Miasma Malware Uses binding.gyp and Bun to Hide Payloads in npm Packages

A new Miasma malware wave is abusing binding.gyp files and the Bun JavaScript runtime to execute hidden payloads inside npm packages. The attack affects packages tied to the LeoPlatform and RStreams ecosystems, which developers use in data pipeline, cloud integration, serverless, and connector workflows.

Researchers at Socket said the latest activity is linked to the Mini Shai-Hulud, Miasma, and Hades malware family. The campaign targets developer machines, CI/CD runners, GitHub Actions workflows, and AI coding tool configuration files.

StepSecurity separately reported that 20 LeoPlatform packages were republished in a coordinated burst on June 24, 2026. Socket’s wider package set includes 23 affected npm versions after adding RStreams, serverless, solo-nav, and packages published by another npm user.

How the Miasma npm attack works

The attack starts when a developer or CI system installs a compromised package. Instead of relying on a visible preinstall or postinstall script in package.json, the attackers added a malicious binding.gyp file.

This matters because npm can invoke node-gyp when it sees a binding.gyp file. Snyk described this technique in the wider Miasma campaign as a way to run code during installation without the obvious lifecycle scripts many tools already monitor.

In the new LeoPlatform wave, the binding.gyp trigger runs a replaced index.js file. That file is no longer normal library code. It is a large, obfuscated JavaScript loader designed to decode and run additional malware.

Stage	What happens	Why it helps attackers
Install	npm sees binding.gyp	Execution starts without a visible install script
Build configuration	node-gyp runs command expansion	The package looks like a native build step
Loader	index.js decodes hidden JavaScript	Static analysis becomes harder
Runtime	The payload uses Bun	Node-focused defenses may miss execution
Impact	Secrets are stolen and repositories are poisoned	The attack can spread through developer workflows

Why Bun makes this campaign harder to spot

The loader uses ROT-style decoding, AES-GCM encrypted blobs, and runtime reconstruction to hide its real behavior. After the first stage runs, the malware resolves or installs Bun and then launches the main payload through it.

Bun itself is a legitimate JavaScript runtime. The problem is that many security tools and monitoring rules focus heavily on Node.js execution, npm lifecycle scripts, and common shell patterns. By moving later stages into Bun, the attackers try to reduce visibility.

The payload is built to steal credentials from the places developers use every day. It targets package registries, cloud services, GitHub, CI/CD systems, Docker, Kubernetes, SSH keys, and configuration files used by AI coding assistants.

Affected npm packages include LeoPlatform and RStreams

The latest wave affected packages used across data and serverless workflows. Socket lists affected versions including [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], and [email protected].

The package set also includes [email protected], [email protected], and [email protected], which Socket says were published by the npm user llxlr. This shows the campaign was not limited to one publisher account.

StepSecurity’s analysis found that the 20 LeoPlatform packages alone receive about 13,600 downloads per week. That download volume raises the risk for CI runners, automated builds, and developer systems that update dependencies quickly.

What Miasma tries to steal

The current Miasma payload hunts for sensitive files and tokens across developer and build environments. Its goal is not only to steal data, but also to reuse stolen access to spread into other repositories and package ecosystems.

• .env files and local configuration files
• npm, PyPI, RubyGems, and GitHub tokens
• AWS, Azure, GCP, Vault, Kubernetes, and Docker credentials
• SSH keys and shell history
• Slack and Twilio tokens
• GitHub Actions secrets and runner context data
• Claude, Cursor, Gemini, VS Code, and Copilot-related configuration paths

The malware also checks for security products, including common endpoint detection tools. Like earlier Miasma activity, researchers observed a Russian locale guard that can stop execution on systems configured for Russian-language environments.

GitHub Actions and AI coding tools are major targets

Miasma heavily targets GitHub Actions because build workflows often hold publishing tokens, cloud credentials, and OIDC permissions. The malware searches for workflows that publish packages or interact with registries, then attempts to steal secrets from the runner environment.

One recurring fake workflow name is Run Copilot. The name is designed to blend into AI-assisted development activity, but the workflow can quietly upload stolen secrets as artifacts.

The campaign also plants hooks for coding tools and editors. Socket’s report says the malware targets Claude, VS Code, Cursor, Gemini, and Copilot-related configuration paths so poisoned repositories can trigger later execution when developers open or use them.

The campaign has moved beyond npm

Socket also found a related payload family in a Go source archive linked to the Verana Blockchain project. The important detail is that this Go case does not execute through normal Go module resolution or Go build logic.

Instead, the risk comes from source-repository execution. A developer who clones the repository and opens it in a trusted editor or AI coding environment could trigger the payload through configuration files.

That change shows why defenders need to inspect repositories, not only package manifests. Malicious workflows, IDE tasks, AI-agent hooks, and hidden setup scripts can survive after a bad npm version has been removed.

Key indicators teams should check

Indicator type	Example	Why it matters
File	binding.gyp	Added to packages that previously did not need native build behavior
File	index.js	Replaced with a large one-line obfuscated loader
Repository file	.github/setup.js	Injected payload file in poisoned repositories
Repository file	_index.js	Secondary payload seen in GitHub repositories
AI tool hook	.claude/setup.mjs	Used to trigger malware through developer tooling
Editor task	.vscode/tasks.json	Can trigger execution when a folder opens
Campaign string	RevokeAndItGoesKaboom	Links related Miasma and GitHub Actions activity

Security teams should also look for unexpected Bun downloads, unusual node-gyp rebuild activity in pure JavaScript packages, new orphan branches, suspicious Dependabot-like commits, and GitHub API content uploads from build runners.

What affected developers should do now

Teams that installed an affected package should treat the environment as compromised until they complete a review. Removing the package alone is not enough because stolen credentials may already have been used elsewhere.

1. Identify every developer machine, CI runner, and build container that installed an affected version.
2. Preserve logs and forensic artifacts before cleanup where possible.
3. Remove malicious versions and rebuild from a known-good lockfile.
4. Rotate npm, GitHub, PyPI, RubyGems, cloud, Vault, Kubernetes, Docker, SSH, Slack, Twilio, and CI/CD secrets.
5. Rotate credentials from a clean machine, not from the potentially infected host.
6. Audit repositories for .github/setup.js, _index.js, AI-agent hooks, suspicious workflows, and unexplained Bun usage.
7. Review GitHub Actions runs for artifact uploads, Bun downloads, new repositories, and unusual content-upload API calls.

The wider Snyk analysis recommends using known-good versions, checking for suspicious binding.gyp behavior, and treating exposed credentials as unsafe. That advice also applies to the newer LeoPlatform and RStreams wave.

How to reduce future supply chain risk

Developers should review dependency changes before merging automated updates. A package that suddenly adds binding.gyp, Bun usage, oversized index.js files, or new AI-tool configuration files deserves extra scrutiny.

GitHub recommends pinning third-party Actions to full-length commit SHAs in its secure use guidance. This helps prevent a workflow from automatically following a malicious tag or branch update after an action maintainer account is compromised.

Organizations should also restrict npm publishing tokens, limit GitHub Actions permissions, and review OIDC trust settings. GitHub’s Actions security documentation is a useful baseline for reducing the impact of compromised workflows.

Security teams should add Bun visibility to endpoint and CI monitoring, especially in environments where Bun is not normally used. The official Bun documentation can help defenders understand normal runtime paths, commands, and install behavior before writing detection rules.

The Miasma campaign shows how modern supply chain malware now targets the full developer workflow. Package installs, CI jobs, repository settings, editor tasks, and coding assistant hooks all need monitoring because attackers can move between them quickly.

FAQ