Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem.
“The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project,” Socket said.
The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows.
The list of affected packages is below –
- hexo-deployer-wrangler@1.0.4
- hexo-shoka-swiper@0.1.10
- leo-auth@4.0.6
- leo-aws@2.0.4
- leo-cache@1.0.2
- leo-cdk-lib@0.0.2
- leo-cli@3.0.3
- leo-config@1.1.1
- leo-connector-elasticsearch@2.0.6
- leo-connector-mongo@3.0.8
- leo-connector-mysql@3.0.3
- leo-connector-oracle@2.0.1
- leo-connector-redshift@3.0.6
- leo-cron@2.0.2
- leo-logger@1.0.8
- leo-sdk@6.0.19
- leo-streams@2.0.1
- prism-silq@1.0.1
- rstreams-metrics@2.0.2
- rstreams-shard-util@1.0.1
- serverless-convention@2.0.4
- serverless-leo@3.0.14
- solo-nav@1.0.1
- github.com/verana-labs/verana-blockchain@v0.10.1-dev.20 (Go)
It’s suspected that an npm developer account associated with the LeoPlatform (“czirker”) was breached, likely via leaked credentials, to enable the attack, allowing the threat actors to leverage an npm token belonging to the maintainer to push trojanized versions within a six-second window.
The new wave leverages many of the tactics observed in prior campaigns, including npm registry poisoning, binding.gyp install-time execution, Bun-staged JavaScript malware, GitHub dead-drop infrastructure, GitHub Actions secret theft, IDE and AI coding assistant persistence, and encrypted credential exfiltration.
The malicious npm packages, while lacking a lifecycle hook typically added to the package.json file, incorporates a binding.gyp file to execute arbitrary code during installation, resulting in the launch of a JavaScript loader that downloads and installs the Bun runtime if not present, and then initiate the stealer payload responsible for harvesting secrets, credentials, and tokens.
The malware, besides featuring a Russian locale killswitch and checking for the presence of endpoint security software, drops a workflow named “Run Copilot” to capture CI/CD environment secrets from the runner memory. The information is then uploaded to a public GitHub repository with description “Alright Lets See If This Works.” As of writing, there are 559 repositories matching the description.
The token relay marker has also witnessed a change in the latest iteration. While earlier waves used strings like “IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner,” the current artifact uses “RevokeAndItGoesKaboom,” a string that has been used as GitHub dead drop resolver in connection with the recent compromise of the “codfish/semantic-release-action” GitHub Action.
“On June 24, 2026 at 15:39:06 UTC, an attacker force-pushed a malicious commit to codfish/semantic-release-action and redirected several version tags to point at the malicious commit,” StepSecurity said.
“Any workflow that ran against one of these tags after that timestamp executed the attacker’s payload directly inside the GitHub Actions runner. The payload steals GitHub OIDC tokens, harvests Personal Access Tokens matching known GitHub token patterns, encrypts the collected material with AES-128-GCM, and attempts to propagate a backdoor into other repositories accessible with the stolen credentials.”
This indicates that all these events are linked to the same operational cluster or tooling lineage. According to Endor Labs and OX Security, the malware also polls GitHub every hour for commits matching the string “firedalazer” to retrieve and execute the Hades variant of the malware.
“The Leo/RStreams package set is tied to cloud-native and serverless workloads,” JFrog said. “A compromise here can expose developer workstations, CI/CD systems, AWS-backed applications, GitHub repositories, package publishing credentials, and downstream package consumers.”
“The notable story is not that the payload is radically new. It is that Shai-Hulud continues to move across legitimate package ecosystems while changing just enough indicators to make stale detections less effective.”
What’s more, the poisoning of the Verana GitHub expands the scope of the campaign beyond npm. That having said, the attack employs the same Miasma execution pattern observed in malicious npm packages without relying on native Go module resolution or build logic.
“Unlike the npm packages, this sample does not rely on binding.gyp,” Socket explained. “The risk is source-repository execution: a developer who clones or opens the repository in a trusted IDE or AI coding assistant environment may trigger the payload through project configuration.”
“This reinforces the larger campaign theme: Miasma is moving across package ecosystems by targeting developer workflows, not just package-manager install hooks.”
