Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages
The Miasma Mini Shai-Hulud supply chain campaign has expanded to compromise 22 npm package versions under the @immobiliarelabs scope, targeting Backstage plugins for GitLab integration and LDAP authentication. The malicious packages use a binding.gyp 'Phantom Gyp' trick to execute hidden root-level index.js payloads without preinstall/postinstall hooks, followed by AES-128-GCM decryption and multi-stage delivery under the Bun runtime. The final payload exfiltrates developer and CI/CD secrets via the GitHub API to attacker-controlled repositories, and the campaign likely propagated through a compromised codfish/semantic-release-action GitHub Action that enabled access to release automation credentials.
- sha2560574f0bee78294a5f3495144ea6e05848c5fe8dcda11414e35c65aea46ce953bMalicious index.js hash in @immobiliarelabs/[email protected]
- sha2560ccd7c44a6352f295f65ffea21c2472566f9e73c4dd1028fe0b9971314b18de6Malicious index.js hash in @immobiliarelabs/[email protected]
- sha25614253cd5b8acccbbacb5cd3bb0a099fb6b0aafe4d06d032e4070b3fb814677ddMalicious index.js hash in @immobiliarelabs/[email protected]
- sha2561623787aa0de7310a4585101212b41ae02d02801ebda5812395932392400c756Malicious index.js hash in @immobiliarelabs/[email protected]
- sha2561e7b04a9a4a25eb7928821a5519b0a40f7afe0f6042a6860c918b62d369096edMalicious index.js hash in @immobiliarelabs/[email protected]
- sha25624c578c2573bf7a04f69c4762a36a87fd32746e9db4df16b2ad92f31fbdd0d50Tarball hash of @immobiliarelabs/[email protected]
- sha2562f6cbe3a79148bc247131c36cd12689c97166a9d141dd9d9466270b4c04c3e3eTarball hash of @immobiliarelabs/[email protected]
- sha2562ffed3b58bc267c438c759cd03b3e890904f25bacd015608f888c302741cad29Malicious index.js hash in @immobiliarelabs/[email protected]
- sha256333f2e3753063447819a3c86cfc475fe4bd3f0a76c05262a61c3d18b50438bb5Tarball hash of @immobiliarelabs/[email protected]
- sha2563667e7080c083563f6d05118d8b08f535b391fe2a5c0f98d5bd31f96257620f7Tarball hash of @immobiliarelabs/[email protected]
- sha2563809fd3a3a912abccaa7aa201880a2cfd194ae7f9dbdc747872cd045bcb3def5Tarball hash of @immobiliarelabs/[email protected]
- sha2563b24b47a66b17d39fbdb7deccc329342b18cec6feb967adbaf80e81a70ecc609Malicious index.js hash in @immobiliarelabs/[email protected]
- sha256441d834d8a97b3d76bd7a9ac73174a18c1add1bf80b21319c0cb2d5737782e83Tarball hash of @immobiliarelabs/[email protected]
- sha25654086c0f23710ff45cb6bde498083d0a0098112aab9b0ef48e6e869a280f1b42Tarball hash of @immobiliarelabs/[email protected]
- sha25660099babe48a48831262b40d4c5c1dd623726060da10c1e2f74f191c9c4cd81dMalicious index.js hash in @immobiliarelabs/[email protected]
- sha25663667208bcd2d307b307e6df43bf8960ccb7058333d00ba064ed53f180ec32eaMalicious index.js hash in @immobiliarelabs/[email protected]
- sha256720571b83600cd61080a7779e7f44327e4df4974d4a01475439d2e59e11ab29fTarball hash of @immobiliarelabs/[email protected]
- sha2567a879ed69a8191df5c68535f6ac41b830577b698de943c66ff40e51482d90d79Tarball hash of @immobiliarelabs/[email protected]
- sha2567bc28ba4d33d010785a5289211ad6a0d968ec0abd56201d90d74921ad83d925dTarball hash of @immobiliarelabs/[email protected]
- sha2567cd21d65d5a085d82d07275df9a66c6dfac4e13e43ea9ef44e84a3dd14ea1b3fMalicious index.js hash in @immobiliarelabs/[email protected]
- sha2568284d9bd16c9141d331d3b724f9d57ae2cae265bf326055e18d5cde4bb5985b7Tarball hash of @immobiliarelabs/[email protected]
- sha256869ffe5400477ce69bbfd5f51ddd0c40eacad9a83005956fb14787a5e1e98330Tarball hash of @immobiliarelabs/[email protected]
- sha2568746d49834ad938eebeaffd380b6302c94ab0b3258268c1a8c7e57ee7d5c11e1SHA-256 hash of malicious root-level index.js in @immobiliarelabs/[email protected]; Caesar-shift loader with AES-128-GCM decryption for multi-stage payload delivery
- sha25689c218ca407c2d92359b53a9e3b7b973a761dcf323d2fa1cc2dc12c13f27afafTarball hash of @immobiliarelabs/[email protected]
