Miasma v2: Self-Spreading npm Worm Now Uses Malicious binding.gyp file and Compromises 57 Packages

Two days later, and Miasma already has a new version. The self-spreading npm worm that first surfaced earlier this week is back with a different delivery mechanism: by switching from install scripts to binding.gyp, this latest wave has swept up 57 packages across 286+ malicious versions. True to its name, it spreads like a blight: harvest the credentials, forge the provenance, push to the next set of packages, repeat.

June 4th, 2026

A self-spreading npm worm dubbed Miasma has compromised 57 npm packages across 286+ malicious versions. Rather than declaring the usual preinstall/postinstall lifecycle scripts in package.json, the malware ships a ~157-byte binding.gyp file containing a GYP command expansion ("<!(node index.js > /dev/null 2>&1 && echo stub.c)"). npm's documented default is that a package with a binding.gyp and no install or preinstall script has its install step set to node-gyp rebuild, and node-gyp executes the command inside every <!(...) expansion while it evaluates the file. The result is arbitrary code execution during npm install with no lifecycle script visible in package.json for a reviewer or a script-based scanner to see. (Under the hood the defaulted build is still an ordinary install script, so npm install --ignore-scripts still suppresses it; what changes is that the published package.json reveals nothing.) The switch is paying off for the attackers: this wave is spreading through npm far faster than the first attack earlier this week.

The payload is once again heavily obfuscated. It harvests AWS, GCP and Azure credentials, GitHub Actions secrets (including direct extraction from the runner process's memory via /proc/*/mem), and the contents of 1Password, gopass and pass credential stores. It also writes persistent backdoors into AI coding-assistant configuration files so that future AI-generated code is poisoned. Finally, just like Mini Shai-Hulud, it propagates automatically, forging provenance attestations so that the newly infected packages appear legitimate. Stolen credentials are once again exfiltrated to attacker-controlled GitHub repositories.

Affected Packages

  • @evolvconsulting/evolv-coder-lite version 1.2.0

  • @jagreehal/workflow version 1.16.1

  • @vapi-ai/server-sdk versions 0.11.1, 0.11.2, 1.2.1, 1.2.2

  • ai-sdk-ollama versions 0.13.1, 1.1.1, 2.2.1, 3.8.5

  • autotel versions 2.26.4, 3.4.3

  • autotel-adapters version 0.3.5

  • autotel-audit version 0.1.15

  • autotel-aws version 0.13.10

  • autotel-backends version 2.12.26

  • autotel-cli version 0.8.14

  • autotel-cloudflare version 2.18.16

  • autotel-devtools versions 0.1.1, 1.0.4, 2.1.1, 3.0.2, 4.0.1, 5.1.1, 6.1.2

  • autotel-drizzle version 0.0.27

  • autotel-edge version 3.16.13

  • autotel-eventcatalog versions 1.0.1, 2.0.1, 3.0.1, 4.0.2, 5.0.1

  • autotel-hono version 0.4.26

  • autotel-mcp versions 0.1.14, 2.0.1, 3.0.1, 4.0.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1, 9.0.1, 10.0.1, 11.0.1, 13.0.1, 14.0.1, 15.0.2, 16.0.1, 17.0.2, 18.0.1, 19.0.1, 20.0.1, 21.1.1, 22.0.1, 23.0.1, 24.0.1, 25.0.1, 26.0.2, 27.0.1, 28.0.3

  • autotel-mcp-instrumentation versions 29.0.2, 30.0.5, 31.0.1, 32.0.1, 33.0.2, 34.0.1

  • autotel-mongoose versions 0.0.3, 1.0.2, 2.0.5, 3.0.1, 4.0.1, 5.0.2, 6.0.1

  • autotel-pact versions 0.2.2, 1.0.3

  • autotel-playwright version 0.4.32

  • autotel-plugins version 0.19.26

  • autotel-sentry version 0.5.13

  • autotel-subscribers versions 4.1.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1, 9.0.1, 10.0.1, 11.0.1, 12.0.1, 13.0.1, 14.1.1, 15.0.1, 16.0.2, 17.0.1, 18.0.3, 19.0.1, 20.0.1, 21.0.1, 22.0.2, 23.0.2, 24.0.1, 25.0.1, 26.0.1, 27.0.2, 28.0.2, 29.0.6, 30.0.4, 31.1.4

  • autotel-tanstack version 1.13.27

  • autotel-terminal versions 2.1.1, 3.0.1, 4.0.2, 5.0.1, 6.0.3, 7.0.1, 8.0.1, 9.0.1, 10.0.2, 11.0.1, 12.0.1, 13.0.1, 14.0.1, 15.0.2, 16.0.2, 17.0.10, 18.0.4, 19.0.8, 20.0.2, 21.0.1, 22.0.2, 23.0.3

