Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem

Blog post from Socket

Post Details
Company:
Date Published:
Author: Socket Research Team
Word Count: 2,226
Company Posts That Month: 27
Language: English
Hacker News Points: -
Summary

A recent wave of supply chain attacks has targeted npm packages, GitHub Actions, and a Go module, affecting ecosystems like LeoPlatform and RStreams with malware from the Mini Shai-Hulud, Miasma, and Hades family. The attack involves npm registry poisoning, malicious GitHub workflows, and AI coding assistant persistence, aiming to steal credentials and propagate through developer environments. The attack features sophisticated techniques such as using binding.gyp for install-time execution, Bun-staged JavaScript malware, and secret theft via GitHub Actions. Notably, the attack also extends to the Verana Blockchain project, indicating a broader campaign beyond npm installations. The malware employs a complex multi-layered payload execution pattern using ROT and AES-GCM for obfuscation and targets various developer credentials and CI/CD secrets, exploiting IDE and AI-agent hooks for persistence. The campaign is marked by GitHub dead-drop infrastructure and has ties to previous compromises, emphasizing the need for rigorous security audits and secret rotations for affected environments.

Trends Found in this Post
| Trend | Post Mentions | Total Month Mentions | Posts | Companies | MoM |
|---|---|---|---|---|---|
| AI Coding Assistant | 13 | 1,586 | 431 | 148 | -12% |
| Secrets Management | 9 | 2,063 | 322 | 117 | -4% |
| Serverless | 3 | 1,011 | 235 | 82 | -44% |
| Kubernetes | 2 | 1,993 | 294 | 100 | +1% |
| Data Pipeline | 1 | 441 | 203 | 86 | -29% |
| MCP | 1 | 6,026 | 689 | 188 | -15% |