Latest wave affects legitimate @immobiliarelabs Backstage packages, with malicious npm releases published across GitLab and LDAP authentication plugin families on June 26, 2026.
Socket Threat Research is tracking a fresh compromise in the ongoing Miasma Mini Shai-Hulud supply chain campaign. The latest activity affects legitimate npm packages published under the @immobiliarelabs scope, including Backstage plugins used for GitLab integration and LDAP authentication.
This appears to be a continuation of the activity we reported yesterday involving LeoPlatform and RStreams npm packages, GitHub Actions workflow abuse, AI-agent persistence, and the Verana Go module/source-repository compromise. The new ImmobiliareLabs activity follows the same broader campaign pattern: compromise trusted developer infrastructure, publish malicious package versions, stage JavaScript malware through Bun, steal developer and CI/CD secrets, and use the stolen access to propagate further.
The important development is not a new malware family or a materially different payload. It is the expansion of the campaign into another legitimate open source maintainer scope, this time involving Backstage plugins that sit close to internal developer portals, source-control integrations, and authentication workflows.
This remains an ongoing investigation. Socket will continue updating the campaign tracker as additional affected artifacts, repository indicators, and exfiltration infrastructure are confirmed.
The publication pattern is consistent with a fast automated republish wave. Multiple historical versions were republished with malicious artifacts, suggesting the threat actor attempted to maximize exposure across users pinned to older major versions.
ImmobiliareLabs is the technology organization behind Immobiliare.it, a major Italian real estate platform. Public company materials describe Immobiliare.it as a leading property portal in Italy, with a large network of agencies, listings, and consumer traffic. ImmobiliareLabs also publicly emphasizes its use of open source, GitLab-based CI/CD, Kubernetes infrastructure, and public GitHub projects.
The compromised packages are Backstage plugins. Backstage is commonly used as an internal developer portal, where source-code metadata, service catalogs, CI/CD signals, authentication, and developer workflows converge. A compromise of packages used in that context is especially concerning because the install environment may have access to internal source-control tokens, package publishing credentials, CI/CD secrets, cloud credentials, or authentication-related configuration.
The GitLab plugin family is designed to surface GitLab project context inside Backstage. The LDAP Auth plugin family is designed to support LDAP authentication flows in Backstage deployments. The malware does not need to exploit GitLab or LDAP directly to create risk. It only needs to execute in the environment where these packages are installed or built.
Initial review of the @immobiliarelabs/backstage-plugin-gitlab@7.0.2 tarball shows a pattern that can mislead shallow package review. The normal dist/index.cjs.js entrypoint appears benign, but the malicious tarball adds a root-level index.js that decrypts and executes a hidden payload, bootstraps Bun if needed, and runs a second-stage script.
A reviewer who only inspects the declared application entrypoint or compiled dist output may miss the malicious execution path added at the package root. This follows the broader Miasma trend of hiding execution outside the most obvious package metadata, moving away from simple preinstall or postinstall scripts and toward less visible package-manager, build, workflow, and developer-tool triggers.
We are not re-running the full technical analysis here because the payload behavior continues the same pattern documented in yesterday’s coverage:
Install-time execution via "Phantom Gyp" binding.gyp trick: node-gyp command expansion invokes node index.js without relying on preinstall or postinstall hooks.
Root index.js is a single-line Caesar-shift followed by AES-128-GCM decryption and multi-stage payload delivery.
Third-stage payload runs under Bun v1.3.13, downloads if absent, and executes the final malware.
Plants persistence hooks in AI-coding-assistant plugins and IDE extensions.
Exfiltrates stolen secrets via the GitHub API to attacker-controlled repositories.
The payload also preserves a distinctive campaign marker observed in prior Miasma activity: thebeautifulsnadsoftime. The string appears inside obfuscated payload material and is useful as a clustering indicator because of its unusual spelling and reuse across waves. The phrase may be an intentional misspelling of “the beautiful sands of time”, possibly echoing the pop-culture naming pattern seen in earlier Miasma artifacts, including prior video game-themed references.
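The review gap described above (a benign dist/ entrypoint beside a root-level loader and a binding.gyp that no native dependency explains) is something a tarball check can catch before npm ever runs node-gyp. The following is an added example, not Socket's tooling and not code from the affected packages: it builds two constructed tarballs in memory (a clean plugin and one that mirrors the layout described in this report, with inert filler in place of a payload) and scans them for the wave's structural signs and the campaign strings named on this page. The package names, the placeholder binding.gyp and the loader filler are constructed sample values.

```python
"""Scan an npm tarball for the Miasma-style package layout described above.

Added example (not Socket's tooling, not code from the affected packages).
It inspects every member of the tarball rather than package.json alone,
because in this wave the malicious path sits outside the declared entrypoint.
"""
import io
import json
import re
import tarfile

# Campaign strings named in this and the previous Socket report.
CAMPAIGN_MARKERS = (
    "thebeautifulsnadsoftime",
    "RevokeAndItGoesKaboom",
    "Alright Lets See If This Works",
)
# Dependencies that legitimately explain a binding.gyp in a package.
NATIVE_BUILD_DEPS = ("node-gyp", "node-gyp-build", "node-addon-api", "nan",
                     "prebuild-install", "@mapbox/node-pre-gyp")
BUN_RE = re.compile(r"bun\.sh|oven-sh/bun", re.I)
LONG_LINE = 4000  # one minified line this long in a root-level file is suspicious


def build_tarball(files):
    """Build an npm-style tarball (members under package/) in memory.
    Only used to construct sample input for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name="package/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_npm_tarball(tgz_bytes):
    """Return a list of human-readable findings for one package tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        members = {}
        for m in tar.getmembers():
            if m.isfile() and "/" in m.name:
                members[m.name.split("/", 1)[1]] = tar.extractfile(m).read()

    pkg = json.loads(members.get("package.json", b"{}"))
    main = re.sub(r"^\./", "", pkg.get("main", "index.js"))
    deps = {}
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(key, {}))
    declares_native = pkg.get("gypfile") is True or any(d in deps for d in NATIVE_BUILD_DEPS)

    # 1. Root-level index.js / _index.js that the declared entrypoint does not cover.
    for name in ("index.js", "_index.js"):
        if name in members and name != main:
            findings.append(f"{name}: root-level file not declared as main (main={main})")

    # 2. binding.gyp in a package with no native build dependency ("Phantom Gyp").
    if "binding.gyp" in members and not declares_native:
        findings.append("binding.gyp: present but no native build dependency declared")

    # 3. Content checks on every member: campaign strings, Bun references,
    #    and single-line blobs outside the compiled dist/ output.
    for path, data in members.items():
        text = data.decode("utf-8", "replace")
        for marker in CAMPAIGN_MARKERS:
            if marker in text:
                findings.append(f"{path}: contains campaign marker {marker!r}")
        if path.endswith(".js") and not path.startswith("dist/"):
            if BUN_RE.search(text):
                findings.append(f"{path}: references the Bun runtime")
            longest = max((len(line) for line in text.splitlines()), default=0)
            if longest > LONG_LINE:
                findings.append(f"{path}: single line of {longest} chars outside dist/")
    return findings


def sample_tarballs():
    """Constructed benign and suspicious packages. The suspicious one mirrors the
    layout described in the report but contains only inert filler, no payload."""
    benign = build_tarball({
        "package.json": json.dumps({"name": "@example/clean-plugin", "version": "1.0.0",
                                    "main": "dist/index.cjs.js"}).encode(),
        "dist/index.cjs.js": b"module.exports = { plugin: 'ok' };\n",
    })
    suspicious = build_tarball({
        "package.json": json.dumps({"name": "@example/suspect-plugin", "version": "7.0.2",
                                    "main": "dist/index.cjs.js",
                                    "dependencies": {"react": "^18"}}).encode(),
        "dist/index.cjs.js": b"module.exports = { plugin: 'ok' };\n",
        # Stand-in for a one-line obfuscated loader (constructed filler).
        "index.js": (b"/* loader */ var a='" + b"x" * 5000 +
                     b"'; /* thebeautifulsnadsoftime */ /* https://bun.sh/install */\n"),
        "binding.gyp": b'{"targets": []}\n',  # constructed placeholder, no actions
    })
    return benign, suspicious


if __name__ == "__main__":
    for label, tgz in zip(("benign", "suspicious"), sample_tarballs()):
        print(label, scan_npm_tarball(tgz) or "no findings")
```

Run against a real tarball (`npm pack <name>@<version>` followed by `scan_npm_tarball(open(path, "rb").read())`) the checks are deliberately structural: they do not try to decode the loader, they only ask whether the package has a root-level execution path, a build trigger, or a runtime dependency that its manifest does not account for.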
The ImmobiliareLabs wave also includes a GitHub Actions lead. A public run in immobiliare/backstage-plugin-gitlab shows a workflow named Dependabot Updates, triggered via deployment on June 26, 2026 at 15:00 UTC, associated with the simonecorsi account, and completing successfully. The workflow view shows release.yml configured with on: deployment.
Possible upstream compromise path: codfish/semantic-release-action
One additional lead points to the compromised codfish/semantic-release-action as a possible upstream access path affecting the simonecorsi account and related release automation. Public GitHub code search shows repositories under the simonecorsi organization referencing codfish/semantic-release-action, a third-party GitHub Action used to run semantic-release in CI/CD release workflows.
The codfish/semantic-release-action was itself compromised on June 24, 2026. StepSecurity reported that an attacker force-pushed malicious commits and repointed mutable version tags, causing downstream workflows that referenced those tags to execute attacker-controlled code inside GitHub Actions runners. The malicious action converted the original Docker-based action into a composite action, installed Bun, and executed an obfuscated JavaScript payload. StepSecurity also reported that the payload targeted GitHub OIDC tokens, GitHub personal access tokens, and CI/CD secrets, and attempted follow-on repository compromise.
This provides a plausible route from a compromised third-party GitHub Action into release automation for projects that used codfish/semantic-release-action by mutable tag rather than immutable commit SHA. If a simonecorsi-controlled workflow executed the compromised action with npm publishing credentials, GitHub tokens, or deployment permissions available to the runner, the attacker could have gained the access needed to publish malicious @immobiliarelabs package versions or trigger follow-on GitHub Actions activity.
We do not assess this as confirmed root cause without runner logs, token-use telemetry, or maintainer confirmation. However, the timing, the use of semantic-release automation, the tag-hijacking technique, and the later ImmobiliareLabs package publish burst make codfish/semantic-release-action a high-priority lead for incident reconstruction.
Security researcher Adnan Khan publicly warned that an unpatched GitHub Actions privilege-escalation issue could allow attackers to dump Actions secrets or abuse OIDC without the workflow OAuth scope, and recommended blocking the technique by restricting workflow execution on the deployment trigger.
Socket’s analysis of the Miasma activity aligns with the risk Khan described. GitHub’s deployment event is designed to run a workflow when a deployment is created in a repository. In the attack pattern referenced by Khan, an attacker does not need to make a straightforward commit that permanently modifies a workflow file on the default branch. Instead, the attacker can create temporary Git objects containing a workflow, make the commit reachable, create a deployment that targets that commit, and trigger workflow execution through the deployment event.
The workflow scope is intended to gate changes to GitHub Actions workflow files. A deployment-triggered path creates a different abuse primitive: workflow execution can be reached through repository and deployment APIs rather than through an obvious workflow-file update. If the targeted workflow has access to npm publishing credentials, GitHub tokens, cloud OIDC roles, or environment secrets, the attacker can turn a repository compromise into package publication, secret theft, and broader CI/CD compromise.
This provides a plausible explanation for the “Dependabot Updates” camouflage in the ImmobiliareLabs repository. A workflow name that appears to describe normal dependency maintenance can hide a deployment-triggered release path, especially if defenders only review pushes, pull requests, or direct modifications to .github/workflows.
GitHub recently introduced workflow execution protections in public preview, allowing organizations and repositories to restrict who can trigger workflows and which events are allowed to run them. Defenders should treat deployment as a high-risk workflow trigger unless it is explicitly required, tightly scoped, and protected by environment rules, branch restrictions, and actor/event allow lists.
This campaign shows why CI/CD event surfaces need to be reviewed as execution boundaries, not just automation conveniences. For Miasma, GitHub Actions is not only a place where secrets can be stolen. It is also a propagation engine: a compromised token or maintainer account can trigger release automation, publish malicious package versions, and create the next wave of infections.
Socket also observed a surge in exfiltration repositories occurring alongside the compromise of packages in the @immobiliarelabs scope. Miasma is designed to turn one compromise into many. Package installation can expose npm tokens, GitHub tokens, cloud credentials, and CI/CD secrets. GitHub tokens can then be used to create repositories, upload encrypted data, modify workflows, poison source repositories, or prepare additional propagation paths.
At this stage, the safest interpretation is that the ImmobiliareLabs package compromise is part of an active propagation wave, not an isolated malicious publish event. Teams should assume that any environment that installed the affected versions may have exposed credentials, even if the package’s normal Backstage functionality appears to work.
Teams that installed any affected ImmobiliareLabs package version should treat the installing environment as compromised until reviewed.
Recommended response:
Identify all developer machines, CI runners, build containers, and Backstage environments that installed or built the affected versions.
Remove the affected versions and restore from known-good package versions and lockfiles.
Rotate npm, GitHub, GitLab, cloud, Kubernetes, Docker, Vault, SSH, Slack, Twilio, and CI/CD secrets exposed to affected environments.
Rotate credentials from a clean machine, not from the potentially infected host.
Review GitHub Actions runs around June 26, 2026, especially deployment-triggered workflows, unexpected release workflows, and workflows named like routine automation.
Audit repositories for injected .github workflows, .github/setup.js, root-level index.js, _index.js, .gemini/settings.json, .claude hooks, .vscode tasks, Cursor rules, and unexplained Bun usage.
Inspect npm publishing workflows for broad tokens, mutable secrets, and excessive GitHub Actions permissions.
Revoke or rotate long-lived maintainer tokens, including tokens used by release automation such as GitHub personal access tokens and npm publishing credentials.
Pin GitHub Actions to immutable full-length commit SHAs where possible.
Restrict publishing workflows to protected branches and minimize OIDC, contents, actions, and package permissions.
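The deployment-trigger primitive described earlier and the last three response items (review deployment-triggered workflows, pin actions to full commit SHAs, minimize workflow permissions) can all be checked from the workflow files themselves. The following is an added example, not Socket's tooling and not ImmobiliareLabs' release.yml: a regex-based audit that needs no YAML library, run over two constructed workflows, one weak (deployment trigger, mutable action tags, write-all permissions) and one hardened. The `@v3` tag on the semantic-release reference and the all-zero commit SHA are constructed placeholders, not claims about which tags or commits exist.

```python
"""Audit GitHub Actions workflow text for the CI/CD weaknesses discussed above.

Added example, not Socket's tooling. Flags three things:
  * a workflow reachable through the `deployment` event,
  * `uses:` references that are not pinned to a 40-hex commit SHA,
  * write-all or write scopes on the workflow-level `permissions:` block.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.M)
WRITE_SCOPES = ("id-token", "contents", "packages", "actions")


def _top_level_block(text, key):
    """Return a column-0 mapping entry (e.g. `on:`) plus its indented children."""
    out, capturing = [], False
    for line in text.splitlines():
        if re.match(rf'^["\']?{key}["\']?:', line):
            out.append(line.split(":", 1)[1])
            capturing = True
            continue
        if capturing:
            if not line.strip() or line[0] in " \t":
                out.append(line)
            else:
                break
    return "\n".join(out)


def audit_workflow(text):
    """Return a list of findings for one workflow file's text."""
    findings = []

    # Trigger surface: deployment / deployment_status reach workflow execution
    # through the deployments API rather than through a workflow-file change.
    if re.search(r"\bdeployment(_status)?\b", _top_level_block(text, "on")):
        findings.append("trigger: workflow runs on the deployment event")

    # Action pinning: a tag or branch can be repointed; a full SHA cannot.
    for m in USES_RE.finditer(text):
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or image references are out of scope here
        if "@" not in ref:
            findings.append(f"uses: {ref} has no version reference")
            continue
        action, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(f"uses: {action} pinned to mutable ref {version!r}, not a commit SHA")

    # Permissions: workflow-level write scopes are inherited by every job.
    perms = _top_level_block(text, "permissions")
    if re.search(r"\bwrite-all\b", perms):
        findings.append("permissions: write-all at workflow level")
    else:
        for scope in WRITE_SCOPES:
            if re.search(rf"\b{scope}:\s*write\b", perms):
                findings.append(f"permissions: {scope}: write at workflow level")
    return findings


# Constructed weak workflow: routine-looking name, deployment trigger,
# mutable action tags, blanket permissions, publishing token in scope.
WEAK_WORKFLOW = """\
name: Dependabot Updates
on: deployment
permissions: write-all
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codfish/semantic-release-action@v3
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened workflow: protected-branch trigger, read-only default
# permissions, job-scoped OIDC, SHA-pinned action (placeholder SHA).
HARDENED_WORKFLOW = """\
name: Release
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    environment: npm-publish
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - run: npm ci && npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or "no findings")
```

Pointed at a repository (`for p in .github/workflows/*.yml`), the audit gives a quick triage list for the review step above; job-level `permissions:` blocks are intentionally not flagged, since scoping `id-token: write` to the single publishing job is the shape the hardened workflow shows.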
The ImmobiliareLabs compromise is a new wave of the same broader Miasma Mini Shai-Hulud campaign we reported on yesterday. Some indicators are specific to this wave, including the affected @immobiliarelabs package versions and the GitHub Actions activity tied to the ImmobiliareLabs repositories. Other indicators overlap with the previous LeoPlatform, RStreams, Verana, and GitHub Actions activity, because the campaign continues to reuse the same execution patterns, staging logic, repository-poisoning techniques, AI/IDE persistence paths, and credential-theft objectives.
Defenders should therefore treat the indicators below as additive to the campaign-level IOCs published in our previous report, not as a standalone set. In particular, teams should continue hunting for Miasma’s shared markers: unexpected binding.gyp files in packages that should not require native builds, large obfuscated index.js or _index.js payloads, Bun download or execution activity, injected .github workflows, AI coding assistant configuration hooks, suspicious Dependabot- or Copilot-themed workflow names, and campaign strings such as RevokeAndItGoesKaboom and Alright Lets See If This Works.
The wave-specific indicators below focus on the ImmobiliareLabs package compromise and related GitHub Actions activity observed on June 26, 2026.