Supply chain attackers are getting more creative, and the latest threat is proof of that. A malware campaign known as Miasma has been caught hiding inside widely used npm packages, using a clever mix of tools and techniques to stay hidden while stealing sensitive developer credentials.
The attack involves packages tied to the LeoPlatform and RStreams ecosystems, which are used in data pipeline and cloud integration workflows.
Malicious versions of over 20 npm packages were published within a tight window on June 24, 2026, catching many developers off guard.
The scope of the attack is wider than it first appears, with additional infected packages published under a separate npm user account named llxlr.
Researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that this campaign is part of a broader threat cluster also connected to related malware families called Mini Shai-Hulud and Hades.
The team has been tracking the family across multiple waves, noting that its techniques grow more layered and harder to detect with each new release.
What makes this wave particularly concerning is how far the damage can spread. The malware does not just sit inside an infected package.
Once it runs, it hunts for credentials, tokens, configuration files, and AI coding tool settings, then uses what it finds to poison other repositories and developer workflows.
Execution flow (Source – Socket.Dev)
The campaign also expands beyond npm. Socket researchers found the same payload family inside a Go module linked to the Verana Blockchain project, showing that the attackers are not limiting themselves to a single package ecosystem.
This confirms a troubling shift where threat actors are moving across package managers by targeting the workflows and tools developers rely on every day.
Miasma Malware Uses binding.gyp and Bun
The infection begins at the moment a developer installs a package. Instead of using a visible install script in package.json, the attackers added a file called binding.gyp to each malicious package.
When npm sees this file, it automatically runs node-gyp, a native build tool. The attackers exploit this behavior to trigger code execution without raising the red flags that a traditional install script would.
Once triggered, the malicious index.js file springs into action. It is a large, heavily scrambled single-line JavaScript loader that uses a Caesar-style letter shift and AES-GCM encryption to hide its real purpose.
When decoded, it delivers a final payload built to run through Bun, a fast JavaScript runtime. If Bun is not already installed on the machine, the malware downloads and installs it.
Many security tools do not watch Bun execution the same way they monitor Node.js, which helps the malware avoid detection.
Stealing Credentials Across Developer Environments
The payload targets a wide range of sensitive data. It collects environment files, npm and PyPI tokens, GitHub tokens, Slack and Twilio tokens, SSH keys, Kubernetes configs, AWS and Azure credentials, Docker authentication files, CI secrets, and settings tied to AI coding assistants like Claude, Cursor, and Gemini.
The malware also checks for popular security tools like CrowdStrike and SentinelOne, and includes a Russian locale guard that stops execution on Russian-language systems.
GitHub Actions is a key target, as the malware hunts for workflows that publish packages or hold registry tokens, pulling secrets from the runner environment and using GitHub’s own API to exfiltrate stolen data.
A recurring fake workflow named “Run Copilot” is designed to blend in with normal AI-assisted development activity while quietly uploading stolen secrets as artifacts.
Teams affected by this campaign should treat any environment that installed an affected package as fully compromised.
Rotate all secrets immediately from a clean machine, not from the potentially infected host. Rebuild from a known-good lockfile and audit repositories for injected files such as .github/setup.js, _index.js, orphan branches, and unexpected Bun usage in GitHub Actions runs.
Developers should also pin GitHub Actions to full-length commit hashes rather than mutable version tags to prevent tag-based redirection attacks going forward.
