In a concerning development, cybersecurity experts have identified a new surge of supply chain attacks involving the notorious Miasma malware family. This latest threat has infiltrated npm packages and extended its reach to the Go ecosystem, raising alarms among developers and security professionals worldwide.
Scope of the Attack
The recent campaign features malicious npm releases impacting packages like LeoPlatform and RStreams, as well as GitHub Actions workflow exploits. A compromised Go module associated with the Verana Blockchain project has also been detected, illustrating the attack’s broad impact.
The primary objective remains consistent: to steal developer credentials and utilize the compromised data to infiltrate package registries, repositories, and trusted development processes. This poses a significant risk to the integrity of software development pipelines.
Details of Affected Packages
The list of compromised npm packages is extensive, including notable names such as hexo-deployer-wrangler, leo-auth, leo-aws, and serverless-leo, among others. Additionally, a Go module from the Verana Blockchain project is implicated, signifying the malware’s expansion beyond npm.
Security analysts suspect the breach of an npm developer account linked to LeoPlatform, possibly through credential leaks, enabling attackers to deploy trojanized package versions within seconds.
Miasma’s Malicious Techniques
This attack wave employs tactics seen in previous campaigns, such as npm registry poisoning and GitHub infrastructure manipulation. Notably, the malware omits a lifecycle hook in package.json, opting instead to execute arbitrary code via a binding.gyp file during installation.
The payload deploys a JavaScript loader to download and execute the Bun runtime, subsequently extracting sensitive data like secrets and tokens. The malware includes a Russian locale killswitch and circumvents endpoint security software. Furthermore, it creates a “Run Copilot” workflow to exfiltrate CI/CD secrets from memory, uploading them to a public GitHub repository.
Conclusion and Future Implications
This attack highlights the persistent threat posed by the Miasma malware family. By targeting developer workflows and leveraging minor variations to evade detection, the attackers continue to exploit legitimate package ecosystems.
As this campaign extends to the Verana GitHub repository, it underscores the critical need for vigilant security practices across all stages of software development. Developers and organizations must remain proactive in safeguarding their environments against evolving threats.
