socket-dev · Crawled Jul 5, 2026

Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages

71 IoCs
Read original article ↗

AI Summary

The Miasma Mini Shai-Hulud supply chain campaign has expanded to compromise legitimate @immobiliarelabs npm packages, specifically Backstage plugins for GitLab and LDAP authentication. Malicious versions were published on June 26, 2026, using a hidden root-level index.js to execute a multi-stage payload that steals developer and CI/CD secrets, including tokens, SSH keys, and cloud credentials. The attack leverages GitHub Actions deployment triggers and may have originated from a compromised third-party GitHub Action, codfish/semantic-release-action, enabling further propagation through poisoned workflows and exfiltration to attacker-controlled repositories.

AI-extracted · verify before operational use

Indicators of Compromise 71 extracted

Type Value Detail
Package @immobiliarelabs/backstage-plugin-gitlab@1.0.1 Details →
Package @immobiliarelabs/backstage-plugin-gitlab@2.1.2 Details →
Package @immobiliarelabs/backstage-plugin-gitlab@3.0.3 Details →
Package @immobiliarelabs/backstage-plugin-gitlab@4.0.2 Details →
Package @immobiliarelabs/backstage-plugin-gitlab@5.2.1 Details →
Package @immobiliarelabs/backstage-plugin-gitlab@6.13.1 Details →
Package @immobiliarelabs/backstage-plugin-gitlab@7.0.2 Details →
Package @immobiliarelabs/backstage-plugin-gitlab-backend@3.0.3 Details →
Package @immobiliarelabs/backstage-plugin-gitlab-backend@4.0.2 Details →
Package @immobiliarelabs/backstage-plugin-gitlab-backend@5.2.1 Details →
Package @immobiliarelabs/backstage-plugin-gitlab-backend@6.13.1 Details →
Package @immobiliarelabs/backstage-plugin-gitlab-backend@7.0.2 Details →
Package @immobiliarelabs/backstage-plugin-ldap-auth@1.1.4 Details →
Package @immobiliarelabs/backstage-plugin-ldap-auth@2.0.5 Details →
Package @immobiliarelabs/backstage-plugin-ldap-auth@3.0.2 Details →
Package @immobiliarelabs/backstage-plugin-ldap-auth@4.3.2 Details →
Package @immobiliarelabs/backstage-plugin-ldap-auth@5.2.1 Details →
Package @immobiliarelabs/backstage-plugin-ldap-auth-backend@1.1.3 Details →
Package @immobiliarelabs/backstage-plugin-ldap-auth-backend@2.0.5 Details →
Package @immobiliarelabs/backstage-plugin-ldap-auth-backend@3.0.2 Details →
Package @immobiliarelabs/backstage-plugin-ldap-auth-backend@4.3.2 Details →
Package @immobiliarelabs/backstage-plugin-ldap-auth-backend@5.2.1 Details →
SHA-256 dfcdec5f43cc8d127084a2ac4d66499f13bae7f49167e3291a6f1a70738772d1 Details →
SHA-256 1e7b04a9a4a25eb7928821a5519b0a40f7afe0f6042a6860c918b62d369096ed Details →
SHA-256 7a879ed69a8191df5c68535f6ac41b830577b698de943c66ff40e51482d90d79 Details →
SHA-256 14253cd5b8acccbbacb5cd3bb0a099fb6b0aafe4d06d032e4070b3fb814677dd Details →
SHA-256 2f6cbe3a79148bc247131c36cd12689c97166a9d141dd9d9466270b4c04c3e3e Details →
SHA-256 8a71e7d9b6b1b6d3e7bee490e98b34595ceea207160fc7ed35e47f82160febbe Details →
SHA-256 9df6bda43678708605dfaad35f02be8027e85e6aa38193704cf192f842f0d186 Details →
SHA-256 2ffed3b58bc267c438c759cd03b3e890904f25bacd015608f888c302741cad29 Details →
SHA-256 720571b83600cd61080a7779e7f44327e4df4974d4a01475439d2e59e11ab29f Details →
