Full Report
Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers
Analysis Summary
# Incident Report: Miasma Supply Chain Attack (Leo Platform & RStreams)
## Executive Summary
A highly automated supply chain attack, dubbed "Miasma," compromised over 20 legitimate npm packages associated with the Leo Platform and RStreams ecosystems. The malware functions as a self-propagating worm designed to harvest cloud credentials, developer secrets, and npm publishing rights to further spread malicious updates. The campaign is notable for its speed, executing automated compromises in under three seconds.
## Incident Details
- **Discovery Date:** June 24, 2026
- **Incident Date:** June 24, 2024 (Ongoing campaign)
- **Affected Organization:** Leo Platform, RStreams, and downstream users of affected npm packages.
- **Sector:** Software Development / Technology
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** June 24, 2026 (Late)
- **Vector:** Credential compromise of npm maintainer account "czirker."
- **Details:** Attackers gained access to a legitimate maintainer account to publish poisoned updates to more than 20 packages within a 3-second window.
### Lateral Movement
- The malware attempts to identify other npm packages the victim has permission to maintain. It then automatically republishes those packages with the Miasma payload to move horizontally across the npm ecosystem.
### Data Exfiltration/Impact
- **Credential Harvesting:** Targeted AWS, Azure, Google Cloud, GitHub tokens, Kubernetes secrets, HashiCorp Vault, 1Password data, and npm credentials.
- **Memory Scraping:** Scraped GitHub Actions runner memory.
- **Exfiltration Method:** Stolen data is committed to a GitHub repository created via the victim’s own account.
### Detection & Response
- **Detection:** Identified by Microsoft Threat Intelligence and Sonatype.
- **Response Actions:** Public disclosure by Microsoft; Sonatype provided technical analysis of new evasion techniques. Recommendations issued for credential rotation and cache clearing.
## Attack Methodology
- **Initial Access:** Valid Account (npm maintainer compromise).
- **Persistence:** Poisoned dependencies in legitimate software supply chains.
- **Privilege Escalation:** Bypass of npm 2FA during the automated republishing phase.
- **Defense Evasion:** Use of the Bun JavaScript runtime (instead of Node.js) to evade signature-based detection; removal of traditional installation hooks in favor of hidden payload execution.
- **Credential Access:** Scraping memory and searching local files for cloud, vault, and git secrets.
- **Discovery:** Identifying maintainer permissions for other npm packages.
- **Lateral Movement:** Self-propagation via automated package updates.
- **Collection:** Automated searching of developer workstations and CI runners.
- **Exfiltration:** Transferring data to a "dead drop" GitHub repository under the victim's name.
- **Impact:** Compromise of internal CI/CD pipelines and downstream user environments.
## Impact Assessment
- **Financial:** High potential cost related to credential rotation and remediation of cloud environments.
- **Data Breach:** Massive theft of high-privilege developer secrets and infrastructure credentials.
- **Operational:** Disruption to CI/CD pipelines and software delivery for Leo Platform and RStreams users.
- **Reputational:** Significant impact on trust within the npm ecosystem and the affected platforms.
## Indicators of Compromise
- **Network:** Monitoring for unusual commits to newly created GitHub repositories by internal accounts; connections to hxxps[://]github[.]com for data exfiltration.
- **File:** Presence of the Bun runtime in unexpected CI/CD environments; malicious versions of Leo Platform/RStreams npm packages.
- **Behavioral:** Automated npm publishing occurring outside of standard CI/CD schedules/parameters.
## Response Actions
- **Containment:** Removal of poisoned package versions from the npm registry.
- **Eradication:** Clearing local build caches, dependency lockfiles, and container images.
- **Recovery:** Full rotation of all secrets potentially touched by the malware (AWS, Azure, GCP, GitHub, npm, Vault).
## Lessons Learned
- **Automation Advantage:** Attackers can now execute a full compromise chain in seconds, necessitating automated defensive responses.
- **2FA Limitation:** Standard 2FA can sometimes be bypassed or sidestepped if session tokens or publishing rights are compromised directly.
- **Evasion Evolution:** Attackers are moving away from common Node.js hooks toward alternative runtimes like Bun to bypass traditional scanning.
## Recommendations
- **Secret Management:** Implement short-lived credentials and OIDC for CI/CD runners to minimize the value of stolen tokens.
- **Integrity Checks:** Use dependency pinning and hash verification (e.g., `package-lock.json` integrity) to prevent automatic updates to poisoned versions.
- **Monitoring:** Implement anomaly detection for npm publishing activity and monitor for "secret-like" data leaving the network via Git commits.
- **Runtime Security:** Monitor for unauthorized execution of runtimes (like Bun) in environments where they are not standard.