MAL-2026-6425

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/leo-connector-mysql/MAL-2026-6425.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6425
Published
2026-06-24T23:04:55Z
Modified
2026-06-25T08:01:29.233466470Z
Summary
Malicious code in leo-connector-mysql (npm)
Details

The leo-connector-mysql npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform organization.

The malicious payload runs automatically during npm install via a binding.gyp file that uses node-gyp command expansion (<!(node index.js > /dev/null 2>&1 && echo stub.c)). Because no lifecycle script is declared in package.json, scanners that only inspect the scripts field miss the trigger entirely. The replaced index.js (~5.2 MB, obfuscated with ROT-N encoding plus AES-128-GCM encryption) deploys a multi-stage worm with the following capabilities:

  • Credential theft: Targets npm, GitHub, PyPI, RubyGems, Kubernetes, HashiCorp Vault, AWS (IAM keys, Secrets Manager, IMDS), 1Password, JFrog Artifactory, and SSH keys.
  • AI tool targeting: Exfiltrates configuration files for Claude, Cursor, Gemini, and VS Code.
  • Worm propagation: Enumerates npm packages and auto-publishes version bumps to spread to other maintainers in the ecosystem.
  • GitHub persistence: Creates orphan snapshot-<hex> branches with fake "Dependabot Updates" workflows to maintain access after initial compromise.

Any system that installed this version should be considered fully compromised. Rotate all secrets immediately from a separate, clean machine. See the linked SafeDep report for full payload analysis, indicators of compromise, and remediation guidance.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cc20d78464a78cbe988dbbbc2fe10cd4207311a8ff43ee7c5a0411e68e81bb57)

The package ships a binding.gyp file containing GYP command-expansion syntax (<!(...)) at line 6. When a binding.gyp is present in the package root and package.json declares no install or preinstall script, npm defaults the install script to node-gyp rebuild, and GYP evaluates <!(...) expressions as shell commands during the configure step. The embedded command therefore executes automatically on every npm install, functionally identical to a lifecycle hook, while remaining invisible to tooling that only inspects the scripts field of package.json. Any installer or build system that pulls this package will run the expanded command with the privileges of the installing user; installing with --ignore-scripts suppresses the implicit node-gyp rebuild along with any declared lifecycle scripts.

Database specific
{
    "iocs": {
        "urls": [
            "https://safedep.io/miasma-worm-hits-leoplatform-20-npm-packages/"
        ]
    },
    "malicious-packages-origins": [
        {
            "sha256": "cc20d78464a78cbe988dbbbc2fe10cd4207311a8ff43ee7c5a0411e68e81bb57",
            "import_time": "2026-06-25T07:47:50.847514219Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-25T06:30:34Z",
            "versions": [
                "3.0.3"
            ],
            "id": "IN-MAL-2026-007473"
        }
    ]
}
References
Credits

Affected packages

npm / leo-connector-mysql

Package

Name
leo-connector-mysql
Purl
pkg:npm/leo-connector-mysql

Affected ranges

Affected versions

3.*
3.0.3

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/leo-connector-mysql/MAL-2026-6425.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "32d1bc728d8e504952083a6adc488c309a401c7df4dc8f47b382ce32e4aebe21",
            "tlsh": "48c08c3ca9380d1029d958285168d402a4b142a3494e2a81fade60284fa840b2898bad",
            "path": "binding.gyp"
        }
    ],
    "package_integrity": [
        {
            "filename": "leo-connector-mysql-3.0.3.tgz",
            "hashes": {
                "sha1": "f03a3e0dca9ef402352ce61cad59e5d850744960",
                "sha512_sri": "sha512-ENPOPFzvhAEQIDhXeRzF4/FUTPBFsaxr7YFQChRYFXdCnMUx4QpLhD4NPNeX1lt9a0JfU/gRBPUwBSV99L9LuA=="
            }
        }
    ]
}