# Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem > Source: > Published: 2026-06-25 17:44:04+00:00 Security News [Frontier AI Is Now Critical Infrastructure](/blog/frontier-ai-is-now-critical-infrastructure) The Fable shutdown shows how quickly model access can become a business continuity risk for AI-dependent engineering teams. Mini Shai-Hulud expands into the Go ecosystem after hitting LeoPlatform npm packages and targeting GitHub Actions workflows. June 25, 2026 9 min read Latest wave affects LeoPlatform/RStreams npm packages, three`llxlr` -published npm packages, the Verana Blockchain Go module, and GitHub Actions/developer-tool workflows. Socket Threat Research is tracking a new supply chain attack wave tied to the Mini Shai-Hulud, Miasma, and Hades malware family. The latest activity includes malicious npm releases affecting `LeoPlatform` and `RStreams` packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project. While many of the affected npm packages were published through the `czirker` account, the activity is not limited to that publisher: three additional malicious packages, `hexo-deployer-wrangler` , `hexo-shoka-swiper` , and `prism-silq` , were published by the npm user [ llxlr](https://socket.dev/npm/user/llxlr). This wave combines npm registry poisoning, `binding.gyp` install-time execution, Bun-staged JavaScript malware, GitHub dead-drop infrastructure, GitHub Actions secret theft, AI coding assistant persistence, developer-tool execution hooks, and encrypted credential exfiltration. The campaign overlaps with recent GitHub Actions compromises that use the same operational markers, including `RevokeAndItGoesKaboom` . The Verana finding expands the campaign beyond npm, but the execution path is not Go-native. The malicious payload is staged through source-repository configuration, including Claude and VS Code hooks, meaning a developer may trigger it by opening or working in the repository rather than by normal Go module build logic. The campaign continues the pattern seen across recent Mini Shai-Hulud, Miasma, and Hades waves: compromise developer or maintainer credentials, plant a small execution trigger, stage a larger obfuscated payload through Bun, steal secrets from developer and CI/CD environments, and use the stolen access to spread across package registries, repositories, and trusted developer workflows. Socket has been tracking this broader Mini Shai-Hulud, Miasma, and Hades activity across prior campaigns, including earlier coverage "[Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave](https://socket.dev/blog/shai-hulud-descends-to-hades-miasma-pypi-wave)" and "[Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels](https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious)". The Go security team acted quickly after we notified them, promptly reviewing the report and coordinating remediation. Socket [notified Verana maintainers on GitHub](https://github.com/verana-labs/verana/issues/350) to alert them to the compromise. The malicious npm releases were published in a tight window on June 24, 2026. The affected packages are part of the LeoPlatform and RStreams ecosystems, including SDK, CLI, AWS, cron, logging, connector, and serverless packages used in data pipeline and cloud integration workflows. The package set includes the following affected versions: `hexo-deployer-wrangler@1.0.4` `hexo-shoka-swiper@0.1.10` `leo-auth@4.0.6` `leo-aws@2.0.4` `leo-cache@1.0.2` `leo-cdk-lib@0.0.2` `leo-cli@3.0.3` `leo-config@1.1.1` `leo-connector-elasticsearch@2.0.6` `leo-connector-mongo@3.0.8` `leo-connector-mysql@3.0.3` `leo-connector-oracle@2.0.1` `leo-connector-redshift@3.0.6` `leo-cron@2.0.2` `leo-logger@1.0.8` `leo-sdk@6.0.19` `leo-streams@2.0.1` `prism-silq@1.0.1` `rstreams-metrics@2.0.2` `rstreams-shard-util@1.0.1` `serverless-convention@2.0.4` `serverless-leo@3.0.14` `solo-nav@1.0.1` This remains an ongoing investigation, and we will continue to update our findings as new information comes to light. We are tracking the full campaign on a dedicated page, with all affected artifacts added as they are identified: [https://socket.dev/supply-chain-attacks/miasma-mini-shai-hulud-supply-chain-attack](https://socket.dev/supply-chain-attacks/miasma-mini-shai-hulud-supply-chain-attack). `binding.gyp` The current LeoPlatform wave uses the “Phantom Gyp” execution pattern that has become a defining feature of newer Miasma activity. Instead of relying on a visible `preinstall` or `postinstall` script in `package.json` , the malicious packages add a `binding.gyp` file. npm automatically invokes `node-gyp` when this file is present. The malicious `binding.gyp` uses command expansion to execute JavaScript during the build configuration phase. A package with no obvious `preinstall` script can still execute arbitrary code during installation if `binding.gyp` is present and invokes a shell expansion. In the LeoPlatform packages, the trigger executes the package’s replaced `index.js` , which is no longer normal library code. It is a large one-line JavaScript loader. The loader follows the Miasma/Hades pattern. The first layer uses a Caesar-style letter shift and immediate `eval()` execution. The next layer decrypts embedded AES-GCM payloads. The final payload uses JavaScript-obfuscator-style string hiding, lookup tables, and runtime reconstruction