Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem
A new wave of the Mini Shai-Hulud/Miasma/Hades supply chain attack campaign has compromised 23 npm packages across the LeoPlatform and RStreams ecosystems, plus the Verana Blockchain Go module. The attack uses binding.gyp install-time execution (Phantom Gyp pattern) to trigger multi-stage obfuscated JavaScript loaders that decrypt AES-GCM payloads, stage execution through Bun to evade Node.js security hooks, and steal developer/CI/CD credentials including npm, GitHub, cloud, and AI-agent tokens. The campaign also poisons GitHub Actions workflows and plants persistence hooks in AI coding assistant configurations, creating delayed execution surfaces that survive package remediation.
- sha256026588d39b7c650b5c0dfbba6c6fcc0e7ec8e3b72ba8639012e7f71c708f2c3b[email protected] — replaced index.js obfuscated loader
- sha25615b415ae41df72acf1f7e9e67569531d41dee62d089d34b4c0fab0c7fe5cc14fSHA-256 of .claude/index.js from Verana Go module; high-confidence decode-and-eval JavaScript loader
- sha2561a0e1daeaea87cab5610a3cc2aa72e7c6f1abfe55959a156368bcfa6585fa6ceDecoded first-stage JavaScript from Verana Go module; ROT-decoded loader prior to AES-GCM decryption
- sha2561a3b9ed0b377f56f49b9a703612cf45e86ab7d100587e1e7a476d809fe337a8cSHA-256 of replaced index.js in [email protected]; large one-line obfuscated JavaScript loader using ROT/AES-GCM/Bun staging
- sha25632d1bc728d8e504952083a6adc488c309a401c7df4dc8f47b382ce32e4aebe21SHA-256 of binding.gyp file shared across confirmed LeoPlatform/RStreams malicious npm package set; triggers node-gyp install-time execution
- sha2563da2ca129c9920d9acd2e3477aee8f46b5a5f0e9537ad6e7b6ab1df1007adad1[email protected] — malicious npm tarball
- sha2564a0aa78757958683155a7b9289427fb829abcad1bf5ee6399eb73e8409b0bc11[email protected] — malicious package.json with bun dependency added
- sha25657ba86f6f0caaa580c1dccdf4ed7873d1470e5ea2f8e9ca7a989dc04899f13c0[email protected] — replaced index.js obfuscated loader
- sha2566a861a479f45fe53f067091414332248bc027ffc396116811d12e57a6ff71250.claude/settings.json from Verana Go module; AI-agent persistence hook configuration
- sha2566cb3fc3650355973b8a1ed86619a3f412fb0700f29c1c3a736cada4c2c76a9f7Bun launcher scripts .claude/setup.mjs and .vscode/setup.mjs from Verana Go module
- sha256927387d0cfac1118df4b383decc2ea6ba49c9d2f98b47098bcbcba1efc026e1f.vscode/tasks.json from Verana Go module; VS Code folder-open task triggering node .claude/setup.mjs
- sha2569f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015Decrypted main Miasma payload from Verana Go module; final-stage malware responsible for credential theft, exfiltration, and propagation
- sha256a934a5bcf692b9d01e8129bf264be23809dfee464df471d75a9f3fa1bcede343[email protected] — malicious npm tarball
- sha256b3e217f4354e8a4383038b99b0bcaeaff191a79df58e7a1f2355a79aac2faf13SHA-256 of verana-blockchain-v0.10.1-dev.20.zip archive; Go source-repository containing Miasma payload staged through VS Code folder-open task
- sha256ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108Decrypted Bun bootstrap payload from Verana Go module; stage that installs/resolves Bun and launches main payload
- sha256df9ea0c71574e11c93141ad2f018a63a5375cd6d69ca2f744732ad7814170657[email protected] — replaced index.js obfuscated loader
- sha256f565988f281bf77bcad26ea7f543617e53da4b62f5df63d4f7a89bae1729cf81[email protected] — malicious npm tarball
- sha256f7c47be306351ffacd46584d2067f7be676dbfe17cd89ab4880632decfe18f3d[email protected] — malicious npm tarball
Detection / Hunteropenrouter
What Happened
Attackers compromised legitimate software packages in the npm registry (a popular code-sharing platform for JavaScript developers) and a Go programming module, inserting hidden malware that activates when developers install or open these packages. The malware is designed to steal sensitive credentials like cloud service passwords, code repository tokens, and authentication keys from developer machines and automated build systems. It also plants hidden triggers in AI coding tools (like Claude, VS Code, and Cursor) so the malware can re-activate later even after the original packages are removed. The attack is notable for using the Bun runtime (an alternative to Node.js) to evade security tools that primarily monitor Node.js activity. Organizations using any of the affected packages should treat their systems as compromised, remove the malicious versions, rotate all exposed credentials, and audit their code repositories for injected files or workflow changes.
