Security researchers have uncovered a new supply chain attack involving malware called Miasma, which targets developers by abusing npm packages and GitHub Actions workflows. Instead of attacking users directly, the campaign focuses on software development environments where malicious code can spread through trusted projects. Researchers say this approach allows attackers to compromise systems before applications are even released. The discovery highlights the growing threat of software supply chain attacks.


According to the researchers, the attackers uploaded malicious npm packages that appeared legitimate but secretly contained harmful code. Once installed, these packages downloaded and executed the Miasma malware on the victim’s system. Because developers often rely on open-source packages from npm, the malicious libraries could easily blend in with normal project dependencies. This increases the risk of accidental installation during software development.

The investigation also found that the attackers abused GitHub Actions, a popular automation platform used for building and testing software. By compromising GitHub Actions workflows, the attackers attempted to inject malicious code during the software development process. This technique allows malware to spread through automated pipelines without requiring direct access to developers’ devices. It also makes the attack more difficult to detect during routine development.


Once active, the Miasma malware collects sensitive information from infected environments. Researchers observed attempts to steal authentication tokens, credentials, and other development-related secrets that could provide access to source code repositories or cloud services. Stolen information could allow attackers to move further into an organization’s software infrastructure. This makes developer environments an attractive target for cybercriminals.

The malware also includes mechanisms designed to avoid detection while maintaining access to compromised systems. Instead of performing noisy actions that immediately alert defenders, it quietly gathers information and communicates with attacker-controlled servers. Researchers noted that this stealthy behavior increases the chances of long-term compromise. Such persistence can have serious consequences if development environments remain infected.


Security experts warned that software supply chain attacks continue to evolve as attackers shift their attention toward trusted development tools. Platforms like npm and GitHub have become valuable targets because they are widely used across the software industry. A single compromised package or workflow can potentially affect many downstream projects. This makes early detection and rapid response extremely important.

To reduce the risk of compromise, organizations should carefully review third-party packages before adding them to projects and regularly audit software dependencies. Monitoring GitHub Actions workflows for unexpected changes and limiting access to sensitive credentials can also help strengthen security. Developers are encouraged to use dependency scanning tools and enable repository protection features whenever possible. These practices reduce the chances of malicious code entering the software supply chain.
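One way to implement the workflow monitoring recommended above, as an added example that is not taken from the researchers' report: it compares a workflow file against a reviewed SHA-256 baseline and, going slightly beyond the text, flags actions not pinned to a full commit SHA and a missing top-level `permissions` block. The function names, the sample workflow and the commit id are constructed for illustration.

```python
import hashlib
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_workflow(name, text, baseline):
    """Return findings for one workflow; baseline maps name -> reviewed SHA-256."""
    findings = []
    known = baseline.get(name)
    if known is None:
        findings.append("new workflow, not in reviewed baseline")
    elif known != digest(text):
        findings.append("content differs from reviewed baseline")
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are not checked here
        version = ref.partition("@")[2]
        if not FULL_SHA_RE.match(version):
            findings.append(f"action not pinned to a commit SHA: {ref}")
    # A top-level permissions block limits what the workflow token can do.
    if not re.search(r"^permissions:", text, re.MULTILINE):
        findings.append("no top-level permissions block")
    return findings


# Constructed sample workflow; the 40-hex commit id is a placeholder.
REVIEWED = """on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
"""
# Constructed "unexpected change": permissions dropped, pin replaced by a tag.
MODIFIED = REVIEWED.replace("permissions:\n  contents: read\n", "").replace(
    "@0123456789abcdef0123456789abcdef01234567", "@v4")
BASELINE = {"ci.yml": digest(REVIEWED)}

if __name__ == "__main__":
    for finding in audit_workflow("ci.yml", MODIFIED, BASELINE):
        print("ci.yml:", finding)
```

Run in CI or a scheduled job, a check like this turns an edited workflow into a review item before the pipeline next handles secrets.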


The discovery of Miasma serves as another reminder that attackers are increasingly targeting the tools developers trust every day. As software supply chains become more connected, even a single compromised component can create widespread security risks. Organizations should continue improving visibility across their development environments and apply strong security controls throughout the software lifecycle. Protecting developer infrastructure is now just as important as protecting production systems.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news