The leo-aws npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform organization.
The malicious payload is triggered automatically during npm install via a binding.gyp file using node-gyp command expansion (<!(node index.js > /dev/null 2>&1 && echo stub.c)), which bypasses lifecycle script scanners. The replaced index.js (~5.2 MB, obfuscated with ROT-N + AES-128-GCM encryption) deploys a multi-stage worm with the following capabilities:
snapshot-<hex> branches with fake "Dependabot Updates" workflows to maintain access after initial compromise. Any system that installed this version should be considered fully compromised. Rotate all secrets immediately from a separate, clean machine. See the linked SafeDep report for full payload analysis, indicators of compromise, and remediation guidance.
-= Per source details. Do not edit below this line.=-
The package contains a binding.gyp at the tarball root whose contents use GYP command-expansion syntax (<!( ... )). npm runs node-gyp rebuild whenever a binding.gyp is present in the package, even without any declared install/postinstall script, and node-gyp's configure step evaluates that command expansion during npm install of leo-aws. The package ships no native C/C++ source files (no .c/.cc/.cpp/.h), so the binding.gyp has no legitimate build purpose; its only effect is to run the embedded shell command at install time. This is functionally equivalent to a postinstall hook and is a well-known supply-chain attack technique for hiding install-time code execution from cursory script-field inspection.
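As an added defender-side check (not code from the advisory, SafeDep or the LeoPlatform project), the following Python scanner applies the reasoning above to an unpacked npm tarball: it reports whether node-gyp would run implicitly, extracts every GYP command expansion from binding.gyp, and flags the combination of an expansion with no native sources. Both sample packages are constructed; the binding.gyp layout for the leo-aws-like sample is assumed from the advisory's description, not taken from the actual file.

```python
import json
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
NATIVE_EXT = (".c", ".cc", ".cpp", ".cxx", ".h", ".hpp")

def find_command_expansions(text):
    """Return the command inside each GYP <!(...) / <!@(...) expansion, honouring nested parens."""
    found, i = [], 0
    while (start := text.find("<!", i)) != -1:
        j = start + 2 + text.startswith("@", start + 2)  # skip the optional '@' list form
        if not text.startswith("(", j):
            i = j
            continue
        depth, k = 0, j
        while k < len(text):
            depth += (text[k] == "(") - (text[k] == ")")
            if depth == 0:
                break
            k += 1
        found.append(text[j + 1:k].strip())
        i = k + 1
    return found

def assess_package(files):
    """files: tarball-relative path -> text (leading 'package/' stripped). Flags the leo-aws
    pattern: a binding.gyp that runs a command expansion but ships no native sources."""
    scripts = json.loads(files.get("package.json", "{}")).get("scripts", {})
    gyp = files.get("binding.gyp")
    report = {
        "declared_install_hooks": {k: scripts[k] for k in INSTALL_HOOKS if k in scripts},
        # npm runs `node-gyp rebuild` when binding.gyp exists and no preinstall/install is declared.
        "implicit_node_gyp": gyp is not None and not any(k in scripts for k in ("preinstall", "install")),
        "command_expansions": find_command_expansions(gyp) if gyp is not None else [],
        "native_sources": sorted(p for p in files if p.lower().endswith(NATIVE_EXT)),
    }
    report["suspicious"] = bool(report["command_expansions"]) and not report["native_sources"]
    return report

# Constructed sample mirroring the page's description of leo-aws 2.0.4 (not the real tarball).
LEO_AWS_LIKE = {
    "package.json": json.dumps({"name": "leo-aws", "version": "2.0.4", "main": "index.js"}),
    "binding.gyp": json.dumps({"targets": [{"target_name": "stub",
        "sources": ["<!(node index.js > /dev/null 2>&1 && echo stub.c)"]}]}),
}
# Constructed benign addon for contrast: its expansion only locates headers and real sources exist.
BENIGN_ADDON = {
    "package.json": json.dumps({"name": "example-addon", "version": "1.0.0"}),
    "binding.gyp": json.dumps({"targets": [{"target_name": "addon", "sources": ["src/addon.cc"],
        "include_dirs": ["<!@(node -p \"require('node-addon-api').include\")"]}]}),
    "src/addon.cc": "#include <napi.h>",
}
```

Running assess_package over each unpacked dependency before install gives a triage list; a hit on "suspicious" with an empty "declared_install_hooks" is exactly the case a script-field scanner misses.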
{
"iocs": {
"urls": [
"https://safedep.io/miasma-worm-hits-leoplatform-20-npm-packages/"
]
},
"malicious-packages-origins": [
{
"versions": [
"2.0.4"
],
"modified_time": "2026-06-25T06:30:31Z",
"sha256": "914680f83c4971cb6bc16c3ef608f4c1e8a73a25769911d5d9076ad91c935f63",
"id": "IN-MAL-2026-007471",
"source": "amazon-inspector",
"import_time": "2026-06-25T07:47:50.768854299Z"
}
]
}
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-Luw+cZtqqoRjRmSvjgcPYG/xQianu4NoE10qB4TwlJVcUoKjdl5bQa51hzAAUvitdncPT/mg4K+xBpGmlmeCeQ==",
"sha1": "1dcc0a39e1cd7293a9058cfc41e1afe8b397c943"
},
"filename": "leo-aws-2.0.4.tgz"
}
],
"evidence_files": [
{
"path": "binding.gyp",
"tlsh": "48c08c3ca9380d1029d958285168d402a4b142a3494e2a81fade60284fa840b2898bad",
"sha256": "32d1bc728d8e504952083a6adc488c309a401c7df4dc8f47b382ce32e4aebe21"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/leo-aws/MAL-2026-6418.json"