Key Takeaways
- Malicious npm packages published across LeoPlatform/RStreams ecosystems on June 24, 2026 using 'Phantom Gyp' binding.gyp install-time execution to trigger obfuscated JavaScript loaders without visible preinstall/postinstall scripts
- Multi-stage payload uses ROT decode + eval(), AES-GCM decryption, and Bun-staged execution to evade Node.js-focused security controls; malware actively checks for and may evade common EDR products including CrowdStrike, SentinelOne, Defender, Carbon Black
- Campaign expands beyond npm to Go ecosystem via Verana Blockchain module (github.com/verana-labs/[email protected]) with VS Code folder-open task triggering node .claude/setup.mjs
- Credential theft is comprehensive: .env files, npm/PyPI/GitHub/Slack/Twilio tokens, SSH keys, Docker/K8s/AWS/Azure/GCP/Vault credentials, shell history, CI secrets, and AI-agent configuration files
- AI coding assistant persistence (Claude, VS Code, Cursor, Gemini, Copilot) turns poisoned repositories into delayed execution surfaces that fire when developers open projects in IDEs
- Campaign marker RevokeAndItGoesKaboom links LeoPlatform compromise to codfish/semantic-release-action GitHub Actions compromise affecting 1,442 dependent repositories
Affected Systems
- npm/Node.js development environments
- GitHub Actions CI/CD runners
- Go development environments (Verana Blockchain)
- Developer workstations with VS Code, Claude, Cursor, Gemini, or Copilot
- macOS systems (LaunchAgent persistence target)
- Linux systems (systemd persistence target)
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Attacker compromises npm publisher credentials (czirker, llxlr) and publishes malicious versions of 23 LeoPlatform/RStreams packages on June 24, 2026
- Execution: binding.gyp file triggers node-gyp during npm install, using command expansion to execute replaced index.js loader without visible preinstall/postinstall scripts
- Defense Evasion: Multi-stage obfuscation — ROT-style letter shift with immediate eval(), AES-GCM payload decryption, JavaScript-obfuscator-style string hiding with lookup tables
- Payload Staging: Bun runtime is installed or resolved if absent; main Miasma payload executes under bun run to evade Node.js-focused security controls
- Credential Access: Payload collects .env files, npm/PyPI/GitHub/Slack/Twilio tokens, SSH keys, Docker/K8s/AWS/Azure/GCP/Vault credentials, shell history, CI secrets, and AI-agent configuration files
- Persistence: AI coding assistant hooks planted for Claude, VS Code, Cursor, Gemini, Copilot; GitHub Actions workflows poisoned with fake Dependabot-like names and 'Run Copilot' workflow that dumps secrets into artifacts
- Exfiltration: Stolen data compressed and encrypted with AES-256-GCM + RSA-OAEP, uploaded via GitHub API content-upload paths; stolen credentials used for propagation across package registries and repositories
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules but includes extensive SHA-256 file hashes, package names with versions, file path indicators, and campaign strings that can be used to build custom detections.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | The malware explicitly checks for CrowdStrike, SentinelOne, Defender, Carbon Black, Cylance, osquery, Tanium, Qualys and other EDR products. It stages execution through Bun rather than Node.js, which may bypass security hooks focused on node.exe process activity. However, process creation, file write, and registry modification events from EDR would still capture bun.exe spawning, file drops, and persistence mechanism installation. |
| Network Visibility | Medium | Exfiltration occurs via GitHub API (api.github.com) which blends with legitimate developer and CI/CD traffic. Bun download activity may be visible if Bun is not already installed. No dedicated C2 domains or IPs are described — all infrastructure abuse leverages legitimate GitHub services. |
| Detection Difficulty | Hard | The attack uses legitimate package manager infrastructure, legitimate GitHub API endpoints for exfiltration, multi-stage cryptographic obfuscation, Bun runtime to evade Node.js security controls, and AI-agent configuration files for delayed persistence. The binding.gyp execution pattern avoids visible preinstall/postinstall scripts. Campaign strings are embedded in obfuscated layers. Detection requires correlating package install events with subsequent process activity, file drops, and GitHub API behavior. |
Required Log Sources
- Process creation events (Sysmon EID 1 / EDR equivalent)
- File creation/modification events (Sysmon EID 11 / EDR equivalent)
- npm install logs and package-lock.json changes
- GitHub Actions workflow run logs
- GitHub audit logs for repository, workflow, and branch changes
