Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Anthropic’s Fable 5 and Mythos 5 Are Back with New Security Guardrails

July 1, 2026

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

July 1, 2026

Veil#Drop Uses Google Blogspot to Deploy PureLog Stealer

July 1, 2026
Facebook X (Twitter) Instagram
Wednesday, July 1
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack
News

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Team-CWDBy Team-CWDJuly 1, 2026No Comments5 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem.

“The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project,” Socket said.

The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows.

The list of affected packages is below –

  • hexo-deployer-wrangler@1.0.4
  • hexo-shoka-swiper@0.1.10
  • leo-auth@4.0.6
  • leo-aws@2.0.4
  • leo-cache@1.0.2
  • leo-cdk-lib@0.0.2
  • leo-cli@3.0.3
  • leo-config@1.1.1
  • leo-connector-elasticsearch@2.0.6
  • leo-connector-mongo@3.0.8
  • leo-connector-mysql@3.0.3
  • leo-connector-oracle@2.0.1
  • leo-connector-redshift@3.0.6
  • leo-cron@2.0.2
  • leo-logger@1.0.8
  • leo-sdk@6.0.19
  • leo-streams@2.0.1
  • prism-silq@1.0.1
  • rstreams-metrics@2.0.2
  • rstreams-shard-util@1.0.1
  • serverless-convention@2.0.4
  • serverless-leo@3.0.14
  • solo-nav@1.0.1
  • github.com/verana-labs/verana-blockchain@v0.10.1-dev.20 (Go)

It’s suspected that an npm developer account associated with the LeoPlatform (“czirker“) was breached, likely via leaked credentials, to enable the attack, allowing the threat actors to leverage an npm token belonging to the maintainer to push trojanized versions within a six-second window.

The new wave leverages many of the tactics observed in prior campaigns, including npm registry poisoning, binding.gyp install-time execution, Bun-staged JavaScript malware, GitHub dead-drop infrastructure, GitHub Actions secret theft, IDE and AI coding assistant persistence, and encrypted credential exfiltration.

The malicious npm packages, while lacking a lifecycle hook typically added to the package.json file, incorporates a binding.gyp file to execute arbitrary code during installation, resulting in the launch of a JavaScript loader that downloads and installs the Bun runtime if not present, and then initiate the stealer payload responsible for harvesting secrets, credentials, and tokens.

The malware, besides featuring a Russian locale killswitch and checking for the presence of endpoint security software, drops a workflow named “Run Copilot” to capture CI/CD environment secrets from the runner memory. The information is then uploaded to a public GitHub repository with description “Alright Lets See If This Works.” As of writing, there are 559 repositories matching the description.

The token relay marker has also witnessed a change in the latest iteration. While earlier waves used strings like “IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner,” the current artifact uses “RevokeAndItGoesKaboom,” a string that has been used as GitHub dead drop resolver in connection with the recent compromise of the “codfish/semantic-release-action” GitHub Action.

“On June 24, 2026 at 15:39:06 UTC, an attacker force-pushed a malicious commit to codfish/semantic-release-action and redirected several version tags to point at the malicious commit,” StepSecurity said.

“Any workflow that ran against one of these tags after that timestamp executed the attacker’s payload directly inside the GitHub Actions runner. The payload steals GitHub OIDC tokens, harvests Personal Access Tokens matching known GitHub token patterns, encrypts the collected material with AES-128-GCM, and attempts to propagate a backdoor into other repositories accessible with the stolen credentials.”

This indicates that all these events are linked to the same operational cluster or tooling lineage. According to Endor Labs and OX Security, the malware also polls GitHub every hour for commits matching the string “firedalazer” to retrieve and execute the Hades variant of the malware.

“The Leo/RStreams package set is tied to cloud-native and serverless workloads,” JFrog said. “A compromise here can expose developer workstations, CI/CD systems, AWS-backed applications, GitHub repositories, package publishing credentials, and downstream package consumers.”

“The notable story is not that the payload is radically new. It is that Shai-Hulud continues to move across legitimate package ecosystems while changing just enough indicators to make stale detections less effective.”

What’s more, the poisoning of the Verana GitHub expands the scope of the campaign beyond npm. That having said, the attack employs the same Miasma execution pattern observed in malicious npm packages without relying on native Go module resolution or build logic.

“Unlike the npm packages, this sample does not rely on binding.gyp,” Socket explained. “The risk is source-repository execution: a developer who clones or opens the repository in a trusted IDE or AI coding assistant environment may trigger the payload through project configuration.”

“This reinforces the larger campaign theme: Miasma is moving across package ecosystems by targeting developer workflows, not just package-manager install hooks.”

Update

The Miasma Mini Shai-Hulud campaign targeting LeoPlatform and RStreams npm packages has also hit packages published under the @immobiliarelabs scope, targeting Backstage plugins used for GitLab and LDAP authentication packages on the npm registry. The list of affected packages is below –

  • @immobiliarelabs/backstage-plugin-gitlab
  • @immobiliarelabs/backstage-plugin-gitlab-backend
  • @immobiliarelabs/backstage-plugin-ldap-auth
  • @immobiliarelabs/backstage-plugin-ldap-auth-backend

It’s suspected that the compromise of the “codfish/semantic-release-action” GitHub Action may have been the upstream access path that enabled the attacker to gain access to publish malicious @immobiliarelabs package versions.

“The new ImmobiliareLabs activity follows the same broader campaign pattern: compromise trusted developer infrastructure, publish malicious package versions, stage JavaScript malware through Bun, steal developer and CI/CD secrets, and use the stolen access to propagate further,” Socket said.

“It is the expansion of the campaign into another legitimate open source maintainer scope, this time involving Backstage plugins that sit close to internal developer portals, source-control integrations, and authentication workflows.”

(The story was updated after publication on June 30, 2026, to reflect the latest developments.)



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleVeil#Drop Uses Google Blogspot to Deploy PureLog Stealer
Next Article Anthropic’s Fable 5 and Mythos 5 Are Back with New Security Guardrails
Team-CWD
  • Website

Related Posts

News

Anthropic’s Fable 5 and Mythos 5 Are Back with New Security Guardrails

July 1, 2026
News

Veil#Drop Uses Google Blogspot to Deploy PureLog Stealer

July 1, 2026
News

Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability

July 1, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

What’s at stake if your employees post too much online

December 1, 2025

Mobile app permissions (still) matter more than you may think

February 27, 2026

Why LinkedIn is a hunting ground for threat actors – and how to protect yourself

January 16, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.