  • autotel-vitest version 0.4.26

  • autotel-web version 1.12.2

  • awaitly version 1.33.3

  • awaitly-analyze versions 0.24.2, 1.1.1, 2.0.1, 3.0.1, 4.0.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1

  • awaitly-libsql versions 0.1.1, 1.0.1, 2.0.1, 3.0.1, 4.0.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1, 9.0.1, 10.0.1, 11.0.1, 12.0.1, 13.0.1, 14.0.1, 15.0.1, 16.0.1, 17.0.1, 18.1.1, 19.0.1, 20.0.1, 21.0.1, 22.0.1

  • awaitly-mongo versions 0.1.1, 1.0.1, 2.0.1, 3.0.1, 4.0.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1, 9.1.1, 10.0.1, 11.0.1, 12.0.1, 13.0.1, 14.0.1, 15.0.1, 16.0.1, 17.0.1, 18.0.1, 19.1.1, 20.0.1, 21.0.1, 22.0.1, 23.0.1

  • awaitly-postgres versions 0.1.1, 1.0.1, 2.0.1, 3.0.2, 4.0.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1, 9.0.1, 10.0.1, 11.0.1, 12.0.1, 13.0.1, 14.0.1, 15.0.1, 16.0.1, 17.0.1, 18.0.1, 19.1.1, 20.0.1, 21.0.1, 22.0.1, 23.0.1

  • awaitly-visualizer versions 1.0.1, 2.0.2, 3.0.1, 4.0.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1, 9.0.1, 10.0.1, 11.0.1, 12.0.1, 13.0.1, 14.0.1, 15.0.1, 16.0.1, 17.0.1, 18.1.1, 19.0.1, 20.0.2, 21.0.1, 22.0.2

  • effect-analyzer version 0.3.1

  • eslint-plugin-awaitly versions 0.17.1, 1.0.1

  • eslint-plugin-executable-stories-jest versions 1.2.1, 2.1.8

  • eslint-plugin-executable-stories-playwright versions 1.2.1, 2.1.8

  • eslint-plugin-executable-stories-vitest versions 1.2.1, 2.1.8

  • executable-stories-cypress versions 3.1.1, 4.0.1, 5.0.1, 6.1.1, 7.0.3, 8.3.2

  • executable-stories-demo version 0.1.11

  • executable-stories-formatters version 0.11.2

  • executable-stories-init version 0.1.2

  • executable-stories-jest versions 3.1.1, 4.0.1, 5.0.1, 6.1.1, 7.0.3, 8.3.2

  • executable-stories-mcp version 0.3.3

  • executable-stories-playwright versions 3.1.1, 4.0.1, 5.0.1, 6.1.1, 7.0.3, 8.4.3

  • executable-stories-react version 0.1.7

  • executable-stories-vitest versions 2.0.1, 3.1.1, 4.0.1, 5.0.1, 6.1.1, 7.0.3, 8.3.3

  • http-uploader-dev version 1.0.7

  • mountly version 0.2.2

  • mountly-tailwind version 0.1.3

  • node-env-resolver version 6.5.1

  • node-env-resolver-aws versions 9.1.2, 10.0.1, 11.0.1, 12.0.1

  • node-env-resolver-dotenvx versions 1.0.1, 2.0.1

  • node-env-resolver-nextjs version 7.4.2

  • node-env-resolver-vite version 2.4.2

  • wrangler-deploy version 1.5.5

For Semgrep Customers

  1. Trigger a new scan on your projects if you haven't run one recently.

  2. Check the advisories page to see whether any project has installed one of these package versions recently, or use the Dependency filter to see whether you are using an earlier version of any of them.

  3. If you are:

    1. Check for the file/system artefacts listed below, particularly the persistence files written into Claude, Cursor, VS Code and Gemini configuration.

    2. If you are affected, immediately investigate every CI/CD pipeline that installed the package as well, since runner secrets are harvested directly.

    3. Rotate every credential associated with those pipelines and with the compromised user.

Indicators of Compromise

Network / C2 Indicators

  • Exfiltration path pattern: {repo}/contents/results/results-{timestamp}.json

  • C2 beacon keyword (GitHub commit search): thebeautifulmarchoftime

  • Token validation keyword: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner

  • Bun runtime download URL: github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-*.zip (a legitimate Bun release on a legitimate host; the indicator is this download being made from within an npm install, not the URL on its own)

Files / System Artifacts

  • binding.gyp — 157-byte file triggering code execution during npm install

  • Root-level index.js — obfuscated payload (4+ MB) injected alongside legitimate package code

  • /tmp/b-* — temp directory containing the downloaded Bun binary

  • AI assistant backdoor files: .claude/setup.mjs, .claude/settings.json, .cursor/rules/setup.mdc, .gemini/settings.json, .vscode/tasks.json, .vscode/setup.mjs, .github/setup.js (the setup.* files have no legitimate reason to exist; settings.json and tasks.json are normal files, so inspect their contents for anything that runs the dropped setup scripts or other unexpected commands)