The open-source supply chain is under renewed pressure from Miasma, a self-propagating worm designed to infiltrate developer workflows. The latest wave of attacks targeted the Leo Platform and RStreams ecosystems, poisoning over 20 versions of legitimate npm packages in a coordinated and near-instantaneous strike.

Lightning-Fast Automated Execution

As reported by Microsoft Threat Intelligence, the attack began on June 24 after threat actors compromised an npm maintainer account named "czirker". Leveraging this access, the Miasma operators published malicious updates to more than 20 packages in a fully automated operation that took less than three seconds to complete.

Targeting the Cloud Credential Economy

The malware's primary objective is not system disruption, but the theft of high-value assets. Miasma targets developer workstations and CI runners, hunting for:
  • AWS, Azure, and Google Cloud credentials.
  • GitHub personal access tokens.
  • Kubernetes secrets and HashiCorp Vault credentials.
  • 1Password data and npm publish tokens.

A Growing Supply Chain Threat

Technical analysis suggests Miasma is part of a broader, evolving campaign. According to StepSecurity, the operation has already compromised 57 npm packages across more than 286 versions. Reports from Tenable further indicate that repositories from Red Hat, Vapi.ai, and Microsoft Azure were affected, highlighting an attack pattern that targets the identity layer of package maintainers rather than the code they publish.

Expanding Beyond Package Installation

Findings from Socket reveal that the campaign has expanded its reach. Obfuscated payloads were discovered in .claude/ directories, alongside Bun launcher scripts and VS Code folder-open tasks. This indicates that the malware can execute as soon as a developer opens a project, turning essential IDE tools into infection vectors.
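One way to audit a freshly cloned checkout for the execution paths Socket describes (VS Code folder-open tasks, install-time lifecycle hooks, scripts dropped under .claude/) before opening it in an editor. This is an added example, not code from the original report or from any vendor named in it; the obfuscation regex is a hypothetical heuristic and the sample tree the demo builds is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # run by npm/bun at install time
# Hypothetical heuristic for obfuscated JavaScript, not a vendor signature.
OBFUSCATION_RE = re.compile(r"eval\(|new Function\(|fromCharCode|\\x[0-9a-fA-F]{2}")

def _load_json(path):
    try:  # tasks.json may be JSONC (comments), so a parse failure is surfaced, not ignored
        return json.loads(path.read_text(encoding="utf-8"))
    except ValueError:
        return None

def scan_project(root):
    """Return (file, reason) findings for content that executes without an explicit user action."""
    findings = []
    tasks_file = root / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        data = _load_json(tasks_file)
        if data is None:
            findings.append((str(tasks_file), "could not parse; review manually"))
        for task in (data or {}).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append((str(tasks_file), f"folderOpen task {task.get('label')!r} runs {task.get('command')!r}"))
    pkg_file = root / "package.json"
    if pkg_file.is_file():
        scripts = (_load_json(pkg_file) or {}).get("scripts", {})
        findings += [(str(pkg_file), f"lifecycle hook {h!r}: {scripts[h]!r}") for h in LIFECYCLE_HOOKS if h in scripts]
    claude_dir = root / ".claude"
    if claude_dir.is_dir():
        for path in claude_dir.rglob("*"):
            if path.is_file() and path.suffix in {".js", ".mjs", ".cjs", ".ts", ".sh"}:
                text = path.read_text(encoding="utf-8", errors="replace")
                obf = " with obfuscation markers" if OBFUSCATION_RE.search(text) else ""
                findings.append((str(path), "script under .claude/" + obf))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed, benign sample tree that trips each check
        root = Path(tmp)
        (root / ".vscode").mkdir()
        tasks = {"tasks": [{"label": "bootstrap", "command": "bun run setup.js", "runOptions": {"runOn": "folderOpen"}}]}
        (root / ".vscode" / "tasks.json").write_text(json.dumps(tasks))
        (root / "package.json").write_text(json.dumps({"scripts": {"postinstall": "node setup.js", "test": "jest"}}))
        (root / ".claude").mkdir()
        (root / ".claude" / "hook.js").write_text("eval(String.fromCharCode(104, 105));\n")
        return scan_project(root)
```

Run `demo()` to see the three findings the constructed tree produces; point `scan_project` at a real checkout to review it before opening the folder.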