Cybersecurity researchers have identified a new evolution in the Miasma malware campaign, which has now compromised additional npm packages and extended its reach to the Go ecosystem. This latest wave targets packages associated with LeoPlatform and RStreams, as well as GitHub Actions workflows, and includes a related compromise of a Go module within the Verana Blockchain project.
The primary objective of this campaign remains the harvesting of developer and maintainer credentials. By obtaining these credentials, attackers can infiltrate package registries, repositories, and trusted developer workflows, thereby facilitating the spread of malicious code across the software supply chain.
The following packages have been identified as affected:
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- github.com/verana-labs/[email protected] (Go)
It is suspected that an npm developer account associated with LeoPlatform was compromised, likely through leaked credentials. This breach enabled attackers to use an npm token belonging to the maintainer to publish trojanized versions of these packages within a brief six-second window.
This new wave of attacks employs several tactics observed in previous campaigns, including:
- Poisoning the npm registry
- Utilizing binding.gyp files for install-time execution
- Deploying Bun-staged JavaScript malware
- Exploiting GitHub as dead-drop infrastructure
- Stealing secrets from GitHub Actions
- Establishing persistence in IDEs and AI coding assistants
- Exfiltrating encrypted credentials
The malicious npm packages lack traditional lifecycle hooks (preinstall, install, postinstall) in their package.json files, but they include a binding.gyp file; when no install script is defined, npm falls back to running node-gyp against that file, so arbitrary commands declared in it execute during installation. This execution launches a JavaScript loader that installs the Bun runtime if it is not already present, and then initiates the stealer payload responsible for harvesting secrets, credentials, and tokens.
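The install-time vector described above (a binding.gyp that runs commands in a package with no lifecycle hooks) is something a defender can check for before a package is installed. The following is an added example, not code from the article or from any of the affected projects: it audits an unpacked npm package directory, reports lifecycle hooks, and flags a binding.gyp whose build actions invoke a script runtime rather than a compiler. It assumes binding.gyp is written in the Python-literal syntax node-gyp accepts (with a JSON fallback); the sample package it writes to a temporary directory is constructed for illustration.

```python
"""Audit an unpacked npm package for install-time execution vectors (added example)."""
import ast
import json
import os
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic, an assumption of this example: a gyp "action" whose first token is a
# script runtime or downloader is not a normal native-build step.
SUSPICIOUS_LAUNCHERS = {"node", "bun", "curl", "wget", "sh", "bash", "powershell", "cmd"}


def load_gyp(path):
    """Parse binding.gyp; node-gyp accepts Python dict literals, so try that first."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return json.loads(text)


def audit_package(pkg_dir):
    """Return a list of human-readable findings for one unpacked package."""
    findings = []
    scripts = {}
    pkg_json = os.path.join(pkg_dir, "package.json")
    if os.path.exists(pkg_json):
        with open(pkg_json, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
    hooks = [h for h in LIFECYCLE_HOOKS if h in scripts]
    if hooks:
        findings.append("lifecycle hooks present: " + ", ".join(hooks))

    gyp_path = os.path.join(pkg_dir, "binding.gyp")
    if not os.path.exists(gyp_path):
        return findings
    if not hooks:
        # No install script means npm runs node-gyp against this file automatically.
        findings.append("binding.gyp present with no lifecycle hooks (node-gyp runs at install)")
    data = load_gyp(gyp_path)
    targets = data.get("targets", []) if isinstance(data, dict) else []
    for target in targets:
        for action in target.get("actions", []):
            argv = [str(a) for a in action.get("action", [])]
            if not argv:
                continue
            launcher = os.path.basename(argv[0]).lower()
            if launcher in SUSPICIOUS_LAUNCHERS:
                findings.append("binding.gyp action launches a script runtime: " + " ".join(argv))
    return findings


def build_sample_package():
    """Write a constructed package (not a real one) to a temp dir and return its path."""
    pkg_dir = tempfile.mkdtemp(prefix="npm-audit-")
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "sample-pkg", "version": "0.0.0", "scripts": {"test": "echo ok"}}, fh)
    # "type": "none" produces no native artifact; the action is the only thing that runs.
    gyp = {
        "targets": [{
            "target_name": "noop",
            "type": "none",
            "actions": [{
                "action_name": "stage",
                "inputs": [],
                "outputs": ["stage.done"],
                "action": ["node", "loader.js"],
            }],
        }]
    }
    with open(os.path.join(pkg_dir, "binding.gyp"), "w", encoding="utf-8") as fh:
        fh.write(repr(gyp))
    return pkg_dir


if __name__ == "__main__":
    for line in audit_package(build_sample_package()):
        print("-", line)
```

Run it against the contents of an extracted tarball (`npm pack <name>` followed by `tar xzf`) before the package is installed; a binding.gyp in a package that has no native code to build, or whose actions hand off to a script runtime, deserves manual review.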
Notably, the malware includes a Russian locale killswitch and checks for the presence of endpoint security software. It also drops a workflow named “Run Copilot” to capture CI/CD environment secrets from the runner memory. The harvested information is then uploaded to a public GitHub repository with the description “Alright Lets See If This Works.” As of the latest reports, there are 559 repositories matching this description.
Additionally, the token relay marker has evolved in this iteration. While earlier versions used strings like “IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner,” the current artifact uses “RevokeAndItGoesKaboom,” a string previously associated with the recent compromise of the “codfish/semantic-release-action” GitHub Action.
On June 24, 2026, at 15:39:06 UTC, an attacker force-pushed a malicious commit to “codfish/semantic-release-action” and redirected several version tags to point at the malicious commit. Any workflow that ran against one of these tags after that timestamp executed the attacker’s payload directly inside the GitHub Action environment.
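The tag redirection above only affects workflows that reference the action by a mutable tag; a workflow pinned to a full commit SHA keeps running the commit it was audited against. The following is an added example, not code from the article or from the affected projects: it scans a GitHub Actions workflow file for `uses:` references that are not pinned to a 40-character commit SHA, and also flags a workflow whose top-level name matches the “Run Copilot” indicator from the earlier section. The workflow texts and the SHA in them are constructed for illustration, and the `@v2` tag is a placeholder, not a tag named in the article; the regex-based line scanner is used instead of a YAML parser so the example runs without extra dependencies.

```python
"""Audit GitHub Actions workflow text for mutable action refs and a known workflow name (added example)."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" whether or not it is a list item; stops at a comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
# Only a column-0 "name:" is the workflow's own name; step names are indented.
NAME_RE = re.compile(r"""^name:\s*['"]?(.+?)['"]?\s*$""")
SUSPECT_WORKFLOW_NAMES = {"run copilot"}  # indicator quoted in the article


def audit_workflow(text):
    """Return (line_number, finding_kind, value) tuples for one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        name = NAME_RE.match(line)
        if name and name.group(1).strip().lower() in SUSPECT_WORKFLOW_NAMES:
            findings.append((lineno, "workflow-name", name.group(1).strip()))
        uses = USES_RE.match(line)
        if not uses:
            continue
        ref = uses.group(1)
        # Local actions and docker images are outside the tag-retargeting scenario.
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            findings.append((lineno, "no-ref", ref))
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            # A tag or branch can be moved by whoever controls the action repo.
            findings.append((lineno, "mutable-ref", ref))
    return findings


# Constructed sample: the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: codfish/semantic-release-action@v2
      - uses: ./.github/actions/local
"""

# Constructed sample resembling the dropped workflow only in its name.
SAMPLE_DROPPED = """\
name: Run Copilot
on: [push]
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: echo placeholder
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WORKFLOW, SAMPLE_DROPPED):
        for lineno, kind, value in audit_workflow(sample):
            print(f"line {lineno}: {kind}: {value}")
```

A `mutable-ref` finding is the condition under which a retargeted tag would have pulled in the attacker's commit; replacing the tag with the audited commit's full SHA (keeping the tag in a trailing comment for readability) removes that exposure. The `workflow-name` check is only a quick indicator match and should be paired with a review of any workflow file that appears in the repository without a corresponding pull request.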
This incident underscores the critical importance of securing developer accounts and CI/CD pipelines. Developers and organizations must implement robust security measures, including multi-factor authentication, regular credential rotation, and vigilant monitoring of package dependencies, to mitigate the risks associated with such sophisticated supply chain attacks.