- sha2568a71e7d9b6b1b6d3e7bee490e98b34595ceea207160fc7ed35e47f82160febbeMalicious index.js hash in @immobiliarelabs/[email protected]
- sha2568df5d46d91589e6a3ec8d87d6eea6c71fac103f9e10dff9b88c309c1e9129b07Malicious index.js hash in @immobiliarelabs/[email protected]
- sha2568e83e3ece1a2a764a7c6fd78dd39cfb32cb38d22b7b3d92709cb5b87fa916403Malicious index.js hash in @immobiliarelabs/[email protected]
- sha25699eb789284fa62e3f956e81294247ae82f596ebf481c069ae45019ac4e879927Malicious index.js hash in @immobiliarelabs/[email protected]
- sha2569d8ea3cefb942081a1409e842ddc541ccd65fb3e66a4f8dfe562ca8548dd09d9Malicious index.js hash in @immobiliarelabs/[email protected]
- sha2569df6bda43678708605dfaad35f02be8027e85e6aa38193704cf192f842f0d186Tarball hash of @immobiliarelabs/[email protected]
- sha256a09909e8981e17712ef38b363f94553e2f86b6c2abd6c87eada94d3d3aab937eSHA-256 hash of @immobiliarelabs/[email protected] tarball; malicious npm package artifact
- sha256a16810f972f577f129f95f147e64aa4c70977035285d357a53958496c0531223Tarball hash of @immobiliarelabs/[email protected]
- sha256b38a73c365e5761fe0e7f25a391db3a264b1f2b4878a1c8cc127ba83d64e614cTarball hash of @immobiliarelabs/[email protected]
- sha256b4f90f5515df39cf346bf436e284f2dae28c9341c035765d83d82a76c86922b7Tarball hash of @immobiliarelabs/[email protected]
- sha256b82f5f6f1d969ba8f32937a3d81306c631defa943b7cc7529e45a0003340ece5Malicious index.js hash in @immobiliarelabs/[email protected]
- sha256ca89ece660251554b66f1e5e9874410d206e0f080da3039e1221f1c71d817395Malicious index.js hash in @immobiliarelabs/[email protected]
- sha256cc00c23768bee76e2f297c1766a013a681efb519888545352cff96fc5cead035Tarball hash of @immobiliarelabs/[email protected]
- sha256cf46348e7a4beacc0b9600c9ece3bee140f344641e90d99c741bc54507423443Malicious index.js hash in @immobiliarelabs/[email protected]
- sha256cf5d79494d8b1fdcb5480507eee8beeb2fcd69bcd9afcdc7dc1bcdda7461913eMalicious index.js hash in @immobiliarelabs/[email protected]
- sha256d1db13a14db489531e11ccf700d7fd8701f61ad297ce02477e11acf194d3fed0Tarball hash of @immobiliarelabs/[email protected]
- sha256d2aa3f9057c6f3295766aabed0a71a369353d6eb665049a45fd407fd55020fdbMalicious index.js hash in @immobiliarelabs/[email protected]
- sha256dfcdec5f43cc8d127084a2ac4d66499f13bae7f49167e3291a6f1a70738772d1Tarball hash of @immobiliarelabs/[email protected]
- sha256ef01e18ccf618a8992ad0aa4eb7d804bbacf9f092d43d39237f283a9a289c9b9Tarball hash of @immobiliarelabs/[email protected]
- sha256ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90SHA-256 hash of binding.gyp file, byte-identical across all 22 compromised packages; triggers 'Phantom Gyp' node-gyp execution of malicious index.js without preinstall/postinstall hooks
- sha256ef89e81be6b9d81b9d4bc41dae5f10a7a68f33b17fd76affcf7dca2f5d50a843Malicious index.js hash in @immobiliarelabs/[email protected]
- urlhxxps://github[.]com/services-admin-pearhealthlabs/acheronian-styx-62602Attacker-controlled GitHub exfiltration repository with randomized name, part of automated repository creation for Miasma dead-drop staging
- urlhxxps://github[.]com/services-admin-pearhealthlabs/nekyian-eidolon-75602Attacker-controlled GitHub exfiltration repository with randomized name, created during ImmobiliareLabs compromise window
- urlhxxps://github[.]com/services-admin-pearhealthlabs/sepulchral-wraith-8602Attacker-controlled GitHub repository used for exfiltration staging during the ImmobiliareLabs compromise; part of hundreds of repos with randomized names created by services-admin-pearhealthlabs account
- urlhxxps://github[.]com/services-admin-pearhealthlabs/tenebrous-cerberus-60779Attacker-controlled GitHub repository used for exfiltration staging; created with randomized naming pattern consistent with automated Miasma dead-drop infrastructure
