{"id":282399,"date":"2026-06-26T07:05:00","date_gmt":"2026-06-26T11:05:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/26\/miasma-malware-targets-npm-packages-and-github-actions-in-supply-chain-attack\/"},"modified":"2026-06-26T08:50:37","modified_gmt":"2026-06-26T12:50:37","slug":"miasma-malware-targets-npm-packages-and-github-actions-in-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/26\/miasma-malware-targets-npm-packages-and-github-actions-in-supply-chain-attack\/","title":{"rendered":"Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/miasma-malware-targets-npm-packages-and.html\">Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/miasma-malware-targets-npm-packages-and.html\">https:\/\/thehackernews.com\/2026\/06\/miasma-malware-targets-npm-packages-and.html<\/a><\/p>\n<p>Publish Date: 2026-06-26 07:05:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/thehackernews.com\/\">thehackernews.com<\/a><\/p>\n<p>Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem.<\/p>\n<p>&#8220;The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project,&#8221; Socket said.<\/p>\n<p>The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows.<\/p>\n<p>The list of affected packages is below 
&#8211;<\/p>\n<ul>\n<li>hexo-deployer-wrangler@1.0.4<\/li>\n<li>hexo-shoka-swiper@0.1.10<\/li>\n<li>leo-auth@4.0.6<\/li>\n<li>leo-aws@2.0.4<\/li>\n<li>leo-cache@1.0.2<\/li>\n<li>leo-cdk-lib@0.0.2<\/li>\n<li>leo-cli@3.0.3<\/li>\n<li>leo-config@1.1.1<\/li>\n<li>leo-connector-elasticsearch@2.0.6<\/li>\n<li>leo-connector-mongo@3.0.8<\/li>\n<li>leo-connector-mysql@3.0.3<\/li>\n<li>leo-connector-oracle@2.0.1<\/li>\n<li>leo-connector-redshift@3.0.6<\/li>\n<li>leo-cron@2.0.2<\/li>\n<li>leo-logger@1.0.8<\/li>\n<li>leo-sdk@6.0.19<\/li>\n<li>leo-streams@2.0.1<\/li>\n<li>prism-silq@1.0.1<\/li>\n<li>rstreams-metrics@2.0.2<\/li>\n<li>rstreams-shard-util@1.0.1<\/li>\n<li>serverless-convention@2.0.4<\/li>\n<li>serverless-leo@3.0.14<\/li>\n<li>solo-nav@1.0.1<\/li>\n<li>github.com\/verana-labs\/verana-blockchain@v0.10.1-dev.20 (Go)<\/li>\n<\/ul>\n<p>It&#8217;s suspected that an npm developer account associated with the LeoPlatform (&#8220;czirker&#8221;) was breached, likely via leaked credentials, to enable the attack, allowing the threat actors to leverage an npm token belonging to the maintainer to push trojanized versions within a six-second window.<\/p>\n<p>The new wave leverages many of the tactics observed in prior campaigns, including npm registry poisoning, binding.gyp install-time execution, Bun-staged JavaScript malware, GitHub dead-drop infrastructure, GitHub Actions secret theft, IDE and AI coding assistant persistence, and encrypted credential exfiltration.<\/p>\n<p><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"602\" data-original-width=\"1462\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiNRDAAjjSxDlvfsoFDhsD1KWp8OjZNAzHwPhuQEp0ns-_YWkv60lhlUq9Sc4qc7tzkO05ZCjem9J9PPo5rCvpdv-L8tmkJjOKzk1Zo8n4hhHaZO8ntOHwqG2euKrZiLmMlE9hsylXm3V_eWvYubBXOXsgnJTMmObJ39xzVJGdgfOn-PMFccDDdcir7u48r\/s1600\/flow.png\"\/><\/p>\n<p>The malicious npm packages, while lacking a lifecycle hook typically&#8230;<\/p>\n<p><a 
href=\"https:\/\/thehackernews.com\/2026\/06\/miasma-malware-targets-npm-packages-and.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack https:\/\/thehackernews.com\/2026\/06\/miasma-malware-targets-npm-packages-and.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":282402,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhatZ2Vkvxd086INLXiuhbRJrli5Ao9hoNajbVq-Xr0HVAS70cCzhRBfM78KEusnBPI1sXyAK5tYrKt55U5mTIXCQDAmBzY2e860qtXo4YAlvAnVWHDV3DddKUML1q1g71h97Ke1i-714gv5SaVW9lmaFNtRda5XP1kc20urtc-HzlX5JXwkQv0g_-1VwC3\/s1600\/Miasma.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,32],"class_list":["post-282399","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282399"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=282399"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282399\/revisions"}],"predecessor-version":[{"id":282404,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282399\/revisions\/282404"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/282402"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php
\/wp-json\/wp\/v2\/media?parent=282399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=282399"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=282399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}