Feed
CriticalPublished 9 Jun 2026Updated 21 Jun 20261 package · 4 versions

dbmux maintainer-account takeover: four backdoored versions seeded across two release branches

Summary

Between 2026-06-04 and 2026-06-05 the dbmux npm maintainer account (bhagyamudgal) was hijacked and four backdoored releases were pushed across both the legacy 1.x and current 2.x branches: 1.0.5, 1.0.6, 2.2.4, 2.2.5. GHSA-62wx-5f55-w8g2 (published 2026-06-09) classifies all four as CWE-506 embedded malicious code: any host that installed or executed them should be treated as fully compromised. npm deprecated every malicious release; the clean latest is 2.2.3.

maintainer-takeoveraccount-takeovercredential-theftinfostealerwormci-cd-compromise
Threat actor
Miasma supply-chain worm
Detected by
SupplyChainAttack.org · GitHub Advisory Database · Snyk
Also known as
Miasma dbmux wave
Ecosystems
npm
Packages tracked
1

What happened

dbmux is a database-management CLI ("A flexible database management CLI tool with persistent configuration") published since 2025-07-07 by maintainer bhagyamudgal. The package had been quiet since 2026-01-13 (last clean release 2.2.3) when, on 2026-06-04 and 2026-06-05, four out-of-band releases appeared:

  • 2.2.4 (2026-06-04) — patch bump on the current 2.x branch
  • 1.0.5 (2026-06-04) — patch bump on the legacy 1.x branch, ~6 months after 1.0.4
  • 2.2.5 (2026-06-05) — second patch on 2.x
  • 1.0.6 (2026-06-05) — second patch on 1.x

The parallel-branch pattern is a classic post-takeover move: pushing a backdoored release on both the legacy and current branches maximises catchment across consumers pinning either range. GitHub Advisory GHSA-62wx-5f55-w8g2 was filed 2026-06-09 and classifies the four releases as CWE-506 Embedded Malicious Code, with the standard "any computer that has this package installed or running should be considered fully compromised" treatment.

Payload mechanics

Per SupplyChainAttack.org's report (shared with Cyber Security News and gbhackers), the malicious payload uses standard Node primitives — child_process.spawn, process.env scraping, file I/O on ~/.aws, ~/.ssh, ~/.npmrc, .env files in the working tree — and opens a covert command channel back to operator-controlled infrastructure. Because Node applications often run with developer credentials, build tokens, or CI secrets mounted into the runtime environment, the malware has a direct path to sensitive secrets and keys without needing any privilege escalation.

Detection and timeline

  • 2026-06-04 03:55 UTC (approx) — first malicious versions (1.0.5, 2.2.4) published
  • 2026-06-05 — second wave (1.0.6, 2.2.5) published
  • 2026-06-09 — GitHub Advisory GHSA-62wx-5f55-w8g2 published; npm deprecates all four versions with reason "unauthorized security release from supply-chain activity"
  • 2026-06-09 — SupplyChainAttack.org / Cyber Security News public disclosure
  • 2026-06-10 — gbhackers, Cyber Press, Snyk, Hacktron AI republish the advisory

Attribution — Miasma worm (npm-support assigned, 2026-06-21 update)

When the 2026-06-09 ingest catalogued this incident the attribution line read "actor unknown". Re-checking the npm registry on 2026-06-21, the deprecation tombstones that npm-support now ships on 1.0.5, 1.0.6, 2.2.4, and 2.2.5 explicitly read: "unauthorized release published by the Miasma supply-chain worm on 2026-06-04…". Snyk's advisory SNYK-JS-DBMUX-17223227 (published 2026-06-07, credit Guy Korolevski) corroborates the framing — the dbmux releases are described as a self-propagating cloud-secret stealer consistent with the Miasma signature already documented in the 2026-06-01 @redhat-cloud-services/* wave.

Snyk's analysis also surfaces a payload mechanic the original disclosure missed: the dropper is delivered via a malicious binding.gyp + package/index.js shadow entry-point rather than a postinstall lifecycle hook — the implant fires silently the moment the package is required, even when npm install --ignore-scripts is in effect. Defenders relying on ignore-scripts as a mitigation are NOT covered.

Affected packages (1)

  • npmdbmux
    1.0.51.0.62.2.42.2.5

Impact

  • Arbitrary command execution on developer workstations and CI runners that ran npm install dbmux
  • Covert C2 channel back to operator-controlled infrastructure via spawned Node child processes
  • Theft of environment variables, local files, build secrets, and CI tokens mounted into the runtime
  • Persistent backdoor: simple npm uninstall dbmux cannot guarantee removal once arbitrary code ran
  • Dual-branch poisoning increases blast radius: teams pinned to ^1.0.4 (legacy) AND ^2.2.3 (current) both pulled malicious updates

What to do

  1. 1Pin dbmux to 2.2.3 (or any version <= 2.2.3 / <= 1.0.4). Block 1.0.5, 1.0.6, 2.2.4, 2.2.5
  2. 2Treat any workstation or CI runner that executed a malicious version as fully compromised — re-image rather than clean
  3. 3Rotate from an uncompromised machine: AWS/GCP/Azure access keys, GitHub/GitLab/npm tokens, SSH keys, database passwords, and anything in .env that the affected host could read
  4. 4Audit npm publish history under your team accounts for unexpected releases between 2026-06-04 and 2026-06-05 — the same actor may have reached other accounts in the same window
  5. 5Enable npm 2FA with publish enforcement on every maintainer account; revoke any long-lived classic tokens

References

npm-2026-06-09-dbmux-maintainer-takeover