- urlhxxps://socket[.]dev/supply-chain-attacks/miasma-mini-shai-hulud-supply-chain-attackSocket's dedicated campaign tracker page with all affected artifacts being tracked across the Miasma Mini Shai-Hulud campaign
Detection / Hunteropenrouter
What Happened
Attackers compromised legitimate open-source software packages used by developers building internal tools, specifically plugins for a popular developer portal called Backstage. The compromised packages were published under the ImmobiliareLabs organization and affect tools that integrate with GitLab and LDAP authentication systems. When developers installed these packages, hidden malicious code executed automatically and stole sensitive credentials like API keys, cloud service tokens, and SSH keys from their machines and build systems. The stolen credentials were then sent to attacker-controlled GitHub repositories. The attackers likely gained access by first compromising a separate GitHub automation tool called semantic-release-action, which gave them the ability to publish malicious package versions. Organizations that installed any of the affected package versions should treat their systems as compromised, remove the packages, and rotate all credentials that may have been exposed.
Key Takeaways
- Malicious npm packages published under the @immobiliarelabs scope on June 26, 2026, affecting 22 versions across 4 Backstage plugin families (GitLab, GitLab-backend, LDAP-auth, LDAP-auth-backend).
- Attack uses a 'Phantom Gyp' binding.gyp trick to trigger node index.js execution without preinstall/postinstall hooks, evading shallow package review.
- Multi-stage payload steals developer and CI/CD secrets including .env files, npm/GitHub/Slack/AWS/Azure/GCP/Vault tokens, SSH keys, Docker credentials, and Kubernetes configs.
- Possible upstream compromise vector via codfish/semantic-release-action GitHub Action, which was compromised on June 24, 2026, potentially enabling attacker access to release automation and npm publishing credentials.
- Campaign abuses GitHub Actions deployment triggers and exfiltrates stolen data via GitHub API to attacker-controlled repositories under the services-admin-pearhealthlabs organization.
Affected Systems
- npm/Node.js environments installing @immobiliarelabs Backstage plugins
- Backstage developer portals with GitLab or LDAP authentication integrations
- GitHub Actions CI/CD runners using semantic-release automation
- Developer workstations and build containers with npm installed
Attack Chain
The attack likely begins with compromise of the codfish/semantic-release-action GitHub Action on June 24, 2026, where attackers force-pushed malicious commits and repointed mutable version tags, enabling execution of attacker-controlled code in downstream CI/CD runners that used the action by tag reference. This provided a plausible path to compromise the simonecorsi account and release automation for ImmobiliareLabs repositories, allowing the attacker to publish 22 malicious npm package versions on June 26, 2026. When installed, the packages use a binding.gyp 'Phantom Gyp' trick to execute a root-level index.js loader via node-gyp without preinstall/postinstall hooks, which performs Caesar-shift decoding and AES-128-GCM decryption to deliver a second-stage script. The third stage downloads and executes under Bun v1.3.13, stealing developer and CI/CD secrets (.env files, npm/GitHub/Slack/AWS/Azure/GCP/Vault tokens, SSH keys, Docker credentials, Kubernetes configs), injecting malicious GitHub Actions workflows for propagation, planting persistence hooks in AI coding assistant plugins and IDE extensions, and exfiltrating stolen data via the GitHub API to attacker-controlled repositories under the services-admin-pearhealthlabs organization.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules or queries. It provides SHA-256 file hashes, npm package names with versions, campaign marker strings, and behavioral indicators that could be used to build custom detections.