- DNS resolution logs for Bun download domains
- HTTP proxy logs for api.github.com traffic
- VS Code / IDE extension and task execution logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for npm packages that newly introduce a binding.gyp file in versions where prior versions did not contain native build configuration, as this may indicate Phantom Gyp execution pattern abuse (T1195.002, T1059.007) | Package manifest diffs, npm registry metadata, CI/CD build logs showing node-gyp invocation | Initial Execution | Medium — legitimate packages may add native bindings in new versions, but sudden addition to pure JavaScript packages is suspicious |
| Consider hunting for bun.exe or bun process execution originating from npm install or node-gyp contexts, especially when Bun was not previously present on the host, as this may indicate Miasma payload staging (T1059.007) | Process creation events with parent-child relationship analysis, EDR process telemetry | Payload Staging | Low to Medium — Bun usage is growing but unexpected Bun installation triggered by npm install is anomalous |
| Consider hunting for GitHub Actions workflow runs that download Bun, create new repositories, or upload artifacts containing secret material, as these may indicate Miasma GitHub Actions abuse (T1525, T1071.001) | GitHub Actions workflow run logs, GitHub audit logs, artifact upload events | Exfiltration / Propagation | Medium — legitimate CI/CD workflows may create repositories or upload artifacts, but artifacts containing secret material are anomalous |
| Consider hunting for unexpected files in developer repositories at paths like .claude/setup.mjs, .claude/index.js, .vscode/tasks.json with folder-open tasks, .github/setup.js, or _index.js, as these may indicate Miasma AI-agent persistence hooks (T1547) | Repository file change monitoring, git commit diffs, IDE extension logs | Persistence | Low — these specific file paths and folder-open task configurations are uncommon in legitimate projects |
| Consider hunting for GitHub commit messages or repository content containing the strings RevokeAndItGoesKaboom, Alright Lets See If This Works, TheBeautifulSandsOfTime, thebeautifulmarchoftime, or thebeautifulsnadsoftime, as these are confirmed campaign markers (T1078) | GitHub commit search, repository content scanning, audit logs | Campaign Attribution | Low — these are specific campaign-unique strings unlikely to appear in legitimate development activity |
Control Gaps
- Node.js-focused security hooks and runtime controls may not observe Bun execution with sufficient depth
- binding.gyp install-time execution bypasses package.json preinstall/postinstall script monitoring
- GitHub API-based exfiltration blends with legitimate developer and CI/CD traffic on api.github.com
- AI coding assistant configuration files (.claude/, .vscode/, .cursor/, .gemini/) are rarely monitored by security tooling
- pull_request_target workflows with PR head checkout create privileged execution context for untrusted code
- Mutable GitHub Actions tags allow tag drift to attacker-controlled versions
- Package registry trusted publishing (OIDC) may grant excessive permissions if not scoped to specific workflows and branches
Key Behavioral Indicators
- node-gyp rebuild activity in npm packages that should be pure JavaScript (no native bindings)
- New bun dependency appearing in package.json of previously Bun-free packages
- Process ancestry: npm install -> node-gyp -> node index.js -> bun run (payload)
- Unexpected repository creation and content upload via GitHub API from CI/CD runner context
- GitHub Actions workflow named 'Run Copilot' that uploads artifacts potentially containing secrets
- Orphan snapshot-* branches pushed to repositories with fake dependency-update workflow names
- VS Code tasks.json with folder-open execution triggering node or bun commands
- Claude SessionStart hook pointing to .github/setup.js or similar payload file
- Sudden appearance of .claude/, .gemini/, .cursor/ configuration directories in repositories where they were not previously present
False Positive Assessment
- Low — The campaign uses specific package names with versions, unique SHA-256 hashes, distinctive campaign strings, and unusual file paths (.claude/setup.mjs, _index.js, binding.gyp in pure JS packages) that are unlikely to appear in legitimate development activity. The primary false positive risk comes from legitimate packages adding native bindings or developers intentionally using Bun, but the combination of indicators provides strong discrimination.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Identify every developer machine, CI runner, and build container that installed any affected package version and treat those environments as compromised until reviewed.
