Miasma campaign poisons 20-plus npm packages, hunts for developer secrets
Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers
Carly Page
Published Fri 26 Jun 2026 // 13:18 UTC
The Miasma malware campaign has claimed another victim, poisoning more than 20 versions of legitimate npm packages used by the Leo Platform and RStreams ecosystems as its operators continue refining their self-propagating supply chain worm.

Microsoft Threat Intelligence said in a post on X that the attack began late on June 24 after attackers compromised an npm maintainer account, "czirker," and used it to publish poisoned updates to more than 20 packages in a "coordinated, fully automated operation completed in under three seconds."

Like earlier Miasma campaigns, the malware targets developer workstations and CI runners, hunting for AWS, Azure, and Google Cloud credentials alongside GitHub personal access tokens, Kubernetes secrets, HashiCorp Vault credentials, 1Password data, npm publishing credentials, and other sensitive information.
It also scrapes GitHub Actions runner memory before committing the stolen data to a GitHub repository created through the victim's account instead of talking to a traditional command-and-control server.
Stealing credentials is only part of the job. The malware also tries to republish any packages the victim is allowed to maintain, sidestepping npm's two-factor authentication and giving itself another route to spread.

The malware has evolved too. Earlier Miasma variants relied on npm install lifecycle hooks, the scripts such as preinstall and postinstall that npm runs automatically during installation, but according to Sonatype this version takes a different route, hiding its payload elsewhere in the installation process. It also downloads and executes the Bun JavaScript runtime rather than running everything under Node.js, apparently in the hope of attracting less attention from security software.
Miasma is proving difficult to stamp out. The campaign first surfaced in poisoned Red Hat npm packages earlier this month before the Mini Shai-Hulud toolkit landed on GitHub, making the malware available to anyone.

Microsoft is urging organizations that installed the affected package versions to assume that developer machines and CI environments may have been exposed. Sonatype recommends checking dependency lockfiles, internal package mirrors, build caches, container images, and CI runners for lingering copies of the malicious releases before rotating credentials. Swap the secrets first, while a poisoned copy is still sitting in a build cache or on a runner, and there's every chance the attackers simply steal the replacements. ®
Tags: npm, development, open source, worm, security