Detection Engineering Assessment
EDR Visibility: Medium — EDR can detect node-gyp spawning node processes, unexpected Bun runtime downloads and execution, and credential file access patterns. However, npm install activity may occur in build containers or CI runners without EDR coverage, and the malicious execution path is designed to look like normal Node.js build activity. Network Visibility: Medium — Network monitoring can detect Bun runtime downloads, GitHub API exfiltration traffic to attacker-controlled repositories, and unexpected outbound connections from build environments. However, exfiltration via GitHub API may blend with legitimate CI/CD GitHub traffic. Detection Difficulty: Hard — The attack is designed to evade shallow package review by hiding execution outside declared entrypoints, using binding.gyp instead of preinstall/postinstall hooks, and exfiltrating via legitimate GitHub API traffic. Detection requires deep visibility into npm package contents, build-time process behavior, and GitHub Actions workflow execution patterns. The deployment-triggered workflow abuse path is particularly difficult to detect without specific GitHub audit log monitoring.
Required Log Sources
- npm install logs and package-lock.json changes
- Process execution logs (Sysmon Event ID 1 / EDR process telemetry)
- File creation logs for binding.gyp, index.js, _index.js in npm cache directories
- GitHub Actions workflow run logs and audit logs
- GitHub deployment event logs
- DNS resolution logs for Bun download domains
- GitHub API access logs for exfiltration detection
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for npm packages containing binding.gyp files in packages that should not require native builds, as this is a key indicator of the Phantom Gyp execution trick used by the Miasma campaign. | npm package tarball contents, file system monitoring in node_modules directories, package installation logs | Initial Access / Execution | Medium — legitimate packages with native addons will contain binding.gyp files; focus on packages that historically did not have native builds or where binding.gyp appears suddenly in new versions. |
| Consider hunting for root-level index.js files in npm packages that also have a dist/index.cjs.js entrypoint, as the malicious loader is added at the package root separate from the legitimate compiled output. | npm package tarball analysis, file system monitoring in node_modules directories | Execution | Low to Medium — most well-structured packages do not have both a root-level index.js and a dist entrypoint; verify against known-good package structure. |
| Consider hunting for unexpected Bun runtime download or execution activity in CI/CD environments and developer workstations, particularly during or immediately after npm install operations. | Process execution logs, network proxy logs, DNS resolution logs, EDR telemetry | Defense Evasion / Payload Delivery | Low — Bun is not a standard runtime in most Node.js build environments; any Bun download during npm install should be treated as suspicious unless explicitly expected. |
| Consider hunting for GitHub Actions workflows triggered by the 'deployment' event, especially those with names resembling routine automation (e.g., 'Dependabot Updates') but configured with release.yml and deployment triggers, as this is a known abuse primitive for the Miasma campaign. | GitHub Actions workflow run logs, GitHub audit logs, repository webhook events | Persistence / Lateral Movement | Medium — some legitimate deployment workflows use the deployment trigger; focus on workflows with unexpected names, recent trigger changes, or those with access to publishing credentials. |
| Consider hunting for the campaign marker strings 'thebeautifulsnadsoftime', 'RevokeAndItGoesKaboom', and 'Alright Lets See If This Works' in file contents, process memory, and network traffic across developer environments and CI/CD systems. | File content scanning, EDR memory scanning, network DLP, SIEM full-text search | Discovery / Hunting | Very Low — these are distinctive strings with unusual spellings that are unlikely to appear in legitimate code or configurations. |
Control Gaps
- Traditional AV and endpoint security tools may not inspect npm package contents or detect binding.gyp-triggered execution as malicious
- GitHub Actions deployment-triggered workflow execution may bypass review controls designed for push/PR-triggered workflow changes
- Mutable GitHub Action version tags allow supply chain compromise via tag repointing without downstream users detecting the change
- CI/CD environments with broad token permissions (npm publishing, GitHub tokens, cloud OIDC) provide excessive access to compromised workflows
- Network-based exfiltration detection may miss data sent via legitimate GitHub API endpoints, blending with normal CI/CD traffic
Key Behavioral Indicators
- node-gyp process spawning node.exe to execute index.js during npm install — unusual for packages that do not require native builds
- Presence of binding.gyp file in npm packages for Backstage plugins or other pure-JavaScript packages
- Root-level index.js file in npm packages that also declare a dist/ entrypoint in package.json
- Unexpected Bun runtime download or execution following npm install operations
- GitHub Actions workflows with 'on: deployment' trigger, especially those named like routine automation (e.g., 'Dependabot Updates')
- Sudden creation of multiple GitHub repositories with randomized names under a single organization
- Process ancestry showing node-gyp → node → bun execution chain in build environments
- File access patterns indicating bulk credential reading (.env, .ssh/, .aws/, .kube/, .docker/) during or after npm install
False Positive Assessment
- Low — the campaign markers (thebeautifulsnadsoftime, RevokeAndItGoesKaboom) have very distinctive spellings unlikely to appear in legitimate code. The binding.gyp file in pure-JavaScript packages is a strong indicator. However, hunting for Bun execution or GitHub deployment triggers may produce medium false positives in environments that legitimately use these tools.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Identify all developer machines, CI runners, build containers, and Backstage environments that installed or built any affected @immobiliarelabs package versions between June 26, 2026 and present.