- Consider removing all affected npm package versions and rebuilding from a known-good lockfile that predates June 24, 2026.
- If any affected packages were installed, consider rotating npm, GitHub, PyPI, RubyGems, cloud (AWS/Azure/GCP), Vault, Kubernetes, Docker, SSH, Slack, Twilio, and CI/CD secrets — performing rotation from a clean machine, not from potentially infected hosts.
- Consider auditing repositories for injected workflows, AI-agent hooks, .github/setup.js, _index.js, orphan snapshot-* branches, suspicious Dependabot-like commits, and unexplained Bun usage.
- If your organization uses codfish/semantic-release-action, consider reviewing GitHub Actions runs for Bun downloads, unexpected repository creation, artifact uploads containing secret material, and GitHub API content-upload calls.
Infrastructure Hardening
- Consider pinning GitHub Actions to immutable full-length commit SHAs rather than mutable tags, and monitor for tag drift on critical actions.
- Evaluate whether pull_request_target workflows that check out pull request head code or run build/test commands on untrusted PR content can be replaced with pull_request triggers to eliminate 'pwn request' risk.
- Consider restricting npm trusted publishing and GitHub OIDC permissions to only the workflows and branches that require them.
- If supported by your tooling, consider implementing package allowlisting or proxying for npm installs in CI/CD environments to block known-malicious package versions.
- Evaluate whether GitHub API traffic from CI/CD runners can be monitored for anomalous repository creation and content upload patterns.
User Protection
- Consider deploying EDR coverage that monitors bun.exe process execution with the same depth as node.exe, including parent-child process correlation.
- If applicable, consider implementing file integrity monitoring on developer workstations for .claude/, .vscode/, .cursor/, and .gemini/ configuration directories.
- Evaluate whether IDE extensions and AI coding assistant tools can be configured to warn or block execution of tasks.json folder-open commands and SessionStart hooks from untrusted repositories.
- Consider providing developers with guidance on verifying repository contents before cloning or opening unfamiliar projects in IDEs.
Security Awareness
- Consider incorporating supply chain attack awareness into existing developer training programs, emphasizing that npm install can execute code through binding.gyp even without visible install scripts.
- If you have an existing awareness program, consider adding guidance on inspecting package changes (new dependencies, binding.gyp additions) before upgrading.
- Consider educating developers on the risk of AI coding assistant configuration files as persistence mechanisms and the importance of reviewing .claude/, .vscode/, .cursor/, and .gemini/ contents in cloned repositories.
- Where supported by your team structure, consider encouraging developers to report unexpected Bun installations, node-gyp activity in pure JavaScript packages, or unfamiliar IDE task configurations.
MITRE ATT&CK Mapping
- T1195.002 - Compromise Software Supply Chain
- T1059.007 - JavaScript
- T1027 - Obfuscated Files or Information
- T1552.001 - Credentials In Files
- T1552.004 - Private Keys
- T1036.005 - Match Legitimate Name or Location
- T1071.001 - Web Protocols
- T1547 - Boot or Logon Autostart Execution
- T1525 - Implant Internal Image
- T1078 - Valid Accounts
- T1513 - Credentials from Web Browsers
Additional IOCs
- File Hashes:
57ba86f6f0caaa580c1dccdf4ed7873d1470e5ea2f8e9ca7a989dc04899f13c0(SHA256) - [email protected] — replaced index.js obfuscated loader4a0aa78757958683155a7b9289427fb829abcad1bf5ee6399eb73e8409b0bc11(SHA256) - [email protected] — malicious package.json with bun dependency added026588d39b7c650b5c0dfbba6c6fcc0e7ec8e3b72ba8639012e7f71c708f2c3b(SHA256) - [email protected] — replaced index.js obfuscated loaderdf9ea0c71574e11c93141ad2f018a63a5375cd6d69ca2f744732ad7814170657(SHA256) - [email protected] — replaced index.js obfuscated loaderf565988f281bf77bcad26ea7f543617e53da4b62f5df63d4f7a89bae1729cf81(SHA256) - [email protected] — malicious npm tarballa934a5bcf692b9d01e8129bf264be23809dfee464df471d75a9f3fa1bcede343(SHA256) - [email