malware
npm
leo-sdk
discovered 2026-06-24LeoPlatform package infected by Miasma worm. High traffic target (1,830 weekly downloads). Also referenced in GitHub Actions workflow OIDC_PACKAGES env var.
Threat types
worm credential_stealer data_exfiltration
Malicious versions
- 6.0.19
Campaigns
Indicators
- sha256 ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108drops
- sha256 9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015drops
- url https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/communicates-with
- github_repo LeoPlatform/Nodejsexfiltrates-to
- github_repo LeoPlatform/auth-sdkexfiltrates-to
- github_repo LeoPlatform/Leoexfiltrates-to
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
- ttp Phantom Gyp binding.gyp Abuseuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1105 Ingress Tool Transferuses
- ttp T1528 Steal Application Access Tokenuses
- ttp T1567.001 Exfiltration to Code Repositoryuses
- ttp Self-Propagation via Trusted Publishing Wormuses
- ttp T1036 Masqueradinguses