- Consider removing affected package versions and restoring from known-good versions with verified lockfiles, ensuring the clean versions do not contain root-level index.js or binding.gyp files.
- If any affected versions were installed, consider rotating all credentials exposed to the installing environment: npm, GitHub, GitLab, cloud (AWS/Azure/GCP), Kubernetes, Docker, Vault, SSH, Slack, Twilio, and CI/CD secrets — from a clean machine, not the potentially infected host.
- Consider reviewing GitHub Actions runs around June 26, 2026, especially deployment-triggered workflows, unexpected release workflows, and workflows named like routine automation in repositories using @immobiliarelabs packages or codfish/semantic-release-action.
Infrastructure Hardening
- Consider pinning all GitHub Actions to immutable full-length commit SHAs rather than mutable version tags, especially for actions handling release automation or publishing credentials.
- Evaluate whether the GitHub Actions 'deployment' trigger can be restricted or disabled in your repositories; if required, ensure it is tightly scoped with environment rules, branch restrictions, and actor/event allow lists.
- Consider auditing npm publishing workflows for broad tokens, mutable secrets, and excessive GitHub Actions permissions; restrict to protected branches and minimize OIDC, contents, actions, and package permissions.
- If supported by your tooling, consider implementing automated npm package content scanning that inspects for unexpected files (binding.gyp, root-level index.js) and compares against known-good package structure.
- Consider revoking or rotating long-lived maintainer tokens used by release automation, including GitHub personal access tokens and npm publishing credentials.
User Protection
- Consider deploying endpoint monitoring on developer workstations that alerts on unexpected Bun runtime downloads or execution following npm install operations.
- If applicable, evaluate whether developer machines should have restricted access to sensitive credential stores (.env files, .ssh/, .aws/, .kube/) during build and package installation activities.
- Consider implementing package allowlisting or proxying for npm installs in developer environments to block known-malicious package versions.
Security Awareness
- Consider incorporating supply chain attack awareness into existing developer training programs, emphasizing that npm packages may contain hidden execution paths outside declared entrypoints.
- If your organization uses Backstage or similar developer portals, consider educating developers about the elevated risk of credential exposure in these environments due to their access to source-control tokens and authentication configuration.
- Consider rolling guidance into existing awareness programs about the risks of using mutable version tags for GitHub Actions and the importance of pinning to commit SHAs.
