socket-dev · Crawled Jul 5, 2026

Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem

37 IoCs 1 Malware

AI Summary

A new wave of the Miasma Mini Shai-Hulud supply chain attack has compromised npm packages under LeoPlatform and RStreams, as well as a Go module associated with Verana Blockchain. The campaign uses malicious binding.gyp files in npm packages to trigger JavaScript execution during installation, stages payloads via Bun, and targets developer environments, CI/CD pipelines, and GitHub Actions for credential theft. It also spreads through poisoned repositories and source configurations, with persistence mechanisms targeting AI coding assistants and IDEs. The activity overlaps with prior incidents involving the same malware family and operational markers like 'RevokeAndItGoesKaboom'.

AI-extracted · verify before operational use

Extracted Entities 1 found

Indicators of Compromise 37 extracted

Type Value
Filename binding.gyp
Filename _index.js
Filename .github/setup.js
Filename .claude/settings.json
Filename .claude/setup.mjs
Filename .gemini/settings.json
Filename .cursor/rules/setup.md
Filename .vscode/tasks.json
Package leo-aws@2.0.4
Package leo-auth@4.0.6
Package leo-sdk@6.0.19
Package leo-logger@1.0.8
Package hexo-deployer-wrangler@1.0.4
Package hexo-shoka-swiper@0.1.10
Package prism-silq@1.0.1
Package github.com/verana-labs/verana-blockchain@v0.10.1-dev.20
GitHub Repo verana-labs/verana-blockchain
GitHub User czirker
GitHub User llxlr

MITRE ATT&CK TTPs 9 techniques