Miasma Malware Campaign Uses binding.gyp and Bun to Hide Payloads in npm Packages
A supply-chain attack campaign named Miasma has been discovered hiding malicious payloads in over 20 npm packages, using a binding.gyp file and the Bun runtime to steal developer credentials and cloud secrets.

Supply chain attackers are getting more creative, and the latest threat is proof of that. A malware campaign known as Miasma has been caught hiding inside widely used npm packages, using a clever mix of tools and techniques to stay hidden while stealing sensitive developer credentials. The attack involves packages tied to the LeoPlatform and RStreams ecosystems, which are used in data pipeline and cloud integration workflows. Malicious versions of over 20 npm packages were published within a tight window on June 24, 2026, catching many developers off guard.
The scope of the attack is wider than it first appears, with additional infected packages published under a separate npm user account named llxlr. Researchers at Socket.dev said in a report shared with Cyber Security News that this campaign is part of a broader threat cluster also connected to related malware families called Mini Shai-Hulud and Hades. The team has been tracking the family across multiple waves, noting that its techniques grow more layered and harder to detect with each new release.
What makes this wave particularly concerning is how far the damage can spread. The malware does not just sit inside an infected package. Once it runs, it hunts for credentials, tokens, configuration files, and AI coding tool settings, then uses what it finds to poison other repositories and developer workflows. The campaign also expands beyond npm. Socket researchers found the same payload family inside a Go module linked to the Verana Blockchain project, showing that the attackers are not limiting themselves to a single package ecosystem.
The infection begins the moment a developer installs a package. Instead of declaring a visible install script in package.json, the attackers added a file called binding.gyp to each malicious package. npm treats a binding.gyp at the package root as a sign that the package ships native code: when no install script is declared, npm's default install step is node-gyp rebuild, so the file alone is enough to get a build command run during installation, without the preinstall or postinstall entries that scanners and reviewers look at first. Once triggered, the malicious index.js runs. It is a large, heavily scrambled single-line JavaScript loader that hides its real purpose behind a Caesar-style letter shift and AES-GCM encryption. When decoded, it delivers a final payload built to run under Bun, a fast JavaScript runtime. If Bun is not already installed on the machine, the malware downloads and installs it. Many security tools do not watch Bun processes the way they monitor Node.js, which helps the malware avoid detection.
The payload targets a wide range of sensitive data. It collects environment files, npm and PyPI tokens, GitHub tokens, Slack and Twilio tokens, SSH keys, Kubernetes configs, AWS and Azure credentials, Docker authentication files, CI secrets, and settings tied to AI coding assistants like Claude, Cursor, and Gemini. The malware also checks for popular security tools like CrowdStrike and SentinelOne, and includes a Russian locale guard that stops execution on Russian-language systems. GitHub Actions is a key target, as the malware hunts for workflows that publish packages or hold registry tokens, pulling secrets from the runner environment and using GitHub's own API to exfiltrate stolen data. A recurring fake workflow named "Run Copilot" is designed to blend in with normal AI-assisted development activity while quietly uploading stolen secrets as artifacts.
Teams affected by this campaign should treat any environment that installed an affected package as fully compromised. Rotate all secrets immediately from a clean machine, not from the potentially infected host. Rebuild from a known-good lockfile and audit repositories for injected files such as .github/setup.js, _index.js, orphan branches, and unexpected Bun usage in GitHub Actions runs. Developers should also pin GitHub Actions to full-length commit hashes rather than mutable version tags to prevent tag-based redirection attacks going forward.
Later updates to the story add detail to the picture above. Beyond the LeoPlatform and RStreams npm packages and the Go module in the Verana Blockchain project, a new GitHub dead-drop resolver string, "RevokeAndItGoesKaboom," was observed, and on June 24, 2026 the attackers force-pushed a malicious commit to the codfish/semantic-release-action GitHub Action, moving its version tags so that workflows referencing those tags would run payloads that steal OIDC tokens and propagate backdoors. The malware also polls GitHub hourly for commits matching the string "firedalazer" to retrieve and execute the Hades variant.
According to Microsoft Threat Intelligence, the June 24 wave began with the compromise of the npm maintainer account 'czirker', from which malicious updates to more than 20 packages in the Leo Platform and RStreams ecosystems were published in under three seconds. Sonatype notes that this variant hides its payload differently from earlier Miasma versions, which relied on npm install hooks: the binding.gyp trigger replaces the visible hook, and the final stage runs under a freshly downloaded Bun runtime rather than under Node.js, where more monitoring is focused. Sonatype also reports that the malware scrapes GitHub Actions runner memory for secrets and commits the stolen data to a repository created through the victim's own account, so no attacker-controlled command-and-control server is needed.