicious code execution while remaining largely unnoticed.

    Once the package begins building through node-gyp, attackers execute an obfuscated JavaScript loader that decrypts an encrypted payload before launching it using the Bun JavaScript runtime. This multi-stage execution chain significantly complicates malware analysis and detection.

    Researchers later discovered additional malicious components embedded within a Go module related to the Verana Blockchain project, indicating the campaign may not be limited to JavaScript ecosystems alone.

    How the Attack Works

    The attack consists of several carefully designed stages:

    1. Developers install an infected npm package.
    2. The malicious binding.gyp file triggers code execution through node-gyp.
    3. An obfuscated JavaScript loader executes.
    4. The loader decrypts the hidden malware payload.
    5. The payload launches using the Bun runtime.
    6. Credentials are harvested from multiple developer tools and cloud services.
    7. GitHub repositories and CI/CD workflows may also be modified for continued persistence.

    This approach enables attackers to remain hidden throughout much of the software installation process while avoiding security products focused solely on npm lifecycle scripts.

    The execution chain used by Miasma Malware npm Packages demonstrates how attackers can evade conventional package security scanning.
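The detection gap described above, that scanners inspect npm lifecycle scripts but not the build configuration, can be closed by reading binding.gyp the way gyp itself does. The scanner below is an added example, not code from the page or from any research team: it parses every binding.gyp under node_modules as a Python literal (gyp's actual syntax) and reports build actions that invoke an interpreter or downloader. It assumes GYP `actions`/`rules` entries as the execution vehicle, which the page does not specify, and the two sample files are constructed.

```python
import ast
import re
from pathlib import Path

# Build steps that hand control to an interpreter or downloader are rare in an
# honest native addon and are exactly what a loader-style binding.gyp needs.
SUSPICIOUS_EXECUTABLES = {"node", "bun", "sh", "bash", "cmd", "powershell", "curl", "wget", "python", "python3"}

def parse_gyp(text):
    # gyp files are Python literals (single quotes, trailing commas, '#' comments), so read
    # them as gyp does. The comment strip is line-based and would mangle a '#' inside a string.
    return ast.literal_eval(re.sub(r"#[^\n]*", "", text).strip())

def find_actions(node):
    # Collect every 'action' command list wherever it sits: under 'actions',
    # under 'rules', or nested inside 'conditions' blocks.
    found = []
    if isinstance(node, dict):
        cmd = node.get("action")
        if isinstance(cmd, list) and all(isinstance(c, str) for c in cmd):
            found.append(cmd)
        for value in node.values():
            found.extend(find_actions(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_actions(item))
    return found

def scan_gyp_text(text):
    # Return the build commands whose executable (by basename, so /usr/bin/node
    # and bun.exe both count) is on the watchlist.
    return [cmd for cmd in find_actions(parse_gyp(text))
            if cmd and Path(cmd[0]).name.lower().removesuffix(".exe") in SUSPICIOUS_EXECUTABLES]

def scan_node_modules(root):
    # Map every binding.gyp under root to its flagged commands; unparsable files are reported too.
    report = {}
    for gyp_path in Path(root).rglob("binding.gyp"):
        try:
            flagged = scan_gyp_text(gyp_path.read_text(encoding="utf-8"))
        except (ValueError, SyntaxError):
            flagged = [["<unparsable binding.gyp>"]]
        if flagged:
            report[str(gyp_path)] = flagged
    return report

# Constructed samples, not files from the campaign: an ordinary native addon,
# and one that adds a build action running an interpreter on a bundled script.
BENIGN_GYP = """{
  'targets': [{'target_name': 'addon', 'sources': ['src/addon.cc']}],  # plain addon
}"""
SUSPICIOUS_GYP = """{
  'targets': [{
    'target_name': 'addon', 'sources': ['src/addon.cc'],
    'actions': [{'action_name': 'prepare', 'inputs': [], 'outputs': ['stamp'],
                 'action': ['node', 'scripts/prepare.js']}],
  }],
}"""

if __name__ == "__main__":
    print(scan_gyp_text(SUSPICIOUS_GYP))  # -> [['node', 'scripts/prepare.js']]
```

Run `scan_node_modules("node_modules")` after `npm ci` in a clean environment to review the report before any native build is trusted.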

    GitHub Actions Supply Chain Abuse

    One of the most concerning aspects of the campaign involves GitHub Actions.

    Researchers observed the malware injecting fake “Run Copilot” workflows into compromised repositories. These fraudulent workflows appear legitimate to developers but are designed to silently extract repository secrets and authentication tokens during automated CI/CD execution.

    By targeting GitHub Actions, attackers gain opportunities to compromise production environments, deployment pipelines, and downstream software consumers, dramatically increasing the scope of a single infected developer workstation.

    What Data and Systems Were Targeted?

    Miasma is designed to harvest sensitive credentials from a wide range of developer tools, cloud platforms, and collaboration services, including:

    • GitHub accounts
    • npm authentication tokens
    • PyPI credentials
    • AWS cloud credentials
    • Microsoft Azure credentials
    • Docker authentication tokens
    • Kubernetes configuration files
    • SSH private keys
    • Slack tokens
    • Twilio credentials
    • AI coding assistant authentication data
    • GitHub Actions secrets
    • Local development environment credentials

    Researchers also found the malware performing environmental checks before execution.

    Among its anti-analysis features, the malware searches for popular endpoint security solutions such as CrowdStrike and SentinelOne. It also avoids executing on systems configured with Russian-language settings, a behavior commonly observed in sophisticated malware campaigns intended to reduce unwanted attention from regional law enforcement.

    The combination of stealthy execution, extensive credential theft capabilities, and software supply chain abuse makes Miasma one of the more technically advanced developer-focused malware campaigns observed in recent months.

    Potential Risks & Impact

    The Miasma campaign poses significant risks to developers, enterprises, and software supply chains worldwide, and its impact extends far beyond the compromise of individual developer workstations: by targeting software supply chains, attackers can potentially affect every organization that relies on infected packages, cloud infrastructure, and automated deployment pipelines.

    Identity and Cloud Security Risks

    The malware is designed to harvest authentication credentials from multiple developer platforms and cloud providers. If attackers successfully obtain these secrets, they may gain unauthorized access to repositories, cloud resources, production servers, and CI/CD environments.

    Potential risks include:

    • Unauthorized access to GitHub repositories
    • Cloud account compromise in AWS and Azure
    • Theft of SSH keys for remote server access
    • Abuse of Docker and Kubernetes environments
    • Exposure of AI coding assistant credentials
    • Unauthorized package publishing using stolen npm or PyPI tokens

    Business and Operational Risks

    Organizations using compromised developer environments may experience serious operational disruptions. Since the malware targets trusted development workflows, attackers could potentially inject malicious code into software releases without immediate detection.

    Businesses may face:

    • Software supply chain compromise
    • Deployment of backdoored applications
    • Loss of customer trust
    • Increased incident response costs
    • Service outages caused by compromised infrastructure

    Regulatory and Compliance Risks

    Organizations handling sensitive customer or enterprise data could face regulatory scrutiny if compromised credentials result in unauthorized access.

    Depending on the affected region and industry, organizations may need to comply with:

    • Data breach notification requirements
    • Internal security investigations
    • Third-party risk assessments
    • Security audit obligations
    • Supply chain security reviews

    Official Response / Statement

    At the time of writing, no official public statement has been released by the maintainers of the affected ecosystems regarding the full scope of the campaign.

    However, security researchers have advised organizations to immediately rotate all potentially exposed credentials, rebuild affected development environments using trusted dependency lockfiles, inspect repositories for unauthorized GitHub Actions workflows, and verify software dependencies before deployment.

    The investigation remains ongoing, and additional indicators or malicious packages may be identified as researchers continue analyzing the campaign; affected organizations should rotate credentials and inspect their development environments without delay.

    Industry Context: Why Supply Chain Attacks Continue to Rise

    Software supply chain attacks have become increasingly attractive to cybercriminals because compromising a single trusted package can potentially affect thousands of downstream users.

    Modern development environments depend heavily on open-source ecosystems such as npm, PyPI, Maven, and Go modules. Attackers increasingly target these repositories because developers naturally trust widely used dependencies.


    Organizations should strengthen software development security by following the supply chain best practices published by the National Institute of Standards and Technology (NIST), including the NIST Secure Software Development Framework (SSDF), and by the Cybersecurity and Infrastructure Security Agency (CISA). Security experts see Miasma as part of a growing trend of sophisticated software supply chain attacks.

    How to Protect Yourself and Your Organization

    Security experts recommend taking the following actions immediately if any potentially affected packages have been installed:

    1. Rotate all GitHub, npm, PyPI, AWS, Azure, Docker, Kubernetes, Slack, Twilio, and SSH credentials.
    2. Rebuild developer environments using verified dependency lockfiles instead of existing installations.
    3. Audit GitHub repositories for unexpected workflow files, especially fake “Run Copilot” workflows.
    4. Pin GitHub Actions to full commit hashes rather than floating version tags.
    5. Scan systems for unauthorized modifications and suspicious build processes.
    6. Verify package integrity before deployment using trusted package management practices.
    7. Enable multi-factor authentication on developer accounts wherever possible.
    8. Continuously monitor developer environments for unusual authentication activity.

    Security teams should also review CISA’s Secure by Design guidance to improve software supply chain resilience and reduce the risk of dependency compromise.

    Defending against Miasma requires proactive monitoring, dependency verification, and secure CI/CD practices.

    Indicators of Compromise (IoCs)

    Security teams should investigate for the following indicators:

    • Suspicious npm packages associated with LeoPlatform or RStreams
    • Unexpected execution of binding.gyp during package installation
    • Obfuscated JavaScript loaders
    • Bun runtime launching unknown payloads
    • Unauthorized GitHub Actions workflow files
    • Fake “Run Copilot” workflow entries
    • Unexpected credential access attempts
    • Connections to attacker-controlled infrastructure
    • Modified Go modules associated with the Verana Blockchain project

    Any match against these indicators should be treated as a potential Miasma compromise and followed by the credential rotation and repository audit described above.

    Key Takeaways

    • Miasma abuses binding.gyp to bypass traditional npm install-script detection.
    • The malware uses the Bun runtime to decrypt and execute hidden payloads.
    • Developer credentials from GitHub, AWS, Azure, Docker, Kubernetes, SSH, Slack, Twilio, npm, and PyPI are primary targets.
    • GitHub Actions workflows are abused to steal CI/CD secrets.
    • Immediate credential rotation and repository auditing are strongly recommended.

    The Miasma Malware npm Packages campaign highlights the growing sophistication of software supply chain attacks and the importance of securing developer environments.

    Conclusion: Miasma Malware npm Packages and What Happens Next

    The Miasma campaign demonstrates how software supply chain attacks continue evolving beyond traditional installation-script abuse. By exploiting trusted developer workflows, attackers significantly increase the likelihood of compromising both individual developers and enterprise software environments.

    As investigations continue, organizations should proactively audit development infrastructure, rotate exposed credentials, review CI/CD pipelines, strengthen dependency management practices, and stay alert to new developments related to the campaign. Supply chain security is becoming an essential component of modern cybersecurity, and incidents like Miasma highlight the importance of continuously monitoring trusted software ecosystems for malicious activity.

    Frequently Asked Questions (FAQs)

    Q1. What is Miasma Malware npm Packages?

    Miasma is a sophisticated malware campaign targeting developers through malicious npm packages. It steals credentials from development platforms, cloud providers, and CI/CD environments while using stealth techniques to evade detection.

    Q2. How does Miasma avoid traditional npm security checks?

    Instead of relying on standard preinstall or postinstall scripts, the malware abuses the binding.gyp configuration file executed through node-gyp, allowing hidden code execution during package builds.

    Q3. What credentials does the malware attempt to steal?

    It targets GitHub, npm, PyPI, AWS, Azure, Docker, Kubernetes, SSH keys, Slack, Twilio, GitHub Actions secrets, and AI coding assistant credentials.

    Q4. Why are GitHub Actions targeted?

    The attackers inject fake “Run Copilot” workflows that silently exfiltrate repository secrets during automated CI/CD execution, potentially compromising production environments.

    Q5. How can organizations protect themselves from this attack?

    Organizations should rotate exposed credentials, rebuild environments from trusted lockfiles, audit repositories for unauthorized workflow files, pin GitHub Actions to commit hashes, and continuously monitor developer environments for suspicious behavior.
