Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid using all malicious instances of the serverless-leo package.
Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this package in a rapid, automated execution window. The published versions contain malicious code that includes a credential-stealing payload aimed at local development environments and CI/CD pipelines.
The malicious payload executes automatically during npm install. Instead of relying on package.json lifecycle scripts, it introduces a malicious binding.gyp file. This file uses GYP command expansion (<!(...)) to invoke a bundled index.js file, effectively bypassing security scanners that only audit lifecycle hooks.
The worm then attempts to propagate further through the software supply chain by using the compromised environment to create unauthorized GitHub branches, push poisoned code, or leverage stolen tokens to republish backdoored versions of accessible repositories.
Note: At the time of publication, vulnerable versions were not removed from npm.
Organizations that installed or built projects using affected versions of this package should treat all local and environment secrets as compromised and rotate them immediately.