dbmux maintainer-account takeover: four backdoored versions seeded across two release branches
Between 2026-06-04 and 2026-06-05 the dbmux npm maintainer account (bhagyamudgal) was hijacked and four backdoored releases were pushed across both the legacy 1.x and current 2.x branches: 1.0.5, 1.0.6, 2.2.4, 2.2.5. GHSA-62wx-5f55-w8g2 (published 2026-06-09) classifies all four as CWE-506 embedded malicious code: any host that installed or executed them should be treated as fully compromised. npm deprecated every malicious release; the clean latest is 2.2.3.
- Threat actor
- Miasma supply-chain worm
- Detected by
- SupplyChainAttack.org · GitHub Advisory Database · Snyk
- Also known as
- Miasma dbmux wave
- Ecosystems
- npm
- Packages tracked
- 1
What happened
dbmux is a database-management CLI ("A flexible database management CLI tool with persistent configuration") published since 2025-07-07 by maintainer bhagyamudgal. The package had been quiet since 2026-01-13 (last clean release 2.2.3) when, on 2026-06-04 and 2026-06-05, four out-of-band releases appeared:
2.2.4(2026-06-04) — patch bump on the current2.xbranch1.0.5(2026-06-04) — patch bump on the legacy1.xbranch, ~6 months after1.0.42.2.5(2026-06-05) — second patch on2.x1.0.6(2026-06-05) — second patch on1.x
The parallel-branch pattern is a classic post-takeover move: pushing a backdoored release on both the legacy and current branches maximises catchment across consumers pinning either range. GitHub Advisory GHSA-62wx-5f55-w8g2 was filed 2026-06-09 and classifies the four releases as CWE-506 Embedded Malicious Code, with the standard "any computer that has this package installed or running should be considered fully compromised" treatment.
Payload mechanics
Per SupplyChainAttack.org's report (shared with Cyber Security News and gbhackers), the malicious payload uses standard Node primitives — child_process.spawn, process.env scraping, file I/O on ~/.aws, ~/.ssh, ~/.npmrc, .env files in the working tree — and opens a covert command channel back to operator-controlled infrastructure. Because Node applications often run with developer credentials, build tokens, or CI secrets mounted into the runtime environment, the malware has a direct path to sensitive secrets and keys without needing any privilege escalation.
Detection and timeline
- 2026-06-04 03:55 UTC (approx) — first malicious versions (
1.0.5,2.2.4) published - 2026-06-05 — second wave (
1.0.6,2.2.5) published - 2026-06-09 — GitHub Advisory
GHSA-62wx-5f55-w8g2published; npm deprecates all four versions with reason "unauthorized security release from supply-chain activity" - 2026-06-09 — SupplyChainAttack.org / Cyber Security News public disclosure
- 2026-06-10 — gbhackers, Cyber Press, Snyk, Hacktron AI republish the advisory
Attribution — Miasma worm (npm-support assigned, 2026-06-21 update)
When the 2026-06-09 ingest catalogued this incident the attribution line read "actor unknown". Re-checking the npm registry on 2026-06-21, the deprecation tombstones that npm-support now ships on 1.0.5, 1.0.6, 2.2.4, and 2.2.5 explicitly read: "unauthorized release published by the Miasma supply-chain worm on 2026-06-04…". Snyk's advisory SNYK-JS-DBMUX-17223227 (published 2026-06-07, credit Guy Korolevski) corroborates the framing — the dbmux releases are described as a self-propagating cloud-secret stealer consistent with the Miasma signature already documented in the 2026-06-01 @redhat-cloud-services/* wave.
Snyk's analysis also surfaces a payload mechanic the original disclosure missed: the dropper is delivered via a malicious binding.gyp + package/index.js shadow entry-point rather than a postinstall lifecycle hook — the implant fires silently the moment the package is required, even when npm install --ignore-scripts is in effect. Defenders relying on ignore-scripts as a mitigation are NOT covered.
Affected packages (1)
- npm
dbmux1.0.51.0.62.2.42.2.5
Impact
- Arbitrary command execution on developer workstations and CI runners that ran
npm install dbmux - Covert C2 channel back to operator-controlled infrastructure via spawned Node child processes
- Theft of environment variables, local files, build secrets, and CI tokens mounted into the runtime
- Persistent backdoor: simple
npm uninstall dbmuxcannot guarantee removal once arbitrary code ran - Dual-branch poisoning increases blast radius: teams pinned to
^1.0.4(legacy) AND^2.2.3(current) both pulled malicious updates
What to do
- 1Pin
dbmuxto2.2.3(or any version<= 2.2.3/<= 1.0.4). Block1.0.5,1.0.6,2.2.4,2.2.5 - 2Treat any workstation or CI runner that executed a malicious version as fully compromised — re-image rather than clean
- 3Rotate from an uncompromised machine: AWS/GCP/Azure access keys, GitHub/GitLab/npm tokens, SSH keys, database passwords, and anything in
.envthat the affected host could read - 4Audit
npmpublish history under your team accounts for unexpected releases between 2026-06-04 and 2026-06-05 — the same actor may have reached other accounts in the same window - 5Enable npm 2FA with publish enforcement on every maintainer account; revoke any long-lived classic tokens
References
- GitHubGHSA-62wx-5f55-w8g2: Malicious code in dbmuxgithub.com
- npmdbmux on npm (1.0.5/1.0.6/2.2.4/2.2.5 deprecated)npmjs.com
- Hacktron AIdbmux 2.2.5 vulnerability reporthacktron.ai
- Snykdbmux security advisorysecurity.snyk.io
- SnykSNYK-JS-DBMUX-17223227: dbmux malicious code (self-propagating cloud-secret stealer)security.snyk.io