Miasma campaign poisons 20-plus npm packages, hunts for developer secrets
Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers
Node.js security covers vulnerabilities, dependency risks, and runtime defenses that can affect server-side applications and their data.
Search across headline titles and summaries.
Background for this topic.
Node.js is an open-source, cross-platform runtime that executes JavaScript outside a web browser, using Google’s V8 engine. Its event-driven, non-blocking input/output model is widely used for web servers, APIs, command-line tools, and backend services. The runtime is not itself an application framework; security outcomes depend substantially on the code and modules running within it.
Security concerns include vulnerabilities in the Node.js runtime, insecure application logic such as injection or server-side request forgery, and risks from the large npm dependency ecosystem. Malicious or compromised packages, unsafe install scripts, transitive dependencies, and prototype-pollution flaws can expand an application’s attack surface. Practitioners should track runtime and package advisories, use lockfiles and dependency review, restrict package-install and process permissions where practical, validate untrusted input, and protect credentials and session data. During incidents, dependency inventories and build records help determine whether a vulnerable module or runtime was deployed.
Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers
Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem
An active phishing campaign has been targeting hotel and other hospitality organizations across Europe and Asia since April 2026, using photo-themed ZIP files to drop a Node.js implant and dig into front-desk machines, Microsoft says
Microsoft Threat Intelligence identified an active multi-stage intrusion campaign targeting hospitality organizations in Europe and Asia. The campaign uses photo-themed ZIP archives and fake image shortcut files to deliver a persistent Node.js implant and evade detection. The post Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access appeared first on Microsoft Security Blog.
JFrog found an npm package impersonating postcss-selector-parser to drop a multi-stage Windows RAT
Cybersecurity researchers have discovered a set of malicious npm packages that are designed to deliver a Windows-based remote access trojan (RAT)