SHA-256 60099babe48a48831262b40d4c5c1dd623726060da10c1e2f74f191c9c4cd81d Details →
SHA-256 54086c0f23710ff45cb6bde498083d0a0098112aab9b0ef48e6e869a280f1b42 Details →
SHA-256 3b24b47a66b17d39fbdb7deccc329342b18cec6feb967adbaf80e81a70ecc609 Details →
SHA-256 a09909e8981e17712ef38b363f94553e2f86b6c2abd6c87eada94d3d3aab937e Details →
SHA-256 8746d49834ad938eebeaffd380b6302c94ab0b3258268c1a8c7e57ee7d5c11e1 Details →
SHA-256 333f2e3753063447819a3c86cfc475fe4bd3f0a76c05262a61c3d18b50438bb5 Details →
SHA-256 99eb789284fa62e3f956e81294247ae82f596ebf481c069ae45019ac4e879927 Details →
SHA-256 869ffe5400477ce69bbfd5f51ddd0c40eacad9a83005956fb14787a5e1e98330 Details →
SHA-256 7cd21d65d5a085d82d07275df9a66c6dfac4e13e43ea9ef44e84a3dd14ea1b3f Details →
SHA-256 24c578c2573bf7a04f69c4762a36a87fd32746e9db4df16b2ad92f31fbdd0d50 Details →
SHA-256 ca89ece660251554b66f1e5e9874410d206e0f080da3039e1221f1c71d817395 Details →
SHA-256 89c218ca407c2d92359b53a9e3b7b973a761dcf323d2fa1cc2dc12c13f27afaf Details →
SHA-256 ef89e81be6b9d81b9d4bc41dae5f10a7a68f33b17fd76affcf7dca2f5d50a843 Details →
SHA-256 cc00c23768bee76e2f297c1766a013a681efb519888545352cff96fc5cead035 Details →
SHA-256 9d8ea3cefb942081a1409e842ddc541ccd65fb3e66a4f8dfe562ca8548dd09d9 Details →
SHA-256 d1db13a14db489531e11ccf700d7fd8701f61ad297ce02477e11acf194d3fed0 Details →
SHA-256 8df5d46d91589e6a3ec8d87d6eea6c71fac103f9e10dff9b88c309c1e9129b07 Details →
SHA-256 3667e7080c083563f6d05118d8b08f535b391fe2a5c0f98d5bd31f96257620f7 Details →
SHA-256 63667208bcd2d307b307e6df43bf8960ccb7058333d00ba064ed53f180ec32ea Details →
SHA-256 3809fd3a3a912abccaa7aa201880a2cfd194ae7f9dbdc747872cd045bcb3def5 Details →
SHA-256 0ccd7c44a6352f295f65ffea21c2472566f9e73c4dd1028fe0b9971314b18de6 Details →
SHA-256 b38a73c365e5761fe0e7f25a391db3a264b1f2b4878a1c8cc127ba83d64e614c Details →
SHA-256 0574f0bee78294a5f3495144ea6e05848c5fe8dcda11414e35c65aea46ce953b Details →
SHA-256 441d834d8a97b3d76bd7a9ac73174a18c1add1bf80b21319c0cb2d5737782e83 Details →
SHA-256 cf46348e7a4beacc0b9600c9ece3bee140f344641e90d99c741bc54507423443 Details →
SHA-256 8284d9bd16c9141d331d3b724f9d57ae2cae265bf326055e18d5cde4bb5985b7 Details →
SHA-256 d2aa3f9057c6f3295766aabed0a71a369353d6eb665049a45fd407fd55020fdb Details →
SHA-256 7bc28ba4d33d010785a5289211ad6a0d968ec0abd56201d90d74921ad83d925d Details →
SHA-256 8e83e3ece1a2a764a7c6fd78dd39cfb32cb38d22b7b3d92709cb5b87fa916403 Details →
SHA-256 ef01e18ccf618a8992ad0aa4eb7d804bbacf9f092d43d39237f283a9a289c9b9 Details →
SHA-256 b82f5f6f1d969ba8f32937a3d81306c631defa943b7cc7529e45a0003340ece5 Details →
SHA-256 b4f90f5515df39cf346bf436e284f2dae28c9341c035765d83d82a76c86922b7 Details →
SHA-256 1623787aa0de7310a4585101212b41ae02d02801ebda5812395932392400c756 Details →
SHA-256 a16810f972f577f129f95f147e64aa4c70977035285d357a53958496c0531223 Details →
SHA-256 cf5d79494d8b1fdcb5480507eee8beeb2fcd69bcd9afcdc7dc1bcdda7461913e Details →
SHA-256 ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90 Details →
Filename binding.gyp Details →
GitHub Repo codfish/semantic-release-action Details →
GitHub User simonecorsi Details →
Registry User services-admin-pearhealthlabs Details →