🟠 High | Source: The Register — Security
A threat campaign dubbed ‘Miasma’ has compromised over 20 npm packages — including those associated with the Leo Platform and RStreams ecosystems — by injecting malicious code designed to harvest developer credentials. Microsoft identified the campaign, which appears to target package maintainers to gain further footholds and spread the compromise across the npm supply chain. The attack is particularly dangerous because developers who install or update affected packages may unknowingly expose secrets stored in their local environments or CI/CD pipelines.
Security Architect’s Take: Audit your dependency trees immediately for any use of Leo Platform or RStreams packages, and rotate any credentials present in developer environments or CI/CD systems that may have been exposed. Enforce software composition analysis (SCA) tooling with integrity checks — such as lockfile validation and provenance attestation via npm audit signatures — to detect tampered packages before they reach your build pipelines.
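An added example (not code from The Register, Microsoft, or the affected projects) of the dependency-tree and lockfile check the take recommends: it walks a package-lock.json `packages` map, flags any package whose name matches a watchlist, and reports entries that lack an SRI `integrity` hash. The watchlist patterns, package names and the sample lockfile are constructed placeholders; the real package names come from the advisory.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2/3 "packages" map).
// Watchlist patterns and all package names below are constructed placeholders,
// not indicators taken from the Miasma campaign.
const WATCHLIST = [/leo-platform/i, /rstreams/i]; // placeholder patterns

// Derive the package name from a lockfile path, handling nested installs:
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Returns { watched, missingIntegrity } for a parsed package-lock.json object.
function auditLockfile(lock) {
  const watched = [];
  const missingIntegrity = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = nameFromPath(path);
    const id = `${name}@${entry.version || 'unknown'}`;
    if (WATCHLIST.some((re) => re.test(name))) watched.push(id);
    // Registry tarballs should carry an SRI hash; workspace links and
    // bundled dependencies legitimately omit it.
    if (!entry.integrity && !entry.link && !entry.inBundle) missingIntegrity.push(id);
  }
  return { watched, missingIntegrity };
}

// Constructed sample lockfile for demonstration only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/@example/leo-platform-utils': { version: '2.1.0', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/@example/leo-platform-utils/node_modules/rstreams-helper': { version: '0.9.1' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Point it at a real tree with `auditLockfile(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))`, and pair it with `npm audit signatures`, which verifies registry signatures and provenance attestations that this name-and-hash check alone cannot.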
Original advisory: Miasma campaign poisons 20-plus npm packages, hunts for developer secrets