
Miasma Supply Chain Attack: Detection and Remediation for npm and GitHub Actions Abuse

Security Arsenal Team
June 26, 2026

The open-source supply chain remains a primary vector for sophisticated adversaries in 2026. Security researchers have identified a concerning evolution of the Miasma malicious software family—linked to the Mini Shai-Hulud and Hades lineages—actively targeting the JavaScript and Go ecosystems. This campaign is not theoretical; it involves confirmed malicious npm packages, specifically LeoPlatform and RStreams, and extends its reach to abuse GitHub Actions workflows.

For defenders, this represents a critical escalation. When a CI/CD pipeline is compromised, the integrity of the entire software development lifecycle (SDLC) is suspect. This post provides the technical telemetry, detection logic, and immediate remediation steps necessary to evict Miasma from your environment.

Technical Analysis

Threat Overview

The Miasma campaign is a multi-faceted supply chain attack designed to infiltrate build environments and exfiltrate data or establish persistence within developer infrastructure. While historically associated with niche malware, recent activity shows a maturation in capability, specifically targeting automation layers.

Affected Platforms and Components

  • Package Managers (npm): The primary delivery vector involves the publication of malicious packages.
    • Malicious Packages: LeoPlatform, RStreams.
    • Functionality: These packages typically contain obfuscated code designed to execute post-install scripts, often reaching out to external command-and-control (C2) infrastructure or downloading second-stage payloads.
  • Automation (GitHub Actions): The adversary has pivoted to abusing GitHub Actions workflows. This technique often involves compromising a repository or using a dependency to trigger a workflow that executes malicious code within the GitHub Actions runner environment.
  • Language Ecosystem (Go): Propagation has been observed impacting the Go ecosystem, suggesting the malware attempts to spread to other development environments present on the infected host.

Attack Chain

  1. Initial Compromise: A developer or CI pipeline installs a compromised npm package (npm install LeoPlatform or npm install RStreams).
  2. Execution: The package.json install or postinstall lifecycle script runs. This is the critical moment: node spawns a shell process (e.g., bash, sh, or powershell) that runs a curl download or a base64-encoded payload.
  3. Payload Delivery: The host connects to an external C2 server to retrieve the Miasma payload.
  4. GitHub Actions Abuse: If the infected code is pushed to a repo, or if the workflow logic is altered, the malicious code executes inside the GitHub-hosted runner, potentially exposing repository secrets (tokens, keys) or poisoning the artifact build.

Exploitation Status

  • Status: Confirmed Active Exploitation.
  • Observations: Malicious packages are currently live in the registry. Researchers have observed infrastructure overlap with previous Hades-related campaigns.

Detection & Response

Sigma Rules

The following Sigma rules detect the installation of the specific malicious packages and the suspicious behavior of Node.js spawning shell processes—a hallmark of malicious npm packages.

YAML
---
title: Miasma Malicious npm Package Installation
id: a8c9d1e0-2b4f-4c6a-9e1f-3a5b7c8d9e0f
status: experimental
description: Detects the installation of known Miasma-associated malicious npm packages (LeoPlatform, RStreams). On Windows, npm.cmd is a batch file that runs through cmd.exe and node.exe, so the npm launcher is matched on the command line as well as on the image.
references:
  - https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_npm:
    - Image|endswith:
        - '\npm.cmd'
        - '\npm.exe'
    - CommandLine|contains:
        - 'npm.cmd'
        - 'npm-cli.js'
  selection_install:
    CommandLine|contains:
      - ' install '
      - ' i '
      - ' add '
  selection_package:
    CommandLine|contains:
      - 'leoplatform'
      - 'rstreams'
  condition: all of selection_*
falsepositives:
  - Legitimate installation of packages with similar names (verify exact spelling)
level: critical
---
title: Suspicious Node.js Child Process - Potential npm Malware
id: b1d2e3f4-5a6b-7c8d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects Node.js spawning shell or download utilities, common in malicious npm packages like Miasma.
references:
  - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\node.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\curl.exe'
      - '\wget.exe'
      - '\bash.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate build scripts that invoke system shells (rare in production runs)
level: high
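The logic of the two Sigma rules above, as an added Python matcher (not part of the original post) run over four constructed process-creation events. It also accounts for npm on Windows running as npm.cmd through cmd.exe and node.exe, so the npm invocation is matched on the command line rather than only on the image.

```python
import re

# Constructed process-creation events (not real telemetry) in the field shape
# the Sigma rules above use: Image, CommandLine, ParentImage.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ""C:\Program Files\nodejs\npm.cmd" install leoplatform"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'node "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" i rstreams',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File postinstall.ps1",
     "ParentImage": r"C:\Program Files\nodejs\node.exe"},
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "node build.js",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

MIASMA_PACKAGES = ("leoplatform", "rstreams")
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\curl.exe", "\\wget.exe", "\\bash.exe")
INSTALL_RE = re.compile(r"\s(install|i|add)\s")  # npm install and its short aliases


def is_npm_invocation(e):
    # npm.cmd is a batch file, so on Windows the image is cmd.exe or node.exe;
    # match the npm launcher on the command line as well as on the image.
    cl = e["CommandLine"].lower()
    return (e["Image"].lower().endswith(("\\npm.cmd", "\\npm.exe"))
            or "npm.cmd" in cl or "npm-cli.js" in cl)


def rule_malicious_install(e):
    # Rule 1: npm install of a package named in the Miasma campaign.
    cl = e["CommandLine"].lower()
    return (is_npm_invocation(e) and INSTALL_RE.search(cl) is not None
            and any(p in cl for p in MIASMA_PACKAGES))


def rule_node_spawns_shell(e):
    # Rule 2: node.exe spawning a shell or download utility.
    return e["ParentImage"].lower().endswith("\\node.exe") and e["Image"].lower().endswith(SHELLS)


def evaluate(events):
    """Return (rule title, event index) for every rule that fires, in event order."""
    hits = []
    for i, e in enumerate(events):
        if rule_malicious_install(e):
            hits.append(("Miasma Malicious npm Package Installation", i))
        if rule_node_spawns_shell(e):
            hits.append(("Suspicious Node.js Child Process", i))
    return hits
```

Feed real events from your EDR export into evaluate() to confirm the rules fire before deploying the Sigma versions.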

KQL (Microsoft Sentinel / Defender)

This hunt queries for process creation events associated with npm installation and the specific package names identified in the Miasma campaign.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
// npm on Windows runs as npm.cmd -> cmd.exe -> node.exe npm-cli.js, so key on the command line
| where FileName in~ ("npm.exe", "npm.cmd", "cmd.exe", "node.exe")
| where ProcessCommandLine contains "npm.cmd" or ProcessCommandLine contains "npm-cli.js" or ProcessCommandLine contains "npm.exe"
// npm install and its short aliases as whole tokens
| where ProcessCommandLine matches regex @"(?i)\s(install|i|add)\s"
| where ProcessCommandLine has_any ("leoplatform", "rstreams")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend AlertDetail = "Miasma Malicious Package Installation Detected"

Velociraptor VQL

This artifact hunts for running Node processes that have command lines containing the malicious package names, or suspicious child processes spawned by Node.

VQL — Velociraptor
-- Hunt for Miasma related npm processes (=~ is a regex match in VQL)
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ "^node"
  AND (CommandLine =~ "leoplatform" OR CommandLine =~ "rstreams")

-- Hunt for suspicious child processes of Node. VQL has no SQL JOIN;
-- iterate the Node processes with foreach() and match children on Ppid.
LET NodeProcs = SELECT Pid AS ParentPid, Name AS ParentName
  FROM pslist()
  WHERE Name =~ "^node"

SELECT * FROM foreach(
  row=NodeProcs,
  query={
    SELECT ParentPid, ParentName, Pid, Name, CommandLine
    FROM pslist()
    WHERE Ppid = ParentPid
      AND Name =~ "^(bash|sh|cmd|powershell|curl|wget)(.exe)?$"
  })

Remediation Script (Bash)

Use this script in your Linux or macOS CI/CD environments to scan the package-lock.json and yarn.lock files in the current directory for the malicious packages.

Bash / Shell
#!/bin/bash

# Remediation Script for Miasma Malicious npm Packages
# Targets: LeoPlatform, RStreams (npm stores package names in lowercase)

echo "[*] Scanning for Miasma malicious packages..."

MALICIOUS_PACKAGES=("leoplatform" "rstreams")
FOUND=0

# Scan package-lock.json. lockfileVersion 1 keys entries as "name",
# lockfileVersion 2/3 as "node_modules/name" paths; match both forms.
if [ -f "package-lock.json" ]; then
    for pkg in "${MALICIOUS_PACKAGES[@]}"; do
        if grep -Eqi "(\"|/)$pkg\"" package-lock.json; then
            echo "[!] ALERT: Malicious package '$pkg' found in package-lock.json"
            FOUND=1
        fi
    done
fi

# Scan yarn.lock. Entries start with name@range, optionally quoted.
if [ -f "yarn.lock" ]; then
    for pkg in "${MALICIOUS_PACKAGES[@]}"; do
        if grep -Eqi "^\"?$pkg@" yarn.lock; then
            echo "[!] ALERT: Malicious package '$pkg' found in yarn.lock"
            FOUND=1
        fi
    done
fi

if [ "$FOUND" -eq 1 ]; then
    echo "[!] ACTION REQUIRED: Remove the malicious dependencies immediately."
    echo "    Recommended: remove the dependency from package.json, then"
    echo "    rm -rf node_modules package-lock.json && npm install"
    exit 1
else
    echo "[+] No Miasma indicators found in current directory."
    exit 0
fi

Remediation

  1. Immediate Removal: If your environment uses LeoPlatform or RStreams, remove them immediately. Delete the package reference from package.json.
  2. Sanitize Environments:
    • Delete node_modules folders and lock files (package-lock.json, yarn.lock).
    • Reinstall dependencies using only verified sources.
  3. Audit GitHub Actions:
    • Review your .github/workflows directory for any unauthorized changes.
    • Revoke all GitHub Actions secrets (PATs, deployment keys) that may have been exposed to the compromised runner environment. Assume they are compromised.
  4. Dependency Review: Implement a policy requiring manual review or automated blocking of packages with few downloads or suspicious names (typosquatting) to prevent future Miasma-style infections.
  5. Network Blocking: Block network egress from build runners to unknown or non-categorized external domains. Miasma relies on outbound C2 communication; breaking this path contains the malware.
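Remediation steps 1 and 2, together with the execution step of the attack chain, as an added Python example that is not the post's own script: it parses package-lock.json (both the nested lockfileVersion 1 layout and the flat node_modules/ paths of versions 2 and 3) instead of grepping it, reports the named packages, and lists every dependency the lockfile marks with hasInstallScript, since an install-time script is where the attack chain executes. The two sample lockfiles are constructed.

```python
import json
from pathlib import Path

# Package names the post reports as malicious (npm stores names in lowercase).
MIASMA_PACKAGES = {"leoplatform", "rstreams"}


def _walk_v1(deps, out):
    """Flatten the nested 'dependencies' tree of a lockfileVersion 1 file."""
    for name, meta in (deps or {}).items():
        out.append((name, meta.get("version", "?"), False))  # v1 has no install-script flag
        _walk_v1(meta.get("dependencies"), out)


def lockfile_packages(lock):
    """Return (name, version, has_install_script) for every package in a parsed package-lock.json."""
    out = []
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2/3: keys are node_modules/... paths
        for path, meta in packages.items():
            if path == "":  # the root project entry
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            out.append((name, meta.get("version", "?"), bool(meta.get("hasInstallScript"))))
    else:
        _walk_v1(lock.get("dependencies"), out)
    return out


def scan_lockfile(lock):
    """Return (Miasma packages present, packages that run an install-time script)."""
    pkgs = lockfile_packages(lock)
    found = [p for p in pkgs if p[0].lower() in MIASMA_PACKAGES]
    install_scripts = [p for p in pkgs if p[2]]
    return found, install_scripts


def scan_path(path="package-lock.json"):
    return scan_lockfile(json.loads(Path(path).read_text(encoding="utf-8")))


# Constructed samples, not real lockfiles: one v3 layout and one nested v1 layout.
SAMPLE_LOCK_V3 = {"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "dependencies": {"lodash": "^4.17.21", "leoplatform": "^1.0.0"}},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/leoplatform": {"version": "1.0.0", "hasInstallScript": True},
    "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": True},
}}
SAMPLE_LOCK_V1 = {"lockfileVersion": 1, "dependencies": {
    "foo": {"version": "1.0.0", "dependencies": {"rstreams": {"version": "2.0.0"}}}}}
```

Every entry in the install-script list is a package that runs code at npm install time, which is the review list to work through after the named packages are gone.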
