Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem
Blog post from Socket
A recent wave of supply chain attacks has targeted npm packages, GitHub Actions, and a Go module, affecting ecosystems like LeoPlatform and RStreams with malware from the Mini Shai-Hulud, Miasma, and Hades family. The attack involves npm registry poisoning, malicious GitHub workflows, and AI coding assistant persistence, aiming to steal credentials and propagate through developer environments. The attack features sophisticated techniques such as using binding.gyp for install-time execution, Bun-staged JavaScript malware, and secret theft via GitHub Actions. Notably, the attack also extends to the Verana Blockchain project, indicating a broader campaign beyond npm installations. The malware employs a complex multi-layered payload execution pattern using ROT and AES-GCM for obfuscation and targets various developer credentials and CI/CD secrets, exploiting IDE and AI-agent hooks for persistence. The campaign is marked by GitHub dead-drop infrastructure and has ties to previous compromises, emphasizing the need for rigorous security audits and secret rotations for affected environments.
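The summary names binding.gyp as the install-time execution vector. The following is an added example, not code from the Socket post or the affected projects: a Python audit that lists installed packages shipping a root-level binding.gyp, whether npm would build them implicitly with `node-gyp rebuild`, and any gyp command expansions (`<!(...)`) that need review. The package name `@example/native-addon` and the `scripts/configure.js` path are constructed sample values.

```python
import json
import re
import sys
import tempfile
from pathlib import Path

# gyp runs <!(cmd) and <!@(cmd) as shell commands while it parses binding.gyp.
GYP_COMMAND = re.compile(r"<!@?\(([^\n]*)\)")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def audit_package(pkg_dir):
    """Summarise what installing a package that ships binding.gyp would run."""
    pkg_dir = Path(pkg_dir)
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        manifest = {}  # unreadable manifest: still report the binding.gyp
    manifest = manifest if isinstance(manifest, dict) else {}
    scripts = manifest.get("scripts")
    scripts = scripts if isinstance(scripts, dict) else {}
    gyp_text = (pkg_dir / "binding.gyp").read_text(encoding="utf-8", errors="replace")
    return {
        "package": manifest.get("name", pkg_dir.name),
        "path": str(pkg_dir),
        # npm falls back to `node-gyp rebuild` when install/preinstall are unset
        "implicit_node_gyp": not {"install", "preinstall"} & scripts.keys(),
        "install_hooks": {h: scripts[h] for h in INSTALL_HOOKS if h in scripts},
        "gyp_commands": [c.strip() for c in GYP_COMMAND.findall(gyp_text)],
    }

def audit_tree(root):
    """Audit every installed package under root that has a root-level binding.gyp."""
    return [audit_package(g.parent) for g in sorted(Path(root).rglob("binding.gyp"))
            if "node_modules" in g.parts and (g.parent / "package.json").is_file()]

def build_sample(root):
    """Constructed sample: a hypothetical package with no scripts but a binding.gyp."""
    pkg = Path(root) / "node_modules" / "@example" / "native-addon"
    pkg.mkdir(parents=True)
    (pkg / "package.json").write_text('{"name": "@example/native-addon"}')
    (pkg / "binding.gyp").write_text('{"targets": [{"sources": ["<!(node scripts/configure.js)"]}]}')
    return pkg

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) < 2:
            build_sample(tmp)  # no path given: audit the constructed sample tree
        print(json.dumps(audit_tree(sys.argv[1] if len(sys.argv) > 1 else tmp), indent=2))
```

Pass a project directory as the first argument to audit a real tree. Legitimate native addons also appear in the output, so treat each finding as a review item, with priority on packages that have no native sources or that gained a binding.gyp in a recent version.
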
| Trend | Post Mentions | Total Month Mentions | Posts | Companies | MoM |
|---|---|---|---|---|---|
| AI Coding Assistant | 13 | 1,586 | 431 | 148 | -12% |
| Secrets Management | 9 | 2,063 | 322 | 117 | -4% |
| Serverless | 3 | 1,011 | 235 | 82 | -44% |
| Kubernetes | 2 | 1,993 | 294 | 100 | +1% |
| Data Pipeline | 1 | 441 | 203 | 86 | -29% |
| MCP | 1 | 6,026 | 689 | 188 | -15% |