On June 1, 2026, Red Hat's npm packages began delivering a hidden payload inside a 157-byte file. By June 24, the Miasma campaign had compromised at least 109 packages, surpassed half a million infected monthly downloads, and demonstrated that the entire development environment — not just the package manager — has become an attack surface. The decisive technical novelty: Phantom Gyp, a technique that executes arbitrary code during npm install without declaring any script in package.json, rendering the payload invisible to standard monitoring tools.
- Phantom Gyp exploits node-gyp's command substitution syntax in binding.gyp to execute code without lifecycle scripts in package.json, bypassing standard security checks on npm install.
- The payload downloads the Bun v1.3.13 runtime from GitHub to evade Node.js telemetry, then extracts GitHub Actions secrets by reading the Runner.Worker process memory in /proc/{pid}/mem.
- Exfiltration occurs exclusively via authenticated GitHub API calls to attacker-controlled repositories, with no contact to external C2 domains, making traffic indistinguishable from legitimate activity.
- The campaign has expanded beyond the npm ecosystem: on June 24 it hit 20 LeoPlatform packages in a 3-second publishing window, the Go module Verana Blockchain, and 13 AI code-assistance tools including Claude, Copilot, and Gemini.
Phantom Gyp: The Invisible Install
The technical core of the campaign resides in a 157-byte binding.gyp file. According to StepSecurity, the file contains the line <!(node index.js > /dev/null 2>&1 && echo stub.c) in the sources array. The <! syntax triggers node-gyp's command substitution: during the build phase, the system executes node index.js and hides its output, then proceeds with installation without visible signals.
The associated package.json declares no scripts field. This architectural detail is decisive: tools that block or log postinstall, preinstall, and install scripts — the standard defense against malicious npm packages — detect no anomaly. The code executes in a build phase that most organizations do not monitor with the same attention reserved for lifecycle scripts.
"Any package that ships a binding.gyp without C++ sources and without a .node output should be considered suspicious." — StepSecurity
Harden-Runner telemetry captures the full sequence: curl downloads bun-v1.3.13/bun-linux-x64-baseline.zip from GitHub releases, unzip extracts it, and bun executes the payload within a second. The Bun runtime, designed for Node.js compatibility but with a different engine, evades Node-based checks and detection rules specific to the traditional JavaScript ecosystem.
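StepSecurity's heuristic quoted above can be checked mechanically across an installed dependency tree. The following Node.js script is an added example, not code from StepSecurity or from the original article; the function names and the sample package file list are assumptions made for illustration, and the sample binding.gyp is constructed from the line quoted above.

```javascript
// Added example: audit installed packages for the Phantom Gyp pattern.
const fs = require('node:fs');
const path = require('node:path');

const NATIVE_SRC = /\.(c|cc|cpp|cxx|h|hpp|m|mm)$/i;
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Pure check. files: package-relative paths; gypText: binding.gyp content.
function assessPackage(files, gypText, pkgJson) {
  // node-gyp runs <!(cmd) and <!@(cmd) in a shell while it processes the file.
  // Greedy per-line match: two expansions on one line are reported together.
  const commands = gypText.match(/<!@?\(.*\)/g) || [];
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return {
    commands, // what would execute at build time; review each one
    undeclared: !LIFECYCLE.some((s) => s in scripts), // nothing for script monitors to see
    // StepSecurity's heuristic: binding.gyp, but no native sources and no .node file
    suspicious: !files.some((f) => NATIVE_SRC.test(f) || f.endsWith('.node')),
  };
}

// Files of one package, relative to its root, skipping nested node_modules.
function listFiles(dir, base = dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const p = path.join(dir, e.name);
    if (e.isDirectory()) return e.name === 'node_modules' ? [] : listFiles(p, base);
    return [path.relative(base, p)];
  });
}

// Walk a node_modules tree; assess each package root that ships a binding.gyp.
function scanNodeModules(root) {
  const findings = [];
  (function walk(dir) {
    const entries = fs.readdirSync(dir, { withFileTypes: true });
    const has = (n) => entries.some((e) => e.isFile() && e.name === n);
    if (has('binding.gyp') && has('package.json')) {
      const gyp = fs.readFileSync(path.join(dir, 'binding.gyp'), 'utf8');
      const pkg = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8'));
      findings.push({ dir, ...assessPackage(listFiles(dir), gyp, pkg) });
    }
    for (const e of entries) if (e.isDirectory()) walk(path.join(dir, e.name));
  })(root);
  return findings.filter((f) => f.suspicious);
}

// Constructed sample using the binding.gyp line quoted on this page.
const SAMPLE_GYP = '{"targets":[{"target_name":"stub","sources":["<!(node index.js > /dev/null 2>&1 && echo stub.c)"]}]}';
console.log(assessPackage(['package.json', 'index.js', 'binding.gyp'], SAMPLE_GYP, { name: 'sample' }));
```

Call scanNodeModules('node_modules') to audit an existing tree. The commands field deserves review even for packages that do ship native sources, since legitimate addons also use command expansion.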
Runner Memory as a Secret Goldmine
Once active, the payload does not merely collect environment variables or build logs. According to StepSecurity's analysis, the malware identifies the GitHub Actions Runner.Worker process, obtains its PID, and reads /proc/{pid}/mem directly with elevated privileges via sudo. From this read it extracts values marked as secrets in the workflow — those that GitHub Actions masks in logs with the *** syntax — completely bypassing the log-masking mechanism.
The collected materials are encrypted and transmitted via authenticated GitHub API calls. The attacker needs no dedicated C2 infrastructure: they create public repositories with descriptions like "Miasma: The Spreading Blight" or the reverse of "Shai-Hulud: Here We Go Again", and upload data using the victim's tokens. StepSecurity identified 236 repositories on the account liuende501 used as dead drops for credentials, while The Hacker News reports 559 public repositories with the description "Alright Lets See If This Works".
This exfiltration architecture presents a fundamental detection problem. Traffic to api.github.com is legitimate by definition in a CI/CD environment: network detection tools do not flag anomalies, and the compromise manifests only when the token is reused for unauthorized actions.
Red Hat: When Provenance Is the Trap
On June 1, the campaign struck the npm account @redhat-cloud-services with 32 packages averaging roughly 80,000 weekly downloads. According to Wiz, initial access occurred via a compromised Red Hat employee GitHub account, used to push orphan commits that bypassed code review. The packages were published with valid SLSA attestations: the compromised build pipeline generated technically correct provenance, making verification of the compromise impossible based solely on supply-chain metadata.
The payload in this wave reached 4.29 MB — a 25-fold increase over the original ~200 KB file — with four layers of obfuscation. According to Unit 42's analysis, this approach reflects a strategy of "changing indicators the bare minimum to make signature-based detections less effective."
On June 3, a second wave compromised 57 packages across 286 malicious versions, with a total duration under two hours. Among them, @vapi-ai/server-sdk with over 408,000 monthly downloads. On June 24, 20 LeoPlatform packages were published in a coordinated 3-second window at 23:04:55 UTC, with combined weekly downloads of roughly 13,600. StepSecurity verified the toolkit is byte-for-byte identical to the June 3 version: same binding.gyp, same Bun download URL, same 907-byte downloader blob.
From Code to IDE: Expansion Beyond npm
The campaign has breached the boundaries of the npm ecosystem via two distinct vectors. The Go module github.com/verana-labs/verana-blockchain@v0.10.1-dev.20 does not use binding.gyp — irrelevant for Go — but instead includes configuration files for VS Code and Claude that activate when the folder is opened in the IDE, as documented by The Hacker News and CyberPress. This is a source-repository execution, not build-time: the repository itself becomes an infection vector when cloned or opened in an editor.
On June 24 at 15:39:06 UTC, the GitHub Action codfish/semantic-release-action was compromised via force-push with redirection of seven tags. StepSecurity reports the attacker created Repository Rulesets to prevent maintainers from restoring the original state. The 512 KB payload steals OIDC and PAT tokens, encrypts them with AES-128-GCM, and attempts backdoor propagation into other repositories accessible with the stolen credentials. The relay token marker evolved from "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner" to "RevokeAndItGoesKaboom".
The most recent component concerns persistence in AI code-assistance tools. The codfish payload targets 13 tools — Claude, Codex, Gemini, Copilot, Kiro, OpenCode, Cline, Aider, Tabby, Amazon Q, Cody, Bolt, Continue — injecting SessionStart hooks and comments that trigger invisible background execution. This means a developer who opens a repository in VS Code with an AI extension installed can activate the payload without ever running npm install or go mod download.
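Tag redirection of the kind described for codfish/semantic-release-action affects any workflow that references an action by tag or branch rather than by full commit SHA. The following Node.js script is an added example, not code from the article or from StepSecurity; the function names, the sample workflow, its tag names and its 40-hex SHA are constructed for illustration.

```javascript
// Added example: find workflow `uses:` references exposed to tag redirection.
const fs = require('node:fs');
const path = require('node:path');

const FULL_SHA = /^[0-9a-f]{40}$/;
// Action named on this page; extend with others you need to review.
const WATCHLIST = ['codfish/semantic-release-action'];

// Line-based scan of workflow YAML text (no YAML parser; block-style `uses:` only).
function auditWorkflow(text, watchlist = WATCHLIST) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith('./') || ref.startsWith('docker://')) return; // local action or image
    const at = ref.lastIndexOf('@');
    const version = at === -1 ? '' : ref.slice(at + 1);
    const repo = (at === -1 ? ref : ref.slice(0, at)).split('/').slice(0, 2).join('/').toLowerCase();
    const pinned = FULL_SHA.test(version); // tags and branches can be moved; a full SHA cannot
    const watched = watchlist.includes(repo);
    // A pinned but watched action is still listed: confirm the SHA predates the compromise.
    if (!pinned || watched) findings.push({ line: i + 1, repo, version, pinned, watched });
  });
  return findings;
}

// Apply the scan to every workflow file in a checked-out repository.
function auditRepo(repoDir) {
  const dir = path.join(repoDir, '.github', 'workflows');
  if (!fs.existsSync(dir)) return [];
  return fs.readdirSync(dir)
    .filter((f) => /\.ya?ml$/.test(f))
    .flatMap((f) => auditWorkflow(fs.readFileSync(path.join(dir, f), 'utf8'))
      .map((x) => ({ file: f, ...x })));
}

// Constructed sample: the tag names and the 40-hex SHA below are made up.
const SAMPLE = [
  'steps:',
  '  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567',
  '  - uses: codfish/semantic-release-action@v1',
  '  - name: lint',
  '    uses: ./.github/actions/lint',
  '  - uses: actions/setup-node@main',
].join('\n');
console.log(auditWorkflow(SAMPLE));
if (process.argv[2]) console.log(auditRepo(process.argv[2]));
```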
What to Do Now
- Immediate dependency audit: verify the presence of binding.gyp in npm packages lacking C++ sources or binary .node output, with particular attention to versions published between June 1 and June 24, 2026.
- Complete rotation of all GitHub Actions, OIDC, and PAT tokens exposed in CI/CD pipelines, including those with apparently safe expiration: the malware extracts values from memory before they can be revoked.
- Inspect AI code-tool configurations in ~/.config and equivalent directories to detect unauthorized SessionStart hooks, with particular attention to Claude, Copilot, Gemini, and Cody.
- Verify Actions repositories and release tags: check that no GitHub Action used in workflows has suffered a force-push or tag redirection, with particular attention to codfish/semantic-release-action.
Why This Changes the Security Perimeter
Miasma demonstrates that the software attack perimeter is no longer the package manager but the entire developer workflow. The compromise chain begins with npm install, but continues through CI runner memory, GitHub APIs, and finally the IDE with AI assistance. Each link is legitimate in isolation: traffic to GitHub is authorized, opening a repository is normal, running Bun in CI is expected. The sophistication lies in the assembly, not the individual components.
The shift from Shai-Hulud to Miasma — the same infrastructure with new indicators and attack surfaces — suggests a group investing in operational longevity rather than immediate massive impact. According to JFrog, cited by The Hacker News: "The relevant story isn't that the payload is radically new. It's that Shai-Hulud keeps moving through legitimate package ecosystems changing just enough indicators to make stale detections less effective." The question for defenses is no longer whether a package is malicious, but whether any interaction with any repository — clone, install, open — can trigger a compromise.
FAQ
- Does Phantom Gyp work with yarn or pnpm?
- The brief documents its use exclusively with npm install via node-gyp. No verification emerges for yarn, pnpm, or other package managers.
- Are the compromised packages still available on npm?
- Primary sources do not document the current availability status of the packages: some versions may have been withdrawn, others may persist in mirrors and corporate registry caches.
- Does AI persistence require administrative privileges?
- The dossier does not specify the privilege level required for injection of SessionStart hooks into AI tools: target configuration files typically reside in ~/.config, accessible to a standard user.
Sources
- https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html
- https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/
- https://www.darkreading.com/cyber-risk/malicious-openclaw-skills-clawhub-threaten-ai-supply-chain
- https://www.infosectoday.io/miasma-malware-targets-npm-packages-and-github-actions-in-supply-chain-attack/
- https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm
- https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages
- https://cyberpress.org/shai-hulud-hits-npm-go/
- https://www.stepsecurity.io/blog/mass-npm-supply-chain-attack-20-leo-platform-packages-compromised
- https://www.stepsecurity.io/blog/supply-chain-compromise-codfish-semantic-release-action
- https://www.stepsecurity.io/blog/multiple-redhat-cloud-services-npm-packages-compromised
- https://app.stepsecurity.io/github/actions-security-demo/comp-packages/actions/runs/26932681873
- https://app.stepsecurity.io/github/actions-security-demo/comp-packages/actions/runs/26932729784?jobId=79455619199
Information has been verified against cited sources and updated at time of publication.