The self-replicating supply chain campaign that began with Shai-Hulud in late 2025 has mutated again, and the newest variant breaks the assumption that has anchored most npm defenses for a year. Researchers tracking the Mini Shai-Hulud, Miasma, and Hades malware family report a fresh wave of compromised npm packages that has now propagated into the Go ecosystem — and a delivery method that no longer depends on a package-manager install hook to run.
What changed this week
Socket flagged the latest activity as malicious npm releases affecting the LeoPlatform and RStreams packages, abuse of GitHub Actions workflows, and a related Go module compromise tied to the Verana Blockchain project. The objective is unchanged from earlier waves: harvest developer and maintainer credentials, then use the stolen tokens to republish trojanized versions across registries and repositories. What is new is the reach. The campaign is no longer scoped to a single language registry — it is following developers across ecosystems.
The npm foothold appears to have come from a compromised maintainer account associated with LeoPlatform, breached most likely through leaked credentials. With that account’s npm token in hand, the attackers pushed trojanized package versions inside a six-second window — fast enough that the version bump looked like routine maintenance.
The trigger moved out of the install step
For the past year, the standard mitigation against this malware family has been to lock down lifecycle scripts: disable preinstall and postinstall hooks in CI, pin dependencies, and assume the danger lives at install time. The Go sample breaks that model.
According to Socket, the Go compromise does not rely on binding.gyp or native module build logic the way the npm packages do. Instead the risk is source-repository execution. A developer who simply clones or opens the affected repository in a trusted IDE — or an AI coding assistant environment — can trigger the payload through project configuration alone. No npm install required. The researchers framed it as the campaign’s larger theme: Miasma is spreading by targeting developer workflows, not just package-manager install hooks.
That detail is why this story is dominating the feeds. The attack surface has quietly expanded to include the act of opening a project in an editor that auto-evaluates configuration — exactly the behavior modern AI-assisted development relies on.
How the payload behaves
The GitHub Actions vector shows the operational discipline behind the campaign. StepSecurity documented that on June 24, an attacker force-pushed a malicious commit to a widely used release-automation action and redirected several version tags to point at it. Any workflow that ran against one of those tags afterward executed the attacker’s code directly inside the GitHub Actions runner. From there the payload steals GitHub OIDC tokens, scrapes Personal Access Tokens matching known GitHub patterns, encrypts the haul with AES-128-GCM, and attempts to seed a backdoor into every other repository the stolen credentials can reach.
The malware also maintains a retrieval channel: Endor Labs and OX Security observed it polling GitHub hourly for commits matching a specific marker string, pulling down and executing the Hades variant on demand. The structure points to a single operational cluster reusing tooling across all of these incidents rather than unrelated copycats — though copycats are also in play, since the worm’s source code was published publicly back in May and has been circulating ever since.
Why this keeps escalating
Shai-Hulud started in September 2025 as a worm that compromised more than 500 npm packages and prompted a CISA alert. Each subsequent wave has changed just enough to blunt stale detection signatures while keeping the same credential-harvesting, self-propagating core. Some earlier variants shipped a destructive fallback that wiped a user’s home directory if their exfiltration channel was cut. The through-line is that the attackers are not chasing a clever new exploit — they are weaponizing the trust baked into open-source publishing rights, and they keep finding fresh ground to spread on. The Go jump and the IDE-trigger technique are the latest iteration of that pattern.
What to do about it
The familiar guidance still applies and matters more than ever: rotate npm tokens, GitHub PATs, and cloud credentials; enforce phishing-resistant MFA on every developer and CI account; pin dependencies to known-clean versions; restrict lifecycle scripts in CI/CD; and limit outbound network access from build systems to trusted domains with short-lived, scoped automation tokens.
But the workflow-execution angle adds a new line item. If opening a repository can run code, then treating untrusted repos as inert until you install them is no longer safe. Teams should be cautious about cloning and opening unfamiliar projects in editors or AI assistants that auto-evaluate project configuration, sandbox that activity where possible, and watch for the GitHub Actions tag-redirect pattern that let this wave into the pipeline in the first place. The install step was never the only door — this campaign is making that explicit.
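Added example, not from the original article or the researchers it cites: a small audit that flags every `uses:` reference in a GitHub Actions workflow that is not pinned to a full 40-character commit SHA, since a tag or branch reference is what a tag redirect like the one described above can repoint. The sample workflow is constructed and the `example-org` names are placeholders, not the affected action.

```python
import re

# Matches "uses: owner/repo[/path]@ref" in a step or reusable-workflow job.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref_spec):
    """Return 'local', 'pinned', or 'mutable' for one uses: value."""
    if ref_spec.startswith("./"):
        return "local"  # resolved from the same repository checkout
    if ref_spec.startswith("docker://"):
        # Only an image digest is immutable; a tag such as :latest is not.
        return "pinned" if "@sha256:" in ref_spec else "mutable"
    _, _, ref = ref_spec.partition("@")
    # Tags, branches, short SHAs and missing refs can all be repointed.
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"

def audit_workflow(text):
    """Return [(line_no, uses_value)] for references a tag move could redirect."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            findings.append((line_no, m.group(1)))
    return findings

# Constructed sample workflow (assumption: not taken from any affected repository).
SAMPLE = """\
name: release
on: push
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/release-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: example-org/release-action@v2
      - uses: ./.github/actions/build
      - uses: docker://example/image:latest
"""

if __name__ == "__main__":
    for line_no, value in audit_workflow(SAMPLE):
        print(f"line {line_no}: {value} is not pinned to a full commit SHA")
```

Run it over each file under `.github/workflows/` and treat any finding as a reference that will follow a moved tag without any change appearing in your own repository.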