MITRE ATT&CK Mapping
- T1195.002 - Compromise Software Supply Chain
- T1195.001 - Compromise Software Dependencies and Development Tools
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1552.001 - Unsecured Credentials: Credentials In Files
- T1552.004 - Unsecured Credentials: Private Keys
- T1552.007 - Unsecured Credentials: Container and Cloud Instance Metadata API
- T1552.008 - Unsecured Credentials: Chat Application Messages
- T1078.004 - Valid Accounts: Cloud Accounts
- T1546 - Event Triggered Execution
- T1567.001 - Exfiltration to Code Repository
- T1136.002 - Create Account: Email Account
- T1078 - Valid Accounts
Additional IOCs
- Urls:
hxxps://github[.]com/services-admin-pearhealthlabs/nekyian-eidolon-75602- Attacker-controlled GitHub exfiltration repository with randomized name, created during ImmobiliareLabs compromise windowhxxps://github[.]com/services-admin-pearhealthlabs/acheronian-styx-62602- Attacker-controlled GitHub exfiltration repository with randomized name, part of automated repository creation for Miasma dead-drop staginghxxps://socket[.]dev/supply-chain-attacks/miasma-mini-shai-hulud-supply-chain-attack- Socket's dedicated campaign tracker page with all affected artifacts being tracked across the Miasma Mini Shai-Hulud campaign
- File Hashes:
dfcdec5f43cc8d127084a2ac4d66499f13bae7f49167e3291a6f1a70738772d1(SHA256) - Tarball hash of @immobiliarelabs/[email protected]1e7b04a9a4a25eb7928821a5519b0a40f7afe0f6042a6860c918b62d369096ed(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]7a879ed69a8191df5c68535f6ac41b830577b698de943c66ff40e51482d90d79(SHA256) - Tarball hash of @immobiliarelabs/[email protected]14253cd5b8acccbbacb5cd3bb0a099fb6b0aafe4d06d032e4070b3fb814677dd(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]2f6cbe3a79148bc247131c36cd12689c97166a9d141dd9d9466270b4c04c3e3e(SHA256) - Tarball hash of @immobiliarelabs/[email protected]8a71e7d9b6b1b6d3e7bee490e98b34595ceea207160fc7ed35e47f82160febbe(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]9df6bda43678708605dfaad35f02be8027e85e6aa38193704cf192f842f0d186(SHA256) - Tarball hash of @immobiliarelabs/[email protected]2ffed3b58bc267c438c759cd03b3e890904f25bacd015608f888c302741cad29(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]720571b83600cd61080a7779e7f44327e4df4974d4a01475439d2e59e11ab29f(SHA256) - Tarball hash of @immobiliarelabs/[email protected]60099babe48a48831262b40d4c5c1dd623726060da10c1e2f74f191c9c4cd81d(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]54086c0f23710ff45cb6bde498083d0a0098112aab9b0ef48e6e869a280f1b42(SHA256) - Tarball hash of @immobiliarelabs/[email protected]3b24b47a66b17d39fbdb7deccc329342b18cec6feb967adbaf80e81a70ecc609(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]cc00c23768bee76e2f297c1766a013a681efb519888545352cff96fc5cead035(SHA256) - Tarball hash of @immobiliarelabs/[email protected]9d8ea3cefb942081a1409e842ddc541ccd65fb3e66a4f8dfe562ca8548dd09d9(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]333f2e3753063447819a3c86cfc475fe4bd3f0a76c05262a61c3d18b50438bb5(SHA256) - Tarball hash of @immobiliarelabs/[email protected]99eb789284fa62e3f956e81294247ae82f596ebf481c069ae45019ac4e879927(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]869ffe5400477ce69bbfd5f51ddd0c40eacad9a83005956fb14787a5e1e98330(SHA256) - Tarball hash of @immobiliarelabs/[email protected]7cd21d65d5a085d82d07275df9a66c6dfac4e13e43ea9ef44e84a3dd14ea1b3f(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]24c578c2573bf7a04f69c4762a36a87fd32746e9db4df16b2ad92f31fbdd0d50(SHA256) - Tarball hash of @immobiliarelabs/[email protected]ca89ece660251554b66f1e5e9874410d206e0f080da3039e1221f1c71d817395(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]89c218ca407c2d92359b53a9e3b7b973a761dcf323d2fa1cc2dc12c13f27afaf(SHA256) - Tarball hash of @immobiliarelabs/[email protected]ef89e81be6b9d81b9d4bc41dae5f10a7a68f33b17fd76affcf7dca2f5d50a843(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]d1db13a14db489531e11ccf700d7fd8701f61ad297ce02477e11acf194d3fed0(SHA256) - Tarball hash of @immobiliarelabs/[email protected]8df5d46d91589e6a3ec8d87d6eea6c71fac103f9e10dff9b88c309c1e9129b07(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]3667e7080c083563f6d05118d8b08f535b391fe2a5c0f98d5bd31f96257620f7(SHA256) - Tarball hash of @immobiliarelabs/[email protected]63667208bcd2d307b307e6df43bf8960ccb7058333d00ba064ed53f180ec32ea(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]3809fd3a3a912abccaa7aa201880a2cfd194ae7f9dbdc747872cd045bcb3def5(SHA256) - Tarball hash of @immobiliarelabs/[email