socket-dev · Crawled Jul 5, 2026
Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem
37 IoCs · 1 Malware
AI Summary
A new wave of the Miasma Mini Shai-Hulud supply chain attack has compromised npm packages under LeoPlatform and RStreams, as well as a Go module associated with Verana Blockchain. The campaign uses malicious binding.gyp files in npm packages to trigger JavaScript execution during installation, stages payloads via Bun, and targets developer environments, CI/CD pipelines, and GitHub Actions for credential theft. It also spreads through poisoned repositories and source configurations, with persistence mechanisms targeting AI coding assistants and IDEs. The activity overlaps with prior incidents involving the same malware family and operational markers like 'RevokeAndItGoesKaboom'.
Extracted Entities: 1 found
Indicators of Compromise: 37 extracted
| Type | Value |
|---|---|
| Filename | binding.gyp |
| Filename | _index.js |
| Filename | .github/setup.js |
| Filename | .claude/settings.json |
| Filename | .claude/setup.mjs |
| Filename | .gemini/settings.json |
| Filename | .cursor/rules/setup.md |
| Filename | .vscode/tasks.json |
| Package | leo-aws@2.0.4 |
| Package | leo-auth@4.0.6 |
| Package | leo-sdk@6.0.19 |
| Package | leo-logger@1.0.8 |
| Package | hexo-deployer-wrangler@1.0.4 |
| Package | hexo-shoka-swiper@0.1.10 |
| Package | prism-silq@1.0.1 |
| Package | github.com/verana-labs/verana-blockchain@v0.10.1-dev.20 |
| GitHub Repo | verana-labs/verana-blockchain |
| GitHub User | czirker |
| GitHub User | llxlr |
MITRE ATT&CK TTPs: 9 techniques

| Technique | Name | Tactic |
|---|---|---|
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1059.001 | PowerShell | Execution |
| T1059.007 | JavaScript | Execution |
| T1071.001 | Web Protocols | Command and Control |
| T1078 | Valid Accounts | Defense Evasion |
| T1082 | System Information Discovery | Discovery |
| T1195.001 | Compromise Software Dependencies and Development Tools | Initial Access |
| T1554 | Compromise Host Software Binary | Persistence |
| T1555 | Credentials from Password Stores | Credential Access |