Miasma malware expands npm supply-chain attacks, targets developer credentials

A supply-chain malware campaign known as Miasma has infected more than 20 versions of legitimate npm packages tied to the Leo Platform and RStreams ecosystems, according to Microsoft Threat Intelligen...

A supply-chain malware campaign known as Miasma has infected more than 20 versions of legitimate npm packages tied to the Leo Platform and RStreams ecosystems, according to Microsoft Threat Intelligence. The company said the latest wave began late on June 24, when attackers took over an npm maintainer account identified as “czirker” and published malicious package updates in a highly automated process that finished in seconds.

The campaign is designed to harvest sensitive data from developer endpoints and CI environments. Microsoft said the malware searches for cloud and source-control secrets, including AWS, Azure and Google Cloud credentials, GitHub personal access tokens, Kubernetes secrets, HashiCorp Vault data, 1Password information and npm publishing credentials. It also checks GitHub Actions runner memory for additional secrets.

Instead of sending stolen data to a conventional command-and-control server, the malware creates a GitHub repository under the victim’s account and uploads the information there. Researchers say that approach helps hide the activity inside normal-looking developer workflows. The malware also tries to republish packages that the compromised account can manage, allowing it to spread further even where npm two-factor authentication is in place.

How the malware has changed

Security researchers at Sonatype said this version differs from earlier Miasma samples. Previous variants relied more heavily on npm installation hooks, while the newer one places its payload elsewhere in the install chain. It also downloads and runs the Bun JavaScript runtime rather than depending entirely on Node.js, a change that may help it avoid some detection tools.

Miasma has been linked to earlier incidents involving poisoned Red Hat npm packages, and parts of the tooling have reportedly been shared publicly, making it easier for other attackers to reuse. Microsoft is advising organizations that installed affected versions to treat developer systems and CI runners as potentially compromised.

  • Review dependency lockfiles and internal package mirrors
  • Check build caches, container images and CI runners for malicious package copies
  • Rotate exposed secrets after ensuring the infected artifacts are removed

Security teams caution that replacing credentials too early, before malicious packages are fully removed, could simply give attackers fresh secrets to steal again.