{"slug": "miasma-mini-shai-hulud-hits-leoplatform-npm-packages-and-github-actions-expands", "title": "Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem", "summary": "A new supply chain attack wave from the Mini Shai-Hulud, Miasma, and Hades malware family has compromised LeoPlatform and RStreams npm packages, GitHub Actions workflows, and the Verana Blockchain Go module, using malicious npm releases, GitHub Actions secret theft, and AI coding assistant persistence to steal credentials and spread across developer ecosystems.", "body_md": "Security News\n\n[Frontier AI Is Now Critical Infrastructure](/blog/frontier-ai-is-now-critical-infrastructure)\n\nThe Fable shutdown shows how quickly model access can become a business continuity risk for AI-dependent engineering teams.\n\nMini Shai-Hulud expands into the Go ecosystem after hitting LeoPlatform npm packages and targeting GitHub Actions workflows.\n\nJune 25, 2026\n\n9 min read\n\nLatest wave affects LeoPlatform/RStreams npm packages, three`llxlr`\n\n-published npm packages, the Verana Blockchain Go module, and GitHub Actions/developer-tool workflows.\n\nSocket Threat Research is tracking a new supply chain attack wave tied to the Mini Shai-Hulud, Miasma, and Hades malware family. The latest activity includes malicious npm releases affecting `LeoPlatform`\n\nand `RStreams`\n\npackages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project. While many of the affected npm packages were published through the `czirker`\n\naccount, the activity is not limited to that publisher: three additional malicious packages, `hexo-deployer-wrangler`\n\n, `hexo-shoka-swiper`\n\n, and `prism-silq`\n\n, were published by the npm user [ llxlr](https://socket.dev/npm/user/llxlr).\n\nThis wave combines npm registry poisoning, `binding.gyp`\n\ninstall-time execution, Bun-staged JavaScript malware, GitHub dead-drop infrastructure, GitHub Actions secret theft, AI coding assistant persistence, developer-tool execution hooks, and encrypted credential exfiltration. The campaign overlaps with recent GitHub Actions compromises that use the same operational markers, including `RevokeAndItGoesKaboom`\n\n.\n\nThe Verana finding expands the campaign beyond npm, but the execution path is not Go-native. The malicious payload is staged through source-repository configuration, including Claude and VS Code hooks, meaning a developer may trigger it by opening or working in the repository rather than by normal Go module build logic.\n\nThe campaign continues the pattern seen across recent Mini Shai-Hulud, Miasma, and Hades waves: compromise developer or maintainer credentials, plant a small execution trigger, stage a larger obfuscated payload through Bun, steal secrets from developer and CI/CD environments, and use the stolen access to spread across package registries, repositories, and trusted developer workflows.\n\nSocket has been tracking this broader Mini Shai-Hulud, Miasma, and Hades activity across prior campaigns, including earlier coverage \"[Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave](https://socket.dev/blog/shai-hulud-descends-to-hades-miasma-pypi-wave)\" and \"[Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels](https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious)\".\n\nThe Go security team acted quickly after we notified them, promptly reviewing the report and coordinating remediation. Socket [notified Verana maintainers on GitHub](https://github.com/verana-labs/verana/issues/350) to alert them to the compromise.\n\nThe malicious npm releases were published in a tight window on June 24, 2026. The affected packages are part of the LeoPlatform and RStreams ecosystems, including SDK, CLI, AWS, cron, logging, connector, and serverless packages used in data pipeline and cloud integration workflows.\n\nThe package set includes the following affected versions:\n\n`hexo-deployer-wrangler@1.0.4`\n\n`hexo-shoka-swiper@0.1.10`\n\n`leo-auth@4.0.6`\n\n`leo-aws@2.0.4`\n\n`leo-cache@1.0.2`\n\n`leo-cdk-lib@0.0.2`\n\n`leo-cli@3.0.3`\n\n`leo-config@1.1.1`\n\n`leo-connector-elasticsearch@2.0.6`\n\n`leo-connector-mongo@3.0.8`\n\n`leo-connector-mysql@3.0.3`\n\n`leo-connector-oracle@2.0.1`\n\n`leo-connector-redshift@3.0.6`\n\n`leo-cron@2.0.2`\n\n`leo-logger@1.0.8`\n\n`leo-sdk@6.0.19`\n\n`leo-streams@2.0.1`\n\n`prism-silq@1.0.1`\n\n`rstreams-metrics@2.0.2`\n\n`rstreams-shard-util@1.0.1`\n\n`serverless-convention@2.0.4`\n\n`serverless-leo@3.0.14`\n\n`solo-nav@1.0.1`\n\nThis remains an ongoing investigation, and we will continue to update our findings as new information comes to light. We are tracking the full campaign on a dedicated page, with all affected artifacts added as they are identified: [https://socket.dev/supply-chain-attacks/miasma-mini-shai-hulud-supply-chain-attack](https://socket.dev/supply-chain-attacks/miasma-mini-shai-hulud-supply-chain-attack).