protected]0ccd7c44a6352f295f65ffea21c2472566f9e73c4dd1028fe0b9971314b18de6(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]b38a73c365e5761fe0e7f25a391db3a264b1f2b4878a1c8cc127ba83d64e614c(SHA256) - Tarball hash of @immobiliarelabs/[email protected]0574f0bee78294a5f3495144ea6e05848c5fe8dcda11414e35c65aea46ce953b(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]441d834d8a97b3d76bd7a9ac73174a18c1add1bf80b21319c0cb2d5737782e83(SHA256) - Tarball hash of @immobiliarelabs/[email protected]cf46348e7a4beacc0b9600c9ece3bee140f344641e90d99c741bc54507423443(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]8284d9bd16c9141d331d3b724f9d57ae2cae265bf326055e18d5cde4bb5985b7(SHA256) - Tarball hash of @immobiliarelabs/[email protected]d2aa3f9057c6f3295766aabed0a71a369353d6eb665049a45fd407fd55020fdb(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]7bc28ba4d33d010785a5289211ad6a0d968ec0abd56201d90d74921ad83d925d(SHA256) - Tarball hash of @immobiliarelabs/[email protected]8e83e3ece1a2a764a7c6fd78dd39cfb32cb38d22b7b3d92709cb5b87fa916403(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]ef01e18ccf618a8992ad0aa4eb7d804bbacf9f092d43d39237f283a9a289c9b9(SHA256) - Tarball hash of @immobiliarelabs/[email protected]b82f5f6f1d969ba8f32937a3d81306c631defa943b7cc7529e45a0003340ece5(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]b4f90f5515df39cf346bf436e284f2dae28c9341c035765d83d82a76c86922b7(SHA256) - Tarball hash of @immobiliarelabs/[email protected]1623787aa0de7310a4585101212b41ae02d02801ebda5812395932392400c756(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]a16810f972f577f129f95f147e64aa4c70977035285d357a53958496c0531223(SHA256) - Tarball hash of @immobiliarelabs/[email protected]cf5d79494d8b1fdcb5480507eee8beeb2fcd69bcd9afcdc7dc1bcdda7461913e(SHA256) - Malicious index.js hash in @immobiliarelabs/[email protected]
- File Paths:
index.js- Root-level malicious index.js added to package tarballs; contains Caesar-shift loader and AES-128-GCM decryption for multi-stage payload — distinct from legitimate dist/index.cjs.js entrypointbinding.gyp- Phantom Gyp trigger file added to packages that should not require native builds; causes node-gyp to execute 'node index.js' without preinstall/postinstall hooks_index.js- Alternative obfuscated payload filename used in Miasma campaign; large obfuscated JavaScript payload to hunt for in npm packages.github/setup.js- Injected malicious script in GitHub Actions workflow directories; part of campaign's CI/CD abuse pattern.gemini/settings.json- AI coding assistant configuration file planted by payload for persistence in developer environments.claude- Claude AI coding assistant hooks directory planted by payload for persistence in developer IDE environments.vscode- VS Code tasks directory modified by payload for persistence in developer IDE environments
- Command Lines:
- Purpose: Initial payload execution via Phantom Gyp binding.gyp trick — node-gyp command expansion invokes node on the malicious root-level index.js without relying on preinstall or postinstall hooks | Tools:
node-gyp,node| Stage: Initial execution |node index.js - Purpose: Third-stage payload execution under Bun runtime — downloads Bun v1.3.13 if absent and executes final malware that steals credentials and exfiltrates via GitHub API | Tools:
bun| Stage: Payload delivery and credential theft
- Purpose: Initial payload execution via Phantom Gyp binding.gyp trick — node-gyp command expansion invokes node on the malicious root-level index.js without relying on preinstall or postinstall hooks | Tools:
- Other:
@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaign@immobiliarelabs/[email protected]- Malicious npm package version in Miasma campaigncodfish/semantic-release-action- Compromised third-party GitHub Action used for semantic-release automation; compromised on June 24, 2026 — attacker force-pushed malicious commits and repointed mutable version tags, potentially enabling downstream release automation compromiseservices-admin-pearhealthlabs- Attacker-controlled GitHub organization used for exfiltration repository creation; hundreds of public repos with randomized names created during ImmobiliareLabs compromise windowsimonecorsi- GitHub account associated with deployment-triggered 'Dependabot Updates' workflow run on June 26, 2026 at 15:00 UTC in immobiliare/backstage-plugin-gitlab repository; possibly compromised via codfish/semantic-release-actionRevokeAndItGoesKaboom- Campaign marker string used across Miasma waves; useful for clustering and huntingAlright Lets See If This Works- Campaign marker string used across Miasma waves; useful for clustering and hunting