Indicators of Compromise (IoCs):-
TypeIndicatorDescriptionSHA-25632d1bc728d8e504952083a6adc488c309a401c7df4dc8f47b382ce32e4aebe21Confirmed LeoPlatform/RStreams set — binding.gypSHA-25657ba86f6f0caaa580c1dccdf4ed7873d1470e5ea2f8e9ca7a989dc04899f13c0leo-logger@1.0.8 — index.jsSHA-2564a0aa78757958683155a7b9289427fb829abcad1bf5ee6399eb73e8409b0bc11leo-logger@1.0.8 — package.jsonSHA-256026588d39b7c650b5c0dfbba6c6fcc0e7ec8e3b72ba8639012e7f71c708f2c3bleo-sdk@6.0.19 — index.jsSHA-256df9ea0c71574e11c93141ad2f018a63a5375cd6d69ca2f744732ad7814170657leo-auth@4.0.6 — index.jsSHA-2561a3b9ed0b377f56f49b9a703612cf45e86ab7d100587e1e7a476d809fe337a8cleo-aws@2.0.4 — index.jsSHA-256f565988f281bf77bcad26ea7f543617e53da4b62f5df63d4f7a89bae1729cf81leo-sdk@6.0.19 — npm tarballSHA-256a934a5bcf692b9d01e8129bf264be23809dfee464df471d75a9f3fa1bcede343leo-auth@4.0.6 — npm tarballSHA-256f7c47be306351ffacd46584d2067f7be676dbfe17cd89ab4880632decfe18f3dleo-aws@2.0.4 — npm tarballSHA-2563da2ca129c9920d9acd2e3477aee8f46b5a5f0e9537ad6e7b6ab1df1007adad1leo-cli@3.0.3 — npm tarballSHA-256b3e217f4354e8a4383038b99b0bcaeaff191a79df58e7a1f2355a79aac2faf13verana-blockchain-v0.10.1-dev.20.zip (Go module)SHA-25615b415ae41df72acf1f7e9e67569531d41dee62d089d34b4c0fab0c7fe5cc14f.claude/index.js (Go repo artifact)SHA-2566cb3fc3650355973b8a1ed86619a3f412fb0700f29c1c3a736cada4c2c76a9f7.claude/setup.mjs and .vscode/setup.mjsSHA-2566a861a479f45fe53f067091414332248bc027ffc396116811d12e57a6ff71250.claude/settings.jsonSHA-256927387d0cfac1118df4b383decc2ea6ba49c9d2f98b47098bcbcba1efc026e1f.vscode/tasks.jsonSHA-2561a0e1daeaea87cab5610a3cc2aa72e7c6f1abfe55959a156368bcfa6585fa6ceDecoded first-stage JavaScriptSHA-256ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108Decrypted Bun bootstrap payloadSHA-2569f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015Decrypted main Miasma payloadFile Namebinding.gypAdded to packages that previously did not require native build behaviorFile Nameindex.jsReplaced with large single-line obfuscated payloadFile Name.github/setup.jsInjected payload file in poisoned repositoriesFile Name_index.jsSecondary payload file found in GitHub repositoriesFile Name.claude/setup.mjsBun launcher script in poisoned Go source repoFile Name.vscode/tasks.jsonVS Code folder-open task triggering malware executionFile Name.claude/settings.jsonClaude AI agent hook for persistenceFile Name.cursor/rules/setup.mdcCursor IDE hook for persistenceCampaign StringRevokeAndItGoesKaboomOperator dead-drop token in GitHub commitsCampaign StringAlright Lets See If This WorksCampaign marker string found across compromisesCampaign StringTheBeautifulSandsOfTimeCampaign marker stringCampaign StringthebeautifulmarchoftimeCampaign marker stringCampaign StringthebeautifulsnadsoftimeCampaign marker stringPackageleo-logger@1.0.8Malicious LeoPlatform npm packagePackageleo-sdk@6.0.19Malicious LeoPlatform npm packagePackageleo-auth@4.0.6Malicious LeoPlatform npm packagePackageleo-aws@2.0.4Malicious LeoPlatform npm packagePackageleo-cli@3.0.3Malicious LeoPlatform npm packagePackagehexo-deployer-wrangler@1.0.4Malicious npm package published by llxlrPackagehexo-shoka-swiper@0.1.10Malicious npm package published by llxlrPackageprism-silq@1.0.1Malicious npm package published by llxlr
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post Miasma Malware Uses binding.gyp and Bun to Execute Hidden Payloads in npm Packages appeared first on Cyber Security News.
