Miasma Malware Exploits binding.gyp and Bun to Steal Developer Credentials

A sophisticated malware campaign known as Miasma has been identified infiltrating widely used npm packages, employing advanced techniques to exfiltrate sensitive developer credentials. This campaign specifically targets packages associated with the LeoPlatform and RStreams ecosystems, which are integral to data pipeline and cloud integration workflows.

On June 24, 2026, malicious versions of over 20 npm packages were published in rapid succession, catching the developer community off guard. The attack’s reach extends further, with additional compromised packages released under a separate npm user account named ‘llxlr’.

Security researchers have linked this campaign to broader threat clusters, including malware families like Mini Shai-Hulud and Hades. These threats have been observed evolving over multiple waves, each employing increasingly sophisticated and evasive techniques.

Exploitation of binding.gyp and Bun

The Miasma malware leverages the ‘binding.gyp’ file to execute malicious code during the package installation process. Unlike traditional methods that rely on visible install scripts in ‘package.json’, this approach exploits npm’s native build tool, ‘node-gyp’: when a package ships a ‘binding.gyp’ file and declares no install script of its own, npm runs ‘node-gyp rebuild’ by default, so the build, and any commands the ‘binding.gyp’ specifies, executes without a single install script appearing in ‘package.json’. This tactic allows the malware to run without triggering the standard security alerts associated with install scripts.

Upon execution, the malware initiates a heavily obfuscated JavaScript loader designed to run via Bun, a high-performance JavaScript runtime. If Bun is not present on the system, the malware downloads and installs it, ensuring the payload can execute. This method effectively bypasses detection mechanisms that primarily monitor Node.js environments.

Comprehensive Credential Theft

Once active, the Miasma malware systematically searches for and exfiltrates a wide array of sensitive information, including:

  • Environment configuration files
  • npm and PyPI tokens
  • GitHub tokens
  • Slack and Twilio tokens
  • SSH keys
  • Kubernetes configuration files
  • AWS and Azure credentials
  • Docker authentication files
  • Continuous Integration (CI) secrets
  • Settings related to AI coding assistants such as Claude, Cursor, and Gemini

Additionally, the malware checks for the presence of security tools like CrowdStrike, potentially to disable or evade them.

Notably, the campaign’s reach is not confined to the npm ecosystem. Researchers have discovered similar payloads within Go modules associated with the Verana Blockchain project, indicating that the attackers are targeting multiple package managers and developer tools.

The Miasma campaign underscores the critical need for developers and organizations to exercise heightened vigilance when managing dependencies. Regularly auditing packages, verifying the integrity of code before integration, and monitoring for unusual behaviors during installation are essential practices to mitigate the risks posed by such sophisticated supply chain attacks.