of meaningful strings. The loader also adds or relies on Bun. If Bun is not present, the malware attempts to download or install it, then runs the main payload through `bun run` . This continues a broader shift in the campaign toward Bun-staged malware, likely because many Node.js-focused security hooks and runtime controls do not observe Bun execution with the same depth. The high-level execution chain is: `binding.gyp` `node-gyp` executes the embedded command expansion`index.js` decodes and evaluates the first-stage loaderThe payload is designed for environments where source code, cloud identity, package publishing, and AI coding tools overlap. The current activity shows collection logic for `.env` files, npm and PyPI tokens, GitHub tokens, Slack tokens, Twilio tokens, SSH keys, Docker authentication files, Kubernetes configs, AWS credentials, Azure credentials, GCP credentials, Vault data, shell history, CI secrets, and IDE or AI-agent configuration paths. The payload also performs security product checks for common EDR, endpoint, and fleet tooling, including CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black, Cylance, osquery, Tanium, Qualys, and others. Like earlier Miasma activity, it includes a Russian locale guard. The credential target list is not random. It reflects a worm built to move through software supply chains. Package registry credentials allow malicious republishes. GitHub tokens allow repository poisoning. CI/CD secrets allow cloud and production access. AI-agent configuration files allow persistence on developer machines. This wave heavily targets GitHub Actions. The malware searches for workflows that publish packages, especially workflows using npm publishing, yarn publishing, GitHub OIDC, or package registry tokens. In CI environments, it attempts to collect secrets directly from the runner context and from runner memory. It also uses GitHub API behavior for staging and exfiltration, including repository creation and content upload paths. A recurring workflow template in this family is named `Run Copilot` . Its purpose is not to run Copilot. It is designed to blend in with AI-assisted development workflows while dumping GitHub Actions secrets into an uploaded artifact. Separately, the LeoPlatform compromise included repository-level poisoning. Public reporting describes orphan `snapshot-*` branches pushed to LeoPlatform repositories, with a fake dependency-update workflow and a large `_index.js` payload. The workflow was named to look like Dependabot activity and requested GitHub Actions permissions relevant to publishing. The important point for defenders is that this is not only an npm install problem. If the malware has a GitHub token with sufficient scope, it can alter repositories, add workflows, poison branches, and plant persistence hooks that fire later. `RevokeAndItGoesKaboom` connects the LeoPlatform wave to GitHub Actions compromisesOne of the strongest campaign-level markers is `RevokeAndItGoesKaboom` . This marker appears in the LeoPlatform/Miasma activity and in the codfish/semantic-release-action compromise documented by StepSecurity. In the codfish case, the malicious action searched GitHub commits for `RevokeAndItGoesKaboom` messages and used them as an operator token dead-drop channel. The same marker now appears in GitHub commit search results associated with repositories created during the “Alright Lets See If This Works” wave. This links the npm package compromise, GitHub dead-drop behavior, and GitHub Actions compromises into the same operational cluster or tooling lineage. The codfish/semantic-release-action compromise is important context for this wave. In that incident, attackers force-pushed malicious commits and repointed version tags so downstream workflows using mutable tags executed attacker-controlled code inside GitHub Actions runners. The malicious action switched execution toward Bun and ran obfuscated JavaScript from the action context. The same broader tradecraft appears again: Bun runtime staging, GitHub token theft, encrypted collection, GitHub API exfiltration, AI coding assistant persistence, and Russian locale checks. One additional investigative lead is the project’s workflow hardening after the compromise. A merged fix changed a validation workflow away from `pull_request_target` , while the prior workflow combined `pull_request_target` with checkout of the pull request head SHA. That pattern is a known “pwn request” risk because it can execute untrusted pull request code in a privileged base-repository context. Compromise of this action has a potential to cause additional cascading infections of the dependent GitHub repositories. Official GitHub numbers state that 1,442 repositories depend on this action, which should be a reason to monitor this campaign in the upcoming days. Miasma’s AI-agent targeting remains one of its clearest differentiators. The malware plants hooks for developer tools and coding agents, including Claude, VS Code, Cursor, Gemini, Copilot-related configuration paths, and other agent or IDE ecosystems. These hooks are designed to execute the payload when a developer opens a repository, starts an agent session, or triggers a folder-open task. This turns a poisoned repository into a delayed execution surface. A developer may clone or pull a repository after the original