\n\n`binding.gyp`\n\nThe current LeoPlatform wave uses the “Phantom Gyp” execution pattern that has become a defining feature of newer Miasma activity. Instead of relying on a visible `preinstall`\n\nor `postinstall`\n\nscript in `package.json`\n\n, the malicious packages add a `binding.gyp`\n\nfile. npm automatically invokes `node-gyp`\n\nwhen this file is present. The malicious `binding.gyp`\n\nuses command expansion to execute JavaScript during the build configuration phase.\n\nA package with no obvious `preinstall`\n\nscript can still execute arbitrary code during installation if `binding.gyp`\n\nis present and invokes a shell expansion. In the LeoPlatform packages, the trigger executes the package’s replaced `index.js`\n\n, which is no longer normal library code. It is a large one-line JavaScript loader.\n\nThe loader follows the Miasma/Hades pattern. The first layer uses a Caesar-style letter shift and immediate `eval()`\n\nexecution. The next layer decrypts embedded AES-GCM payloads. The final payload uses JavaScript-obfuscator-style string hiding, lookup tables, and runtime reconstruction of meaningful strings.\n\nThe loader also adds or relies on Bun. If Bun is not present, the malware attempts to download or install it, then runs the main payload through `bun run`\n\n. This continues a broader shift in the campaign toward Bun-staged malware, likely because many Node.js-focused security hooks and runtime controls do not observe Bun execution with the same depth.\n\nThe high-level execution chain is:\n\n`binding.gyp`\n\n`node-gyp`\n\nexecutes the embedded command expansion`index.js`\n\ndecodes and evaluates the first-stage loaderThe payload is designed for environments where source code, cloud identity, package publishing, and AI coding tools overlap. The current activity shows collection logic for `.env`\n\nfiles, npm and PyPI tokens, GitHub tokens, Slack tokens, Twilio tokens, SSH keys, Docker authentication files, Kubernetes configs, AWS credentials, Azure credentials, GCP credentials, Vault data, shell history, CI secrets, and IDE or AI-agent configuration paths.\n\nThe payload also performs security product checks for common EDR, endpoint, and fleet tooling, including CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black, Cylance, osquery, Tanium, Qualys, and others. Like earlier Miasma activity, it includes a Russian locale guard.\n\nThe credential target list is not random. It reflects a worm built to move through software supply chains. Package registry credentials allow malicious republishes. GitHub tokens allow repository poisoning. CI/CD secrets allow cloud and production access. AI-agent configuration files allow persistence on developer machines.\n\nThis wave heavily targets GitHub Actions. The malware searches for workflows that publish packages, especially workflows using npm publishing, yarn publishing, GitHub OIDC, or package registry tokens. In CI environments, it attempts to collect secrets directly from the runner context and from runner memory. It also uses GitHub API behavior for staging and exfiltration, including repository creation and content upload paths.\n\nA recurring workflow template in this family is named `Run Copilot`\n\n. Its purpose is not to run Copilot. It is designed to blend in with AI-assisted development workflows while dumping GitHub Actions secrets into an uploaded artifact.\n\nSeparately, the LeoPlatform compromise included repository-level poisoning. Public reporting describes orphan `snapshot-*`\n\nbranches pushed to LeoPlatform repositories, with a fake dependency-update workflow and a large `_index.js`\n\npayload. The workflow was named to look like Dependabot activity and requested GitHub Actions permissions relevant to publishing.\n\nThe important point for defenders is that this is not only an npm install problem. If the malware has a GitHub token with sufficient scope, it can alter repositories, add workflows, poison branches, and plant persistence hooks that fire later.