Miasma — LeoPlatform Supply Chain Attack Expands to Go, Targets AI Coding Assistants

AI relevance: Miasma injects itself into AI coding assistant SessionStart hooks (Claude Code, Copilot, Gemini CLI), establishing persistence that survives across agent sessions and steals credentials from CI/CD runners.

What Happened

• On June 24, 2026, attackers compromised the npm maintainer account "czirker" associated with LeoPlatform
• Within a 6-second window, 23 trojanized npm packages were published: leo-sdk, leo-auth, leo-aws, leo-cli, and 19 others
• The malware uses binding.gyp files to execute arbitrary code during npm install, bypassing typical lifecycle hook detection
• A JavaScript loader downloads and installs the Bun runtime if not present, then deploys an AES-GCM encrypted stealer payload
• The stealer harvests npm tokens, AWS credentials, GitHub Actions secrets, and AI API keys from environment variables
• Miasma drops a malicious GitHub Actions workflow named "Run Copilot" that captures CI/CD secrets from runner memory
• Stolen credentials are exfiltrated to public GitHub repositories with the description "Alright Lets See If This Works" — 559 matching repos found
• The campaign has expanded beyond npm to the Go ecosystem, compromising verana-labs/verana-blockchain@v0.10.1-dev.20
• Miasma establishes persistence in AI coding assistant SessionStart hooks for Claude Code, GitHub Copilot, and Gemini CLI
• The malware includes a Russian locale killswitch and checks for endpoint security software before executing

Why It Matters

This is the third major wave of the Mini Shai-Hulud/Miasma/Hades supply chain campaign in June 2026. Unlike earlier waves that targeted PyPI and MCP developers, this iteration focuses on enterprise AI infrastructure (LeoPlatform is used for serverless AWS deployments) and establishes persistence in AI agent tooling.

The SessionStart hook persistence is particularly dangerous: it survives across agent sessions, meaning a compromised developer machine will continue to leak credentials every time they start a new Claude Code or Copilot session. The GitHub Actions theft workflow demonstrates that AI coding agents are now first-class targets for credential harvesting in CI/CD pipelines.

What to Do

• Audit LeoPlatform dependencies: Check package.json for any leo-* packages. If found, rotate all npm tokens, AWS credentials, and AI API keys immediately
• Scan for Miasma artifacts: Look for binding.gyp files in node_modules, Bun runtime installations in unexpected locations, and GitHub Actions workflows named "Run Copilot"
• Check AI assistant hooks: Inspect SessionStart configurations in Claude Code, Copilot, and Gemini CLI for unauthorized persistence
• Monitor GitHub: Search for repositories with the description "Alright Lets See If This Works" — these may contain your exfiltrated credentials
• Lock down npm accounts: Enable 2FA on all npm maintainer accounts. Rotate tokens for any accounts that shared credentials with compromised maintainers
• Pin dependencies: Use lockfiles and dependency verification (npm audit, Socket, Snyk) before installing packages with native code execution (binding.gyp)

Sources

• The Hacker News — Miasma Malware Targets npm Packages and GitHub Actions
• Socket — Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages
• The Register — Miasma campaign poisons 20-plus npm packages
• SafeDep — Miasma Worm Hits LeoPlatform