Microsoft has disclosed a supply chain malware campaign, tracked as Miasma, that compromised more than 20 npm packages belonging to the Leo Platform and RStreams developer ecosystems. Using a hijacked maintainer account, the attackers pushed poisoned package updates that steal cloud and development credentials from whoever installs them and then attempt to propagate autonomously to further npm packages.
- Over 20 npm packages compromised in rapid automated attack
- Malware steals extensive cloud and developer credentials
- Self-propagates by republishing packages the victim maintains, sidestepping npm 2FA
What happened
On June 24, attackers took control of the npm maintainer account "czirker" and used it to publish malicious updates to more than 20 npm packages affiliated with the Leo Platform and RStreams. According to Microsoft Threat Intelligence, the publishing run was coordinated and fully automated: all of the poisoned versions were pushed in under three seconds, and from that moment any developer machine or CI job that installed the affected packages received the malware.
Miasma is aimed squarely at software developers. It harvests credentials from cloud providers (AWS, Azure and Google Cloud), GitHub personal access tokens, Kubernetes secrets, and secrets managers such as HashiCorp Vault and 1Password, and it also scrapes data from the memory of GitHub Actions runners. Exfiltration does not rely on dedicated command-and-control infrastructure: the malware creates repositories under the victim's own GitHub account and pushes the stolen data there, so the outbound traffic goes to github.com rather than to an attacker-controlled host.
Why it matters
Compromising widely used npm packages gives the attackers a supply chain vector that reaches every developer machine and continuous integration (CI) environment that installs the affected versions. The propagation step sidesteps npm's two-factor authentication rather than breaking it: the malware republishes the packages the victim maintains from the victim's own environment, using whatever publish credentials are already present there, so no second factor is ever challenged. Every infected developer who is also a maintainer therefore extends the campaign's reach further into the open source ecosystem.
The campaign has also evolved: newer variants execute the payload with the Bun JavaScript runtime instead of the more common Node.js, most likely to evade security tooling that expects Node.js. Its persistence and adaptability underline the ongoing risk of supply chain attacks and the importance of comprehensive secrets management and monitoring within software development pipelines.
What to watch next
Organizations that installed any of the compromised package versions should treat the developer workstations and CI infrastructure involved as compromised, not merely exposed. Microsoft advises rotating immediately every credential the malware could have reached (cloud keys, GitHub tokens, Kubernetes secrets, vault credentials and the npm tokens it uses to republish packages), and Sonatype recommends auditing dependency lockfiles, internal registry mirrors, build caches, container images and CI runners to find and remove the malicious artifacts.
Security teams should expect Miasma's techniques to keep changing and should watch the wider npm supply chain for similar poisoning attempts. Multi-factor authentication on maintainer accounts, strict credential rotation policies, dependency integrity verification (pinned versions and lockfile hashes) and runtime behaviour analysis of install and build steps remain the essential mitigations against these evolving threats.