npm compromise has been remediated, open it in an IDE or AI coding tool, and trigger the malware locally. This is why cleanup cannot stop at removing malicious package versions. Teams also need to audit repositories for injected configuration files, suspicious folder-open tasks, Claude or Gemini session hooks, Cursor rules, and `.github/setup.js` or `_index.js` payloads. Socket also identified the same payload family in a Go module/source archive for [ github.com/verana-labs/verana-blockchain@v0.10.1-dev.20](http://github.com/verana-labs/verana-blockchain@v0.10.1-dev.20https://socket.dev/go/package/github.com/verana-labs/verana-blockchain?version=v0.10.1-dev.20), associated with the Verana Blockchain project. Verana is a Cosmos SDK-based Layer 1 implementation of a Verifiable Public Registry for decentralized trust ecosystems. This finding expands the campaign beyond npm package installation. The archive contains a large obfuscated payload at [ .claude/index.js](https://socket.dev/go/package/github.com/verana-labs/verana-blockchain?section=files&version=v0.10.1-dev.20&path=.claude%2Findex.js), Bun launcher scripts at `.claude/setup.mjs` and `.vscode/setup.mjs` , and a VS Code folder-open task that executes `node .claude/setup.mjs` . The launcher downloads or resolves Bun, then runs the obfuscated payload.The payload follows the same Miasma execution pattern observed in malicious npm packages: ROT-style decoding, immediate `eval()` , AES-GCM-decrypted embedded stages, Bun-staged execution, broad developer and CI/CD secret collection, GitHub Actions and OIDC abuse, encrypted exfiltration, AI/IDE hook persistence, and EDR/security tooling checks. Unlike the npm packages, this sample does not rely on `binding.gyp` . The risk is source-repository execution: a developer who clones or opens the repository in a trusted IDE or AI coding assistant environment may trigger the payload through project configuration. This reinforces the larger campaign theme: Miasma is moving across package ecosystems by targeting developer workflows, not just package-manager install hooks. Teams that installed any affected package version should treat the installing environment as compromised until reviewed. Recommended response: `.github/setup.js` , `_index.js` , orphan branches, suspicious Dependabot-like commits, and unexplained Bun usage.`pull_request_target` , especially workflows that check out pull request head code or run build/test commands on untrusted pull request content.`binding.gyp` : `32d1bc728d8e504952083a6adc488c309a401c7df4dc8f47b382ce32e4aebe21` `leo-logger@1.0.8` — `index.js` : `57ba86f6f0caaa580c1dccdf4ed7873d1470e5ea2f8e9ca7a989dc04899f13c0` `leo-logger@1.0.8` — `package.json` : `4a0aa78757958683155a7b9289427fb829abcad1bf5ee6399eb73e8409b0bc11` `leo-sdk@6.0.19` — `index.js` : `026588d39b7c650b5c0dfbba6c6fcc0e7ec8e3b72ba8639012e7f71c708f2c3b` `leo-auth@4.0.6` — `index.js` : `df9ea0c71574e11c93141ad2f018a63a5375cd6d69ca2f744732ad7814170657` `leo-aws@2.0.4` — `index.js` : `1a3b9ed0b377f56f49b9a703612cf45e86ab7d100587e1e7a476d809fe337a8c` `leo-sdk@6.0.19` — npm tarball: `f565988f281bf77bcad26ea7f543617e53da4b62f5df63d4f7a89bae1729cf81` `leo-auth@4.0.6` — npm tarball: `a934a5bcf692b9d01e8129bf264be23809dfee464df471d75a9f3fa1bcede343` `leo-aws@2.0.4` — npm tarball: `f7c47be306351ffacd46584d2067f7be676dbfe17cd89ab4880632decfe18f3d` `leo-cli@3.0.3` — npm tarball: `3da2ca129c9920d9acd2e3477aee8f46b5a5f0e9537ad6e7b6ab1df1007adad1` `binding.gyp` added to packages that previously did not require native build behavior`index.js` replaced with a very large single-line obfuscated payload`bun` dependency in `package.json` `_index.js` payloads in GitHub repositories`.github/setup.js` payloads in poisoned repositories`.claude/settings.json` `.claude/setup.mjs` `.gemini/settings.json` `.cursor/rules/setup.mdc` `.vscode/tasks.json` with folder-open execution behavior`node-gyp rebuild` activity in packages that should be pure JavaScript`Alright Lets See If This Works` `RevokeAndItGoesKaboom` `TheBeautifulSandsOfTime` `thebeautifulmarchoftime` `thebeautifulsnadsoftime` `verana-blockchain-v0.10.1-dev.20.zip` : `b3e217f4354e8a4383038b99b0bcaeaff191a79df58e7a1f2355a79aac2faf13` `.claude/index.js` : `15b415ae41df72acf1f7e9e67569531d41dee62d089d34b4c0fab0c7fe5cc14f` `.claude/setup.mjs` : `6cb3fc3650355973b8a1ed86619a3f412fb0700f29c1c3a736cada4c2c76a9f7` `.vscode/setup.mjs` : `6cb3fc3650355973b8a1ed86619a3f412fb0700f29c1c3a736cada4c2c76a9f7` `.claude/settings.json` : `6a861a479f45fe53f067091414332248bc027ffc396116811d12e57a6ff71250` `.vscode/tasks.json` : `927387d0cfac1118df4b383decc2ea6ba49c9d2f98b47098bcbcba1efc026e1f` `1a0e1daeaea87cab5610a3cc2aa72e7c6f1abfe55959a156368bcfa6585fa6ce` `ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108` `9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015` Subscribe to our newsletter Get notified when we publish new security blog posts! Security News The Fable shutdown shows how quickly model access can become a business continuity risk for AI-dependent engineering teams. Security News AI agents are pulling packages into environments no scanner is watching, creating exposure before security teams can see it. Security News GitHub Actions checkout now blocks risky pull_request_target checkouts by default to help prevent pwn request supply chain attacks.