Miasma Malware Campaign Found Hiding Malicious Code in More Than 20 npm Packages to Steal Developer Secrets


Monday, June 29, 2026

Microsoft has detected a malware campaign named Miasma, a self-propagating supply chain worm. The latest activity involved malicious code embedded in more than 20 versions of npm packages used in the Leo Platform and RStreams ecosystems. According to Microsoft Threat Intelligence, the attack began on the evening of June 24, when threat actors compromised an npm package maintainer account named czirker and used it in an automated workflow to push malicious versions of all the affected packages in less than three seconds. The incident directly affected software development environments and continuous integration runners.

The latest version of Miasma is designed to search for and collect cloud access credentials, including those for AWS, Azure, and Google Cloud, as well as GitHub Personal Access Tokens, Kubernetes secrets, HashiCorp Vault data, 1Password data, and npm publishing credentials. The malware can also extract data from the memory of GitHub Actions runners and exfiltrate stolen information to newly created GitHub repositories through the victim’s account, instead of sending it to a traditional command-and-control server. Security firm Sonatype stated that the malware has evolved technically by moving away from traditional npm installation hooks and hiding malicious code in other parts of the installation process. It also downloads and runs the Bun JavaScript runtime instead of Node.js to evade detection by security software. In addition, it attempts to republish packages that the victim is authorized to maintain in order to bypass npm two-factor authentication and further expand its spread.

For prevention and risk mitigation, Microsoft has advised organizations that installed affected package versions to assume from the outset that developer workstations and CI environments may have been accessed without authorization. Sonatype also recommends that administrators and developers inspect dependency lockfiles, internal package mirrors, build caches, container images, and CI runners to identify and remove any remaining malicious files before rotating passwords and access credentials. If credentials are rotated before the malware is fully removed from the environment, threat actors may be able to capture the new credentials as well.

Source: https://www.theregister.com/security/2026/06/26/miasma-campaign-poisons-20-plus-npm-packages-hunts-for-developer-secrets/5262886