\n\n`RevokeAndItGoesKaboom`\n\nconnects the LeoPlatform wave to GitHub Actions compromisesOne of the strongest campaign-level markers is `RevokeAndItGoesKaboom`\n\n. This marker appears in the LeoPlatform/Miasma activity and in the codfish/semantic-release-action compromise documented by StepSecurity. In the codfish case, the malicious action searched GitHub commits for `RevokeAndItGoesKaboom`\n\nmessages and used them as an operator token dead-drop channel.\n\nThe same marker now appears in GitHub commit search results associated with repositories created during the “Alright Lets See If This Works” wave. This links the npm package compromise, GitHub dead-drop behavior, and GitHub Actions compromises into the same operational cluster or tooling lineage.\n\nThe codfish/semantic-release-action compromise is important context for this wave. In that incident, attackers force-pushed malicious commits and repointed version tags so downstream workflows using mutable tags executed attacker-controlled code inside GitHub Actions runners. The malicious action switched execution toward Bun and ran obfuscated JavaScript from the action context.\n\nThe same broader tradecraft appears again: Bun runtime staging, GitHub token theft, encrypted collection, GitHub API exfiltration, AI coding assistant persistence, and Russian locale checks.\n\nOne additional investigative lead is the project’s workflow hardening after the compromise. A merged fix changed a validation workflow away from `pull_request_target`\n\n, while the prior workflow combined `pull_request_target`\n\nwith checkout of the pull request head SHA. That pattern is a known “pwn request” risk because it can execute untrusted pull request code in a privileged base-repository context.\n\nCompromise of this action has a potential to cause additional cascading infections of the dependent GitHub repositories. Official GitHub numbers state that 1,442 repositories depend on this action, which should be a reason to monitor this campaign in the upcoming days.\n\nMiasma’s AI-agent targeting remains one of its clearest differentiators. The malware plants hooks for developer tools and coding agents, including Claude, VS Code, Cursor, Gemini, Copilot-related configuration paths, and other agent or IDE ecosystems. These hooks are designed to execute the payload when a developer opens a repository, starts an agent session, or triggers a folder-open task.\n\nThis turns a poisoned repository into a delayed execution surface. A developer may clone or pull a repository after the original npm compromise has been remediated, open it in an IDE or AI coding tool, and trigger the malware locally.\n\nThis is why cleanup cannot stop at removing malicious package versions. Teams also need to audit repositories for injected configuration files, suspicious folder-open tasks, Claude or Gemini session hooks, Cursor rules, and `.github/setup.js`\n\nor `_index.js`\n\npayloads.\n\nSocket also identified the same payload family in a Go module/source archive for [ github.com/verana-labs/verana-blockchain@v0.10.1-dev.20](http://github.com/verana-labs/verana-blockchain@v0.10.1-dev.20https://socket.dev/go/package/github.com/verana-labs/verana-blockchain?version=v0.10.1-dev.20), associated with the Verana Blockchain project. Verana is a Cosmos SDK-based Layer 1 implementation of a Verifiable Public Registry for decentralized trust ecosystems.\n\nThis finding expands the campaign beyond npm package installation. The archive contains a large obfuscated payload at [ .claude/index.js](https://socket.dev/go/package/github.com/verana-labs/verana-blockchain?section=files&version=v0.10.1-dev.20&path=.claude%2Findex.js), Bun launcher scripts at\n\n`.claude/setup.mjs`\n\nand `.vscode/setup.mjs`\n\n, and a VS Code folder-open task that executes `node .claude/setup.mjs`\n\n. The launcher downloads or resolves Bun, then runs the obfuscated payload.The payload follows the same Miasma execution pattern observed in malicious npm packages: ROT-style decoding, immediate `eval()`\n\n, AES-GCM-decrypted embedded stages, Bun-staged execution, broad developer and CI/CD secret collection, GitHub Actions and OIDC abuse, encrypted exfiltration, AI/IDE hook persistence, and EDR/security tooling checks.\n\nUnlike the npm packages, this sample does not rely on `binding.gyp`\n\n. The risk is source-repository execution: a developer who clones or opens the repository in a trusted IDE or AI coding assistant environment may trigger the payload through project configuration. This reinforces the larger campaign theme: Miasma is moving across package ecosystems by targeting developer workflows, not just package-manager install hooks.