Executive Summary
The Miasma malware campaign represents a critical escalation in supply chain attacks targeting the JavaScript ecosystem, specifically npm packages and GitHub Actions. First observed in June 2026, this campaign leverages a novel "Phantom Gyp" technique to bypass traditional install-script security controls, enabling the deployment of a self-propagating worm. The attack chain results in credential theft, CI/CD persistence, and cross-ecosystem propagation, with exfiltration and command-and-control (C2) operations conducted via GitHub repositories. Over 57 npm packages, including widely used libraries such as @vapi-ai/server-sdk and ai-sdk-ollama, were compromised, impacting thousands of downstream projects and organizations globally. The campaign demonstrates advanced technical sophistication, including multi-stage payload obfuscation, runtime environment detection, and the poisoning of AI coding assistants for persistent access.
Threat Actor Profile
Attribution for the Miasma campaign remains unconfirmed, though the operation exhibits hallmarks of a highly skilled, possibly state-sponsored or advanced persistent threat (APT) group. The attackers employ automated tooling for cross-ecosystem propagation, leveraging social engineering in repository descriptions and commit messages. The use of Dune-themed references such as "Shai-Hulud" and "Miasma - The Spreading Blight" in C2 infrastructure suggests a continuity with previous npm supply chain attacks, but no direct links to known threat groups have been established. The actor demonstrates deep familiarity with the npm and GitHub Actions ecosystems, as well as with modern CI/CD and cloud credential management practices.
Technical Analysis of Malware/TTPs
The Miasma malware employs a multi-stage infection chain, beginning with the insertion of a malicious binding.gyp file into npm package tarballs. This file triggers the node-gyp rebuild process during npm install, executing a heavily obfuscated index.js payload via shell command substitution. Unlike traditional install-script attacks, this method evades most security scanners and static analysis tools.
The initial payload is encoded using a ROT-N Caesar cipher and executed via eval(). It then decrypts two AES-128-GCM encrypted blobs: a loader for the Bun JavaScript runtime and the main malware component. The loader fetches and executes Bun from GitHub, allowing the malware to evade Node.js-based monitoring and execute in a less scrutinized environment.
The main malware module performs extensive credential harvesting, targeting AWS, GCP, Azure, HashiCorp Vault, GitHub Actions, 1Password, gopass, and pass. It reads environment variables, queries cloud metadata endpoints, and scrapes process memory (e.g., /proc/<pid>/mem) to extract secrets, including those masked by GitHub Actions. The malware also leverages gh auth token and direct memory access to bypass secret masking.
A unique aspect of Miasma is its poisoning of AI coding assistants and IDEs. The malware injects files such as .claude/setup.mjs, .cursor/rules/setup.mdc, .gemini/settings.json, .vscode/tasks.json, and .github/setup.js into victim repositories. These files are executed by AI assistants or IDEs, providing persistent access and facilitating further compromise.
For propagation, the worm uses stolen credentials to enumerate and republish all npm packages maintained by compromised accounts, forging Sigstore/SLSA provenance. It employs similar techniques for RubyGems and creates new private repositories under the attacker's GitHub account (liuende501) for exfiltration.
C2 and exfiltration are conducted via GitHub repositories, with encrypted JSON blobs containing stolen credentials uploaded to attacker-controlled repos. The malware beacons by searching for specific commit keywords such as thebeautifulmarchoftime and uses obfuscated repo descriptions for operational signaling.
Exploitation in the Wild
The Miasma campaign has been observed actively exploiting compromised maintainer accounts to publish malicious package versions in rapid succession. The worm leverages stolen credentials to infect all packages associated with compromised accounts and attempts to propagate to other ecosystems, including RubyGems and PyPI. Stolen secrets are exfiltrated to attacker-controlled GitHub repositories, and AI assistant configuration files are injected into victim repositories to establish long-term persistence and facilitate code poisoning. The campaign has resulted in the takedown of at least 73 repositories and the compromise of 37 PyPI packages, with significant impact on organizations relying on affected npm packages and CI/CD pipelines.
Victimology and Targeting
The Miasma campaign targets a broad spectrum of organizations and individuals involved in software development, cloud infrastructure management, and CI/CD operations. Victims include maintainers and users of npm packages, organizations leveraging GitHub Actions for CI/CD, and entities utilizing cloud services such as AWS, GCP, and Azure. The attack is global in scope, with no specific country targeting observed. Any organization or individual installing affected npm packages or using compromised CI/CD pipelines is at risk of credential theft, supply chain compromise, and persistent backdoor access via AI coding assistants.
Mitigation and Countermeasures
Organizations are strongly advised to conduct immediate audits for indicators of compromise (IOCs), including the presence of suspicious binding.gyp files, oversized root index.js files not referenced as package mains, and anomalous process trees involving node-gyp and Bun. All credentials associated with npm, GitHub, cloud providers, and HashiCorp Vault should be rotated if affected packages were installed. Review all GitHub repositories for injected AI assistant configuration files and unexpected commits from automated tokens. Block outbound access to attacker-controlled GitHub repositories (e.g., github.com/liuende501) and Bun download URLs at the network perimeter. Enforce package integrity checks, restrict CI/CD permissions, and monitor for unauthorized package publishes in npm and RubyGems audit logs. Harden CI/CD environments by limiting the execution of untrusted code and monitoring for anomalous network activity during package installation.
References
StepSecurity: Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp – https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm
The Hacker News: Miasma Malware Targets npm Packages and GitHub Actions – https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html
Upwind: Miasma npm Worm: RedHat Supply Chain Credential Theft – https://www.upwind.io/feed/miasma-npm-supply-chain-worm-redhat-credential-harvest
Reddit: Miasma supply chain attack toolkit leak – https://www.reddit.com/r/programming/comments/1u1512l/someone_actually_leaked_the_miasma_supply_chain/
HeroDevs: Miasma npm Worm Steals Cloud Creds and Hijacks CI/CD – https://www.herodevs.com/blog-posts/miasma-npm-worm-steals-cloud-creds-and-hijacks-ci-cd
Cloud Security Alliance: Miasma: Red Hat npm Supply Chain Worm – https://labs.cloudsecurityalliance.org/research/csa-research-note-miasma-npm-supply-chain-redhat-20260603-cs/
Unit 42: The npm Threat Landscape – https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/
Phoenix Security: Miasma Supply Chain Attack: Azure Hit, 73 Repos Down, 37 PyPI – https://phoenix.security/miasma-azure-hades-pypi-supply-chain-worm-2026/
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities and respond to emerging threats. For more information or to discuss how Rescana can help secure your organization’s digital ecosystem, please contact us at info@rescana.com.
