Researchers identified a supply chain attack involving Miasma malware targeting multiple npm packages and GitHub Actions. The attack compromises developer credentials to propagate malware across various software ecosystems, posing significant security risks.
Cybersecurity researchers have reported a new evolution of the supply chain attack linked to the Miasma, Mini Shai-Hulud, and Hades malware families. This attack specifically compromises npm packages and GitHub Actions, with the goal of harvesting developer credentials and spreading malware through package registries and repositories.
The following packages have been identified as compromised (npm unless noted otherwise):
- hexo-deployer-wrangler@1.0.4
- hexo-shoka-swiper@0.1.10
- leo-auth@4.0.6
- leo-aws@2.0.4
- leo-cache@1.0.2
- leo-cdk-lib@0.0.2
- leo-cli@3.0.3
- leo-config@1.1.1
- leo-connector-elasticsearch@2.0.6
- leo-connector-mongo@3.0.8
- leo-connector-mysql@3.0.3
- leo-connector-oracle@2.0.1
- leo-connector-redshift@3.0.6
- leo-cron@2.0.2
- leo-logger@1.0.8
- leo-sdk@6.0.19
- leo-streams@2.0.1
- prism-silq@1.0.1
- rstreams-metrics@2.0.2
- rstreams-shard-util@1.0.1
- serverless-convention@2.0.4
- serverless-leo@3.0.14
- solo-nav@1.0.1
- github.com/verana-labs/verana-blockchain@v0.10.1-dev.20 (Go)
The attackers likely breached the npm developer account associated with LeoPlatform using leaked credentials. With that access, they published trojanized versions of the packages in quick succession. The attack employs techniques such as npm registry poisoning and malicious code execution through binding.gyp files.
The malicious packages are designed to install a JavaScript loader that downloads the Bun runtime if it is not already present. This loader then triggers the main payload, which steals credentials and tokens. The malware includes features like a Russian locale killswitch and checks for endpoint security software.
This attack highlights the ongoing vulnerabilities in package management systems and emphasizes the need for stricter credential management practices among developers. Developers are urged to review their npm accounts and be aware of potential vulnerabilities in their workflows.
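As an added, defender-side illustration (not code from the reporting or from any of the listed projects), the following Python scan checks a project's package-lock.json against the package@version list above, flagging exact matches and separately flagging other versions of the same packages; the lockfile it runs on is constructed for the demo, and lockfileVersion 2/3 layout is assumed.

```python
import json

# Compromised npm package@version pairs copied from the list above (the Go
# module entry is outside npm and is left out of this scan).
COMPROMISED = """
hexo-deployer-wrangler@1.0.4 hexo-shoka-swiper@0.1.10 leo-auth@4.0.6 leo-aws@2.0.4
leo-cache@1.0.2 leo-cdk-lib@0.0.2 leo-cli@3.0.3 leo-config@1.1.1
leo-connector-elasticsearch@2.0.6 leo-connector-mongo@3.0.8 leo-connector-mysql@3.0.3
leo-connector-oracle@2.0.1 leo-connector-redshift@3.0.6 leo-cron@2.0.2 leo-logger@1.0.8
leo-sdk@6.0.19 leo-streams@2.0.1 prism-silq@1.0.1 rstreams-metrics@2.0.2
rstreams-shard-util@1.0.1 serverless-convention@2.0.4 serverless-leo@3.0.14 solo-nav@1.0.1
""".split()
# Split on the last "@" so scoped names (@scope/pkg@1.2.3) would also parse.
BAD = dict(spec.rsplit("@", 1) for spec in COMPROMISED)

def installed_packages(lock):
    """Yield (name, version) for each entry of a lockfileVersion 2/3 lockfile,
    whose "packages" map is keyed by node_modules path ("" is the root)."""
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" in path:  # nested paths end in the innermost name
            yield path.rsplit("node_modules/", 1)[1], meta.get("version")

def scan_lockfile(text):
    """Return (hits, watch): exact compromised versions, plus other versions of
    the same packages, which still merit review because the publishing account
    itself was breached."""
    hits, watch = set(), set()
    for name, version in installed_packages(json.loads(text)):
        if name in BAD:
            (hits if version == BAD[name] else watch).add(f"{name}@{version}")
    return sorted(hits), sorted(watch)

# Constructed sample lockfile (v3) for demonstration; not a real project.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/leo-sdk": {"version": "6.0.19"},
        "node_modules/leo-config": {"version": "1.0.9"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/leo-cli/node_modules/leo-logger": {"version": "1.0.8"},
    },
})

if __name__ == "__main__":
    hits, watch = scan_lockfile(SAMPLE_LOCK)
    print("compromised:", hits)  # ['leo-logger@1.0.8', 'leo-sdk@6.0.19']
    print("review:", watch)      # ['leo-config@1.0.9']
```

To run it against a real project, replace SAMPLE_LOCK with the contents of that project's package-lock.json; a non-empty "watch" list means the dependency came from the breached account even if the installed version is not one of the listed ones.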
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.