Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem.
"The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project," Socket said.
The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows.
The list of affected packages is below -
- hexo-deployer-wrangler@1.0.4
- hexo-shoka-swiper@0.1.10
- leo-auth@4.0.6
- leo-aws@2.0.4
- leo-cache@1.0.2
- leo-cdk-lib@0.0.2
- leo-cli@3.0.3
- leo-config@1.1.1
- leo-connector-elasticsearch@2.0.6
- leo-connector-mongo@3.0.8
- leo-connector-mysql@3.0.3
- leo-connector-oracle@2.0.1
- leo-connector-redshift@3.0.6
- leo-cron@2.0.2
- leo-logger@1.0.8
- leo-sdk@6.0.19
- leo-streams@2.0.1
- prism-silq@1.0.1
- rstreams-metrics@2.0.2
- rstreams-shard-util@1.0.1
- serverless-convention@2.0.4
- serverless-leo@3.0.14
- solo-nav@1.0.1
- github.com/verana-labs/verana-blockchain@v0.10.1-dev.20 (Go)
It's suspected that an npm developer account associated with the LeoPlatform ("czirker") was breached, likely via leaked credentials, to enable the attack, allowing the threat actors to leverage an npm token belonging to the maintainer to push trojanized versions within a six-second window.
The new wave leverages many of the tactics observed in prior campaigns, including npm registry poisoning, binding.gyp install-time execution, Bun-staged JavaScript malware, GitHub dead-drop infrastructure, GitHub Actions secret theft, IDE and AI coding assistant persistence, and encrypted credential exfiltration.
The malicious npm packages, while lacking a lifecycle hook typically added to the package.json file, incorporates a binding.gyp file to execute arbitrary code during installation, resulting in the launch of a JavaScript loader that downloads and installs the Bun runtime if not present, and then initiate the stealer payload responsible for harvesting secrets, credentials, and tokens.
The malware, besides featuring a Russian locale killswitch and checking for the presence of endpoint security software, drops a workflow named "Run Copilot" to capture CI/CD environment secrets from the runner memory. The information is then uploaded to a public GitHub repository with description "Alright Lets See If This Works." As of writing, there are 559 repositories matching the description.
The token relay marker has also witnessed a change in the latest iteration. While earlier waves used strings like "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner," the current artifact uses "RevokeAndItGoesKaboom," a string that has been used as GitHub dead drop resolver in connection with the recent compromise of the "codfish/semantic-release-action" GitHub Action.
"On June 24, 2026 at 15:39:06 UTC, an attacker force-pushed a malicious commit to codfish/semantic-release-action and redirected several version tags to point at the malicious commit," StepSecurity said.
"Any workflow that ran against one of these tags after that timestamp executed the attacker's payload directly inside the GitHub Actions runner. The payload steals GitHub OIDC tokens, harvests Personal Access Tokens matching known GitHub token patterns, encrypts the collected material with AES-128-GCM, and attempts to propagate a backdoor into other repositories accessible with the stolen credentials."
This indicates that all these events are linked to the same operational cluster or tooling lineage. According to Endor Labs and OX Security, the malware also polls GitHub every hour for commits matching the string "firedalazer" to retrieve and execute the Hades variant of the malware.
"The Leo/RStreams package set is tied to cloud-native and serverless workloads," JFrog said. "A compromise here can expose developer workstations, CI/CD systems, AWS-backed applications, GitHub repositories, package publishing credentials, and downstream package consumers."
"The notable story is not that the payload is radically new. It is that Shai-Hulud continues to move across legitimate package ecosystems while changing just enough indicators to make stale detections less effective."
What's more, the poisoning of the Verana GitHub expands the scope of the campaign beyond npm. That having said, the attack employs the same Miasma execution pattern observed in malicious npm packages without relying on native Go module resolution or build logic.
"Unlike the npm packages, this sample does not rely on binding.gyp," Socket explained. "The risk is source-repository execution: a developer who clones or opens the repository in a trusted IDE or AI coding assistant environment may trigger the payload through project configuration."
"This reinforces the larger campaign theme: Miasma is moving across package ecosystems by targeting developer workflows, not just package-manager install hooks."
Update
The Miasma Mini Shai-Hulud campaign targeting LeoPlatform and RStreams npm packages has also hit packages published under the @immobiliarelabs scope, targeting Backstage plugins used for GitLab and LDAP authentication packages on the npm registry. The list of affected packages is below -
- @immobiliarelabs/backstage-plugin-gitlab
- @immobiliarelabs/backstage-plugin-gitlab-backend
- @immobiliarelabs/backstage-plugin-ldap-auth
- @immobiliarelabs/backstage-plugin-ldap-auth-backend
It's suspected that the compromise of the "codfish/semantic-release-action" GitHub Action may have been the upstream access path that enabled the attacker to gain access to publish malicious @immobiliarelabs package versions.
"The new ImmobiliareLabs activity follows the same broader campaign pattern: compromise trusted developer infrastructure, publish malicious package versions, stage JavaScript malware through Bun, steal developer and CI/CD secrets, and use the stolen access to propagate further," Socket said.
"It is the expansion of the campaign into another legitimate open source maintainer scope, this time involving Backstage plugins that sit close to internal developer portals, source-control integrations, and authentication workflows."
(The story was updated after publication on June 30, 2026, to reflect the latest developments.)