protected] — malicious npm tarballf7c47be306351ffacd46584d2067f7be676dbfe17cd89ab4880632decfe18f3d(SHA256) - [email protected] — malicious npm tarball3da2ca129c9920d9acd2e3477aee8f46b5a5f0e9537ad6e7b6ab1df1007adad1(SHA256) - [email protected] — malicious npm tarball6cb3fc3650355973b8a1ed86619a3f412fb0700f29c1c3a736cada4c2c76a9f7(SHA256) - Bun launcher scripts .claude/setup.mjs and .vscode/setup.mjs from Verana Go module6a861a479f45fe53f067091414332248bc027ffc396116811d12e57a6ff71250(SHA256) - .claude/settings.json from Verana Go module; AI-agent persistence hook configuration927387d0cfac1118df4b383decc2ea6ba49c9d2f98b47098bcbcba1efc026e1f(SHA256) - .vscode/tasks.json from Verana Go module; VS Code folder-open task triggering node .claude/setup.mjs1a0e1daeaea87cab5610a3cc2aa72e7c6f1abfe55959a156368bcfa6585fa6ce(SHA256) - Decoded first-stage JavaScript from Verana Go module; ROT-decoded loader prior to AES-GCM decryptionceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108(SHA256) - Decrypted Bun bootstrap payload from Verana Go module; stage that installs/resolves Bun and launches main payload
- File Paths:
binding.gyp- Added to npm packages that previously did not require native build behavior; triggers node-gyp install-time execution via command expansion_index.js- Large obfuscated payload file planted in GitHub repositories during LeoPlatform repository-level poisoning.github/setup.js- Payload file referenced by Claude SessionStart hook in poisoned repositories; may be nonfunctional/leftover campaign template.claude/settings.json- AI-agent persistence hook configuration planted in poisoned repositories.claude/setup.mjs- Bun launcher script planted in Go source repository; executed by VS Code folder-open task.claude/index.js- Large obfuscated JavaScript loader planted in Go source repository; decode-and-eval Miasma payload.gemini/settings.json- AI-agent persistence hook configuration for Gemini coding assistant.cursor/rules/setup.mdc- AI-agent persistence hook for Cursor IDE.vscode/tasks.json- VS Code task configuration with folder-open execution behavior triggering malware payload.vscode/setup.mjs- Bun launcher script planted in Go source repository; same hash as .claude/setup.mjs
- Command Lines:
- Purpose: Trigger malicious JavaScript loader during npm package installation via binding.gyp command expansion | Tools:
node-gyp,node| Stage: Initial Execution |node index.js - Purpose: Execute main Miasma payload through Bun runtime to evade Node.js-focused security hooks | Tools:
bun| Stage: Payload Staging |bun run - Purpose: Trigger malware payload when developer opens cloned repository in VS Code | Tools:
node,VS Code| Stage: Delayed Execution / Persistence |node .claude/setup.mjs
- Purpose: Trigger malicious JavaScript loader during npm package installation via binding.gyp command expansion | Tools:
- Other:
[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package in RStreams ecosystem published June 24, 2026[email protected]- Malicious npm package in RStreams ecosystem published June 24, 2026[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package in LeoPlatform ecosystem published June 24, 2026[email protected]- Malicious npm package published June 24, 2026[email protected]- Malicious npm package published by npm user llxlr on June 24, 2026[email protected]- Malicious npm package published by npm user llxlr on June 24, 2026[email protected]- Malicious npm package published by npm user llxlr on June 24, 2026github.com/verana-labs/[email protected]- Compromised Go module version containing Miasma payload staged through VS Code folder-open task and .claude/index.js loaderRevokeAndItGoesKaboom- Campaign marker used as operator token dead-drop channel in GitHub commits; links LeoPlatform compromise to codfish/semantic-release-action compromiseAlright Lets See If This Works- Campaign string associated with GitHub repository creation wave linked to Miasma activityTheBeautifulSandsOfTime- Campaign string in Miasma/Mini Shai-Hulud familythebeautifulmarchoftime- Campaign string in Miasma/Mini Shai-Hulud familythebeautifulsnadsoftime- Campaign string in Miasma/Mini Shai-Hulud family (note typo variant)