Miasma campaign poisons 20-plus npm packages, hunts for developer secrets

Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers

The Miasma malware campaign has claimed another victim, poisoning more than 20 versions of legitimate npm packages used by the Leo Platform and RStreams ecosystems as its operators continue refining their self-propagating supply chain worm.

Microsoft Threat Intelligence said in a post on X that the attack began late on June 24 after attackers compromised an npm maintainer account, "czirker," and used it to publish poisoned updates to more than 20 packages in a "coordinated, fully automated operation completed in under three seconds."

Like earlier Miasma campaigns, the malware targets developer workstations and CI runners, hunting for AWS, Azure, and Google Cloud credentials alongside GitHub personal access tokens, Kubernetes secrets, HashiCorp Vault credentials, 1Password data, npm publishing credentials, and other sensitive information. 

It also scrapes GitHub Actions runner memory before committing the stolen data to a GitHub repository created through the victim's account instead of talking to a traditional command-and-control server.

Stealing credentials is only part of the job. The malware also tries to republish any packages the victim is allowed to maintain, sidestepping npm's two-factor authentication and giving itself another route to spread.

The malware has evolved too. Earlier Miasma variants relied on npm installation hooks, but according to Sonatype, this version takes a different route, hiding its payload elsewhere in the installation process. It also downloads and executes the Bun JavaScript runtime rather than running everything under Node.js, apparently in the hope of attracting less attention from security software.

Miasma is proving difficult to stamp out. The campaign first surfaced in poisoned Red Hat npm packages earlier this month before the Mini Shai-Hulud toolkit landed on GitHub, making the malware available to anyone.

Microsoft is urging organizations that installed the affected package versions to assume that developer machines and CI environments may have been exposed. Sonatype recommends checking dependency lockfiles, internal package mirrors, build caches, container images, and CI runners for lingering copies of the malicious releases before rotating credentials. Swap the secrets first, and there's every chance the attackers simply steal the replacements. ®
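The lockfile check Sonatype recommends can be scripted. The following is an added example, not code from Microsoft, Sonatype or the article: it walks a package-lock.json (both the nested lockfileVersion 1 layout and the flat `packages` map of versions 2 and 3) and reports every install path pinned to an affected release. The article names no package versions, so the `AFFECTED` set and the sample lockfile are constructed placeholders to be replaced with the advisory's real package@version pairs.

```python
import json
from typing import Dict, Iterator, List, Set, Tuple

# Constructed placeholder indicators: the article lists no affected versions,
# so substitute the package@version pairs from the actual advisory.
AFFECTED: Set[Tuple[str, str]] = {
    ("@example-leo/placeholder-pkg", "9.9.9"),
    ("example-rstreams-placeholder", "1.2.3"),
}

def iter_v1(deps: Dict, path: str = "") -> Iterator[Tuple[str, str, str]]:
    """Walk the nested 'dependencies' tree of a lockfileVersion 1 file."""
    for name, meta in (deps or {}).items():
        where = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        yield name, meta.get("version", ""), where
        yield from iter_v1(meta.get("dependencies", {}), where)

def iter_v2(packages: Dict) -> Iterator[Tuple[str, str, str]]:
    """Walk the flat 'packages' map of a lockfileVersion 2/3 file (keys are paths)."""
    for where, meta in packages.items():
        if not where:  # the empty key is the root project itself
            continue
        # Aliased packages carry an explicit name; otherwise derive it from the path,
        # keeping the @scope/ prefix for scoped packages.
        name = meta.get("name") or where.split("node_modules/")[-1]
        yield name, meta.get("version", ""), where

def find_affected(lock_text: str) -> List[Tuple[str, str, str]]:
    """Return (name, version, install path) for every pinned affected release."""
    lock = json.loads(lock_text)
    entries = (iter_v2(lock["packages"]) if "packages" in lock
               else iter_v1(lock.get("dependencies", {})))
    return sorted(e for e in entries if (e[0], e[1]) in AFFECTED)

# Constructed sample lockfile: one affected package at top level and one nested
# under another dependency, plus an unaffected package for contrast.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/example-rstreams-placeholder": {"version": "1.2.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/@example-leo/placeholder-pkg": {"version": "9.9.9"},
    },
})

if __name__ == "__main__":
    for name, version, where in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED {name}@{version} at {where}")
```

Run it against every lockfile in the repository, mirror and build cache before rotating anything; a hit means the host that installed from that lockfile should be treated as exposed.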
