Ethical Hacking News
Miasma Malware attacks npm packages to target developer credentials and spread across package registries. The attack uses tactics from prior campaigns, including npm registry poisoning, binding.gyp install-time execution, and GitHub Actions secret theft. A breach of an npm developer account associated with the LeoPlatform is suspected to be the entry point for the attack. The malware features a Russian locale killswitch and checks for endpoint security software before dropping a workflow named "Run Copilot" to capture CI/CD environment secrets. There are approximately 559 repositories matching the description "Alright Lets See If This Works", which is used by the malware to upload stolen data.
Miasma Malware, a sophisticated supply chain attack, has compromised a new set of npm packages, targeting developer credentials and weaponizing stolen data to spread across package registries, repositories, and trusted developer workflows. The attack leverages many tactics observed in prior campaigns, including npm registry poisoning, binding.gyp install-time execution, and GitHub Actions secret theft.
Cybersecurity researchers have flagged the latest activity linked to the Mini Shai-Hulud, Miasma, and Hades malware family. The campaign has propagated to the Go ecosystem, affecting a new set of packages and expanding the scope of the attack beyond npm. The end goal of the campaign is to harvest developer or maintainer credentials and use them to spread across package registries, repositories, and trusted developer workflows.
The list of affected packages includes hexo-deployer-wrangler@1.0.4, hexo-shoka-swiper@0.1.10, leo-auth@4.0.6, leo-aws@2.0.4, and several others. It is suspected that an npm developer account associated with the LeoPlatform was breached, likely via leaked credentials, to enable the attack. The threat actors were able to leverage an npm token belonging to the maintainer to push trojanized versions of the packages within a six-second window.
The new wave leverages many of the tactics observed in prior campaigns, including npm registry poisoning and binding.gyp install-time execution. Malicious npm packages incorporate a binding.gyp file to execute arbitrary code during installation, resulting in the launch of a JavaScript loader that downloads and installs the Bun runtime if not present, and then initiates the stealer payload responsible for harvesting secrets, credentials, and tokens.
The malware features a Russian locale killswitch and checks for the presence of endpoint security software. It drops a workflow named "Run Copilot" to capture CI/CD environment secrets from the runner memory. The information is then uploaded to a public GitHub repository with a description "Alright Lets See If This Works." As of writing, there are 559 repositories matching this description.
The token relay marker has also changed in the latest iteration. Where earlier waves used strings such as "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner," the current artifact uses "RevokeAndItGoesKaboom," a string that has also served as a GitHub dead-drop resolver in connection with the recent compromise of the codfish/semantic-release-action GitHub Action.
On June 24, 2026 at 15:39:06 UTC, an attacker force-pushed a malicious commit to codfish/semantic-release-action and redirected several version tags to point at the malicious commit. Any workflow that ran against one of these tags after that timestamp executed the attacker's payload directly inside the GitHub Actions runner.
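As an added example (mine, not from the article or from the codfish project) of the check a defender would want after a tag redirect like this: the following Python flags every `uses:` reference in a workflow that points at a tag or branch rather than a full commit SHA, since only the SHA cannot be moved by a force-push or retag. The workflow text and the commit SHA in it are constructed; the tag name is illustrative.

```python
import re

# A `uses:` step references an action; the part after '@' is the git ref that gets checked out.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_uses(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for each action not pinned to a full 40-hex commit SHA."""
    out = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local path or container image: not resolved through a movable git ref
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            out.append((lineno, ref))  # tag, branch, or no ref at all: attacker can repoint it
    return out

# Constructed workflow: one SHA-pinned step, one tag-pinned step, one local action.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA, pinned
      - uses: codfish/semantic-release-action@v3  # illustrative tag: resolves to wherever the tag points today
      - uses: ./.github/actions/local-step
      - name: build
        run: npm ci
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```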
The malware also polls GitHub every hour for commits matching the string "firedalazer" to retrieve and execute the Hades variant of the malware. The Leo/RStreams package set is tied to cloud-native and serverless workloads, exposing developer workstations, CI/CD systems, AWS-backed applications, GitHub repositories, package publishing credentials, and downstream package consumers.
The attack leverages many of the tactics observed in prior campaigns, including npm registry poisoning, binding.gyp install-time execution, Bun-staged JavaScript malware, GitHub dead-drop infrastructure, GitHub Actions secret theft, IDE and AI coding assistant persistence, and encrypted credential exfiltration. The malicious packages lack the lifecycle hook typically added to the package.json file but incorporate a binding.gyp file to execute arbitrary code during installation: when a package ships binding.gyp and declares no install script of its own, npm runs node-gyp rebuild by default, so nothing in package.json advertises that code will run.
The risk is source-repository execution: a developer who clones or opens the repository in a trusted IDE or AI coding assistant environment may trigger the payload through project configuration. This reinforces the larger campaign theme: Miasma is moving across package ecosystems by targeting developer workflows, not just package-manager install hooks.
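As an added defender-side example (mine, not from the article or from any of the projects named in it), the following Python audits a package's package.json and binding.gyp for the pattern described above and in the earlier paragraph on binding.gyp install-time execution: a gyp file that npm will build implicitly because there is no install script, whose target has no native sources to compile and whose build action launches an interpreter. The file contents are constructed samples; the package names are placeholders.

```python
import ast
import json
import os
from typing import Any, Optional

# Interpreters and downloaders a genuine native-addon build step has no reason to launch.
SUSPICIOUS_EXES = {"node", "bun", "sh", "bash", "python", "python3", "curl", "wget", "powershell"}

def parse_gyp(text: str) -> dict[str, Any]:
    """binding.gyp is a Python literal (gyp evaluates it); plain JSON is accepted too."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return json.loads(text)

def audit_package(package_json: str, binding_gyp: Optional[str]) -> list[str]:
    """Return red flags for a package whose binding.gyp does something other than compile code."""
    if binding_gyp is None:
        return []
    findings: list[str] = []
    for target in parse_gyp(binding_gyp).get("targets", []):
        name = target.get("target_name", "?")
        if not target.get("sources"):
            findings.append(f"target {name}: no native sources, so there is nothing legitimate to compile")
        for action in target.get("actions", []):
            cmd = [str(c) for c in action.get("action", [])]
            exe = os.path.basename(cmd[0]) if cmd else ""
            if exe in SUSPICIOUS_EXES:
                findings.append(f"target {name}: build action launches {exe}: {' '.join(cmd)}")
    scripts = json.loads(package_json).get("scripts", {})
    if findings and not any(k in scripts for k in ("install", "preinstall")):
        # With no install script of its own, npm runs `node-gyp rebuild` for a package that
        # ships binding.gyp, so the actions flagged above execute at install time unannounced.
        findings.insert(0, "binding.gyp present with no install script: node-gyp rebuild runs implicitly")
    return findings

# Constructed samples: a real native addon, and a package shaped like the campaign's loader stage.
BENIGN_PKG = '{"name": "native-hash", "version": "1.0.0"}'
BENIGN_GYP = "{'targets': [{'target_name': 'native_hash', 'sources': ['src/hash.cc']}]}"
STAGER_PKG = '{"name": "example-pkg", "version": "9.9.9", "scripts": {"test": "echo ok"}}'
STAGER_GYP = """{'targets': [{'target_name': 'stage',
    'actions': [{'action_name': 'run_loader', 'inputs': [], 'outputs': ['stage.txt'],
                 'action': ['node', 'loader.js']}]}]}"""

if __name__ == "__main__":
    for label, pkg, gyp in (("benign", BENIGN_PKG, BENIGN_GYP), ("stager", STAGER_PKG, STAGER_GYP)):
        print(label, audit_package(pkg, gyp) or ["clean"])
```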
Related Information:
https://www.ethicalhackingnews.com/articles/Miasma-Malware-A-Sophisticated-Supply-Chain-Attack-Targeting-npm-Packages-and-GitHub-Actions-ehn.shtml
https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html
Published: Fri Jun 26 07:27:37 2026 by llama3.2 3B Q4_K_M