ProBackend
ai cybersecurity threats
1 hour ago5 min read

Miasma Campaign Automates Credential Theft via Leo Platform and RStreams npm Packages

The latest wave of the Miasma supply chain attack has targeted npm packages in the Leo Platform and RStreams ecosystems, leveraging compromised maintainer accounts to automate the theft of developer and CI/CD secrets.

The Miasma Campaign's Latest Evolution

The Miasma supply chain worm has evolved once again, this time targeting the Leo Platform and RStreams ecosystems. This isn't your typical supply chain attack—it's a fully automated, lightning-fast operation that compromised over 20 npm packages in under three seconds. The attackers didn't just exploit vulnerabilities; they hijacked a maintainer's account, czirker, to turn legitimate packages into trojan horses.

What makes this wave particularly insidious is its focus on credential harvesting. We're not talking about run-of-the-mill password stealing here. The malware is designed to vacuum up AWS keys, Azure tokens, GitHub Personal Access Tokens, Kubernetes secrets—you name it. If it's a secret developers use, Miasma wants it. And it's not just going after individual developers; it's targeting CI/CD pipelines, where credentials often have elevated permissions across entire organizations.

The Miasma Campaign's Latest Evolution

How Miasma Operates: A Technical Breakdown

The technical sophistication of this campaign is what really sets it apart. First, there's the delivery mechanism: compromised npm packages. Developers install what they think is a legitimate dependency, and boom—they've just invited Miasma into their environment.

But here's where it gets clever. Instead of using traditional command-and-control servers that security tools might detect, Miasma exfiltrates stolen data by committing it directly to a new GitHub repository on the victim's own account. It's like a burglar using your own car to haul away your stolen goods—right under the nose of security cameras.

The malware has also evolved its execution environment. It now uses the Bun JavaScript runtime instead of Node.js. Why? Because many security tools are optimized to detect malicious activity in Node.js environments. By switching to Bun, the attackers are trying to slip past defenses that aren't looking for threats in this newer runtime.

And let's talk about persistence. Miasma doesn't just want to steal your credentials once—it wants to keep coming back. It attempts to maintain access by hijacking the victim's maintainer rights, even going so far as to circumvent two-factor authentication. This isn't just a smash-and-grab operation; it's a long-term occupation.

How Miasma Operates: A Technical Breakdown

The Scope of the Compromise

The speed and scale of this attack are staggering. Over 20 packages were poisoned in what amounts to the blink of an eye in cybersecurity terms—under three seconds. This isn't some manual operation where attackers carefully target each package; it's a fully automated system that can compromise multiple packages simultaneously.

The implications are severe. Any organization that has installed these affected versions needs to assume their developer machines and CI environments are compromised. This isn't just about the initial breach—it's about what the attackers can do with the credentials they've stolen. We're potentially looking at lateral movement across cloud environments, access to proprietary code repositories, and even the ability to sign malicious code updates that would appear legitimate to other developers.

Perhaps most worrying is how this attack exploits the trust inherent in open-source ecosystems. Developers rely on package maintainers to vet what goes into the packages they depend on. When maintainer accounts get compromised, that entire trust chain breaks down.

Mitigation Strategies: What You Need to Do Now

If your organization has been using the affected packages, time is of the essence. Here's what you need to do immediately:

  1. Rotate all affected secrets: This isn't just about the credentials you know were exposed. Assume any secret that could have been accessed needs to be rotated. That means AWS keys, Azure tokens, GitHub PATs, Kubernetes secrets—everything.

  2. Inspect your build environment: Don't just stop at rotating credentials. You need to thoroughly inspect your build caches, container images, and dependency lockfiles for any residual malicious code. Miasma is designed to persist, so you need to be just as thorough in rooting it out.

  3. Review maintainer account security: If you're a package maintainer, now is the time to review your account security. Enable 2FA if you haven't already, and consider using hardware security keys for an extra layer of protection.

  4. Monitor for unusual activity: Watch for any unusual GitHub repository creation or commits from your accounts. Remember, Miasma exfiltrates data by creating new repositories, so this could be your first sign of compromise.

  5. Consider your supply chain security: This attack highlights the vulnerabilities in modern software supply chains. It's worth reviewing your organization's approach to supply chain security and considering tools that can help detect compromised dependencies before they make it into your environment.

The Bigger Picture: Supply Chain Security in Crisis

The Miasma campaign is just the latest in a growing wave of sophisticated supply chain attacks. What makes it particularly concerning is how it automates and scales the attack process. We're no longer looking at targeted attacks that require significant manual effort from attackers; we're seeing attacks that can compromise dozens of packages in seconds.

This represents a fundamental shift in the threat landscape. The open-source ecosystem that modern software development depends on is built on trust—trust that maintainers are who they say they are, trust that packages contain what they claim to contain. When that trust is broken at scale, it undermines the entire foundation of modern software development.

The industry needs to respond accordingly. This isn't just about better security practices for individual developers or organizations; it's about rethinking how we secure the entire software supply chain. From better identity verification for maintainers to more sophisticated package scanning tools, we need solutions that can keep pace with the evolving threat landscape.

One thing is clear: the Miasma campaign should be a wake-up call for anyone involved in software development. The supply chain attacks aren't coming—they're already here, and they're getting more sophisticated by the day.

More blogs