\n\nTeams that installed any affected package version should treat the installing environment as compromised until reviewed.\n\nRecommended response:\n\n`.github/setup.js`\n\n, `_index.js`\n\n, orphan branches, suspicious Dependabot-like commits, and unexplained Bun usage.`pull_request_target`\n\n, especially workflows that check out pull request head code or run build/test commands on untrusted pull request content.`binding.gyp`\n\n: `32d1bc728d8e504952083a6adc488c309a401c7df4dc8f47b382ce32e4aebe21`\n\n`leo-logger@1.0.8`\n\n— `index.js`\n\n: `57ba86f6f0caaa580c1dccdf4ed7873d1470e5ea2f8e9ca7a989dc04899f13c0`\n\n`leo-logger@1.0.8`\n\n— `package.json`\n\n: `4a0aa78757958683155a7b9289427fb829abcad1bf5ee6399eb73e8409b0bc11`\n\n`leo-sdk@6.0.19`\n\n— `index.js`\n\n: `026588d39b7c650b5c0dfbba6c6fcc0e7ec8e3b72ba8639012e7f71c708f2c3b`\n\n`leo-auth@4.0.6`\n\n— `index.js`\n\n: `df9ea0c71574e11c93141ad2f018a63a5375cd6d69ca2f744732ad7814170657`\n\n`leo-aws@2.0.4`\n\n— `index.js`\n\n: `1a3b9ed0b377f56f49b9a703612cf45e86ab7d100587e1e7a476d809fe337a8c`\n\n`leo-sdk@6.0.19`\n\n— npm tarball: `f565988f281bf77bcad26ea7f543617e53da4b62f5df63d4f7a89bae1729cf81`\n\n`leo-auth@4.0.6`\n\n— npm tarball: `a934a5bcf692b9d01e8129bf264be23809dfee464df471d75a9f3fa1bcede343`\n\n`leo-aws@2.0.4`\n\n— npm tarball: `f7c47be306351ffacd46584d2067f7be676dbfe17cd89ab4880632decfe18f3d`\n\n`leo-cli@3.0.3`\n\n— npm tarball: `3da2ca129c9920d9acd2e3477aee8f46b5a5f0e9537ad6e7b6ab1df1007adad1`\n\n`binding.gyp`\n\nadded to packages that previously did not require native build behavior`index.js`\n\nreplaced with a very large single-line obfuscated payload`bun`\n\ndependency in `package.json`\n\n`_index.js`\n\npayloads in GitHub repositories`.github/setup.js`\n\npayloads in poisoned repositories`.claude/settings.json`\n\n`.claude/setup.mjs`\n\n`.gemini/settings.json`\n\n`.cursor/rules/setup.mdc`\n\n`.vscode/tasks.json`\n\nwith folder-open execution behavior`node-gyp rebuild`\n\nactivity in packages that should be pure JavaScript`Alright Lets See If This Works`\n\n`RevokeAndItGoesKaboom`\n\n`TheBeautifulSandsOfTime`\n\n`thebeautifulmarchoftime`\n\n`thebeautifulsnadsoftime`\n\n`verana-blockchain-v0.10.1-dev.20.zip`\n\n: `b3e217f4354e8a4383038b99b0bcaeaff191a79df58e7a1f2355a79aac2faf13`\n\n`.claude/index.js`\n\n: `15b415ae41df72acf1f7e9e67569531d41dee62d089d34b4c0fab0c7fe5cc14f`\n\n`.claude/setup.mjs`\n\n: `6cb3fc3650355973b8a1ed86619a3f412fb0700f29c1c3a736cada4c2c76a9f7`\n\n`.vscode/setup.mjs`\n\n: `6cb3fc3650355973b8a1ed86619a3f412fb0700f29c1c3a736cada4c2c76a9f7`\n\n`.claude/settings.json`\n\n: `6a861a479f45fe53f067091414332248bc027ffc396116811d12e57a6ff71250`\n\n`.vscode/tasks.json`\n\n: `927387d0cfac1118df4b383decc2ea6ba49c9d2f98b47098bcbcba1efc026e1f`\n\n`1a0e1daeaea87cab5610a3cc2aa72e7c6f1abfe55959a156368bcfa6585fa6ce`\n\n`ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108`\n\n`9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015`\n\nSubscribe to our newsletter\n\nGet notified when we publish new security blog posts!\n\nSecurity News\n\nThe Fable shutdown shows how quickly model access can become a business continuity risk for AI-dependent engineering teams.\n\nSecurity News\n\nAI agents are pulling packages into environments no scanner is watching, creating exposure before security teams can see it.\n\nSecurity News\n\nGitHub Actions checkout now blocks risky pull_request_target checkouts by default to help prevent pwn request supply chain attacks.", "url": "https://wpnews.pro/news/miasma-mini-shai-hulud-hits-leoplatform-npm-packages-and-github-actions-expands", "canonical_source": "https://socket.dev/blog/miasma-mini-shai-hulud-hits-leoplatform-npm-packages-go-ecosystem?utm_medium=feed", "published_at": "2026-06-25 17:44:04+00:00", "updated_at": "2026-06-25 18:49:08.372308+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "developer-tools"], "entities": ["LeoPlatform", "RStreams", "Verana Blockchain", "GitHub Actions", "Socket", "Mini Shai-Hulud", "Miasma", "Hades"], "alternates": {"html": "https://wpnews.pro/news/miasma-mini-shai-hulud-hits-leoplatform-npm-packages-and-github-actions-expands", "markdown": "https://wpnews.pro/news/miasma-mini-shai-hulud-hits-leoplatform-npm-packages-and-github-actions-expands.md", "text": "https://wpnews.pro/news/miasma-mini-shai-hulud-hits-leoplatform-npm-packages-and-github-actions-expands.txt", "jsonld": "https://wpnews.pro/news/miasma-mini-shai-hulud-hits-leoplatform-npm-packages-and-github-actions-expands.jsonld"}}