← Back to blog

Miasma Malware Expands Supply Chain Attack Across npm and Go Ecosystems

Researchers have identified new malicious npm packages and GitHub Actions abuse linked to the Miasma malware family, targeting LeoPlatform and RStreams. The ongoing campaign demonstrates how attackers continue to exploit open-source dependencies and CI/CD workflows to compromise downstream users.

TL;DR

  • Miasma malware family compromised additional npm packages including LeoPlatform and RStreams
  • Attackers abused GitHub Actions workflows to expand their supply chain attack surface
  • Campaign also propagated to Go ecosystem, broadening threat scope beyond JavaScript
  • Supply chain attacks remain a critical risk for development teams relying on third-party dependencies

The Miasma malware family, previously linked to the Mini Shai-Hulud and Hades campaigns, has launched a fresh round of supply chain attacks targeting the npm ecosystem and GitHub Actions workflows. Security researchers have identified malicious releases in popular packages used by development teams, signaling an evolution in how threat actors are exploiting open-source infrastructure.

This campaign underscores the persistent vulnerability of software supply chains, where a single compromised dependency can cascade across thousands of downstream projects. The attackers' use of GitHub Actions abuse adds a new dimension to the threat, allowing them to potentially inject malicious code directly into CI/CD pipelines.

Development teams and security leaders must reassess their dependency management and workflow security practices to mitigate exposure to these evolving threats.

Attack Scope and Affected Packages

  • Malicious npm releases identified in LeoPlatform and RStreams packages
  • GitHub Actions workflows abused to propagate malware and maintain persistence
  • Campaign extends beyond npm into the Go ecosystem, indicating multi-language targeting strategy
  • Attackers leveraging legitimate package repositories to distribute compromised code

Supply Chain Risk and Mitigation Strategies

  • Development teams should implement strict dependency verification and pinning practices
  • Monitor GitHub Actions workflows for unauthorized or suspicious activity
  • Conduct security audits of third-party packages, especially those with infrequent updates
  • Use software composition analysis (SCA) tools to detect known malicious packages
  • Establish incident response procedures for compromised dependencies in production environments

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

Miasma Malware Expands Supply Chain Attack Across npm and Go Ecosystems — Agent Breach Blog | Agent Breach