Miasma Malware Hits npm Packages and GitHub Actions in Supply Chain Attack
Cybersecurity researchers at Socket have uncovered a new wave of the Mini Shai-Hulud, Miasma, and Hades malware campaign, this time targeting npm packages associated with LeoPlatform and RStreams, a Go module from the Verana Blockchain project, and abusing GitHub Actions workflows to exfiltrate CI/CD secrets. Twenty-six malicious npm packages—including hexo-deployer-wrangler@1.0.4, leo-auth@4.0.6, leo-sdk@6.0.19, serverless-leo@3.0.14, and rstreams-metrics@2.0.2—were published after the threat actor compromised an npm maintainer account known as "czirker," reportedly via leaked credentials, then pushed trojanized versions within a six-second window. The Go ecosystem was also hit through github.com/verana-labs/verana-blockchain@v0.10.1-dev.20, marking the malware family's expansion beyond JavaScript.
Unlike prior variants, the malicious packages lack a postinstall lifecycle hook in package.json and instead weaponize a binding.gyp file to execute arbitrary code at install time: when a package ships a binding.gyp and declares no install script of its own, npm's default install step runs node-gyp rebuild, so the native build configuration itself becomes the execution vector. The loader installs the Bun runtime if absent, then deploys a stealer payload that harvests developer credentials, npm tokens, GitHub PATs, and environment variables. The malware also includes a Russian locale killswitch and attempts to evade endpoint security detection before activating its next-stage operations. Developers who suspect their npm or GitHub credentials may have been exposed should run their accounts through an email breach checker and test any reused passwords with a password checker to gauge compromise risk.
A central component of the campaign is the abuse of GitHub Actions and a public repository infrastructure used as a dead-drop resolver. The malware drops a workflow named "Run Copilot" to extract CI/CD secrets directly from runner memory, then uploads them to public GitHub repositories with the description "Alright Lets See If This Works"—a search that currently returns 559 matching repositories. The token relay marker has also evolved: earlier waves used strings like "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner," while this iteration uses "RevokeAndItGoesKaboom," a string also serving as a GitHub dead-drop resolver that chains stolen tokens into further supply chain propagation.
The attack demonstrates how the Miasma family continues to refine its tradecraft across multiple ecosystems by combining npm registry poisoning, install-time native binding abuse, Bun-staged JavaScript payloads, IDE and AI coding assistant persistence, and encrypted credential exfiltration. Organizations relying on LeoPlatform or RStreams dependencies—as well as any Go projects pulling from the affected Verana Blockchain module—are urged to audit lockfiles, rotate all secrets that may have been exposed in CI runners, pin package versions, and review GitHub Actions logs for anomalous "Run Copilot" workflow activity.
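The audit steps above, as an added Python example that is neither Socket's tooling nor part of the original article: it checks a lockfileVersion 2/3 package-lock.json and a go.sum for the exact package versions this article names, and flags a workflow file carrying the "Run Copilot" name. The helper names are hypothetical, and the sample lockfile, go.sum lines and workflow text are constructed inputs, not captures from a real incident.

```python
"""Audit helpers for the wave described above. Indicators come from the article;
the sample inputs at the bottom are constructed, not captured from an incident."""
import json
import re

# npm package@version pairs and the Go module version named in the article.
AFFECTED_NPM = {"hexo-deployer-wrangler": {"1.0.4"}, "leo-auth": {"4.0.6"},
                "leo-sdk": {"6.0.19"}, "serverless-leo": {"3.0.14"},
                "rstreams-metrics": {"2.0.2"}}
AFFECTED_GO = {"github.com/verana-labs/verana-blockchain": {"v0.10.1-dev.20"}}

def check_package_lock(lock_text):
    """(name, version) hits from a lockfileVersion 2/3 package-lock.json; keys of
    "packages" are install paths, so copies nested under another package count too."""
    hits = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # keeps @scope/name intact
        if meta.get("version") in AFFECTED_NPM.get(name, ()):
            hits.append((name, meta["version"]))
    return hits

def check_go_sum(go_sum_text):
    """(module, version) hits from go.sum lines '<module> <version>[/go.mod] <hash>'."""
    hits = set()
    for line in go_sum_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        mod, ver = parts[0], parts[1].removesuffix("/go.mod")
        if ver in AFFECTED_GO.get(mod, ()):
            hits.add((mod, ver))
    return sorted(hits)

def check_workflow(yaml_text):
    """True if a workflow, job or step declares the "Run Copilot" name from the article."""
    return re.search(r'^\s*name:\s*["\']?Run Copilot["\']?\s*$', yaml_text, re.M) is not None

# Constructed sample inputs so the module runs stand-alone.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/leo-sdk": {"version": "6.0.19"},
    "node_modules/leo-auth": {"version": "4.0.5"},
    "node_modules/@scope/pkg/node_modules/rstreams-metrics": {"version": "2.0.2"}}})
SAMPLE_GO_SUM = ("github.com/verana-labs/verana-blockchain v0.10.1-dev.20 h1:constructed=\n"
                 "github.com/verana-labs/verana-blockchain v0.10.1-dev.20/go.mod h1:constructed=\n")
SAMPLE_WORKFLOW = "name: Run Copilot\non: push\njobs: {}\n"
```

Any hit from the lockfile or go.sum check means the affected version is resolved somewhere in the dependency tree, which is the trigger for the secret rotation the article recommends.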