As of this writing, 559 public GitHub repositories display the description "Alright Lets See If This Works," a signpost in a supply-chain campaign that researchers say is again harvesting developer credentials and weaponizing them across package registries and developer workflows.
Affected npm packages and the Verana Go module
Researchers catalogued a broad set of compromised packages across npm and one Go repository. The npm packages identified include:
- hexo-deployer-wrangler@1.0.4
- hexo-shoka-swiper@0.1.10
- leo-auth@4.0.6
- leo-aws@2.0.4
- leo-cache@1.0.2
- leo-cdk-lib@0.0.2
- leo-cli@3.0.3
- leo-config@1.1.1
- leo-connector-elasticsearch@2.0.6
- leo-connector-mongo@3.0.8
- leo-connector-mysql@3.0.3
- leo-connector-oracle@2.0.1
- leo-connector-redshift@3.0.6
- leo-cron@2.0.2
- leo-logger@1.0.8
- leo-sdk@6.0.19
- leo-streams@2.0.1
- prism-silq@1.0.1
- rstreams-metrics@2.0.2
- rstreams-shard-util@1.0.1
- serverless-convention@2.0.4
- serverless-leo@3.0.14
- solo-nav@1.0.1
In addition, researchers reported a compromised Go module: github.com/verana-labs/verana-blockchain@v0.10.1-dev.20.
How the malicious packages execute: binding.gyp, Bun, and a JavaScript loader
Socket and other analysts say the packages do not use a conventional package.json lifecycle hook such as preinstall or postinstall. Instead they ship a binding.gyp file that runs arbitrary code during installation: npm treats a package that carries binding.gyp and defines no install or preinstall script as a native addon and runs node-gyp rebuild by default, and a gyp file can embed command expansions that execute while node-gyp evaluates it, so the execution vector never appears under "scripts" in package.json. The gyp-triggered code launches a JavaScript loader, which downloads and installs the Bun runtime if it is not already present, then starts a stealer payload that harvests secrets, credentials, and tokens.
The malware checks for endpoint security software and contains a Russian-locale killswitch. It also drops a workflow named "Run Copilot" designed to capture CI/CD environment secrets from runner memory, then upload the stolen material to a public GitHub repository. Socket noted the repository description string that has proliferated: "Alright Lets See If This Works."
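The following is an added example, not code from the article or from any of the packages it names. It inspects an unpacked npm package for the install-time execution vectors discussed above: package.json lifecycle hooks, and a binding.gyp that npm will build implicitly, including gyp command expansions that run during evaluation. The two sample packages are constructed inline (the `./loader.js` name is a placeholder, not the real loader), so the script runs offline.

```javascript
// Added example, not code from the article or from any of the packages it names.
// Inspects an unpacked npm package for ways code can execute at install time.

// npm behaviour this relies on: when a package ships binding.gyp and defines no
// "install" or "preinstall" script, `npm install` runs `node-gyp rebuild` by default.
// node-gyp evaluates the gyp file, and gyp's `<!(cmd)` / `<!@(cmd)` expansions
// execute `cmd` while the file is processed, before any compiler is invoked.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'preprepare', 'postprepare'];
const GYP_COMMAND_EXPANSION = /<!@?\(/;

// `files` maps a relative path inside the package to its contents.
// Returns one finding per way the package can execute code at install time.
function inspectPackage(files) {
  const findings = [];
  const pkg = JSON.parse(files['package.json'] || '{}');
  const scripts = pkg.scripts || {};

  // Vector 1: explicit lifecycle hooks (what most scanners already look at).
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ vector: `scripts.${hook}`, detail: scripts[hook] });
    }
  }

  // Vector 2: binding.gyp with no install/preinstall script, so npm builds it
  // without anything visible under "scripts"; then any command expansion inside it.
  const gyp = files['binding.gyp'];
  if (gyp !== undefined) {
    if (!('install' in scripts) && !('preinstall' in scripts)) {
      findings.push({ vector: 'binding.gyp implicit build', detail: 'npm will run node-gyp rebuild during install' });
    }
    gyp.split('\n').forEach((line, idx) => {
      if (GYP_COMMAND_EXPANSION.test(line)) {
        findings.push({ vector: `binding.gyp line ${idx + 1} command expansion`, detail: line.trim() });
      }
    });
  }
  return findings;
}

// Constructed sample resembling the pattern described above: no lifecycle scripts,
// but a binding.gyp whose "variables" block runs a command at gyp-evaluation time.
// `./loader.js` is a placeholder name, not the real loader.
const SUSPICIOUS_PACKAGE = {
  'package.json': JSON.stringify({ name: 'example-pkg', version: '1.0.0', scripts: { test: 'mocha' } }),
  'binding.gyp': [
    '{',
    '  "variables": {',
    '    "bootstrap": "<!(node ./loader.js)"',
    '  },',
    '  "targets": []',
    '}',
  ].join('\n'),
};

// Constructed benign native addon for comparison: it is still built implicitly,
// but its gyp file contains no command expansion, so binding.gyp alone is not proof.
const BENIGN_ADDON = {
  'package.json': JSON.stringify({ name: 'example-addon', version: '2.0.0' }),
  'binding.gyp': [
    '{',
    '  "targets": [',
    '    { "target_name": "addon", "sources": ["src/addon.cc"] }',
    '  ]',
    '}',
  ].join('\n'),
};

console.log(inspectPackage(SUSPICIOUS_PACKAGE));
console.log(inspectPackage(BENIGN_ADDON));
```

The benign addon still produces an "implicit build" finding, which is the point: the presence of binding.gyp is normal for native modules, and what separates the pattern described above from a legitimate addon is a command expansion (or a referenced script) that does something other than describe compilation targets.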
Token theft, dead drops, and the codfish/semantic-release-action compromise
Researchers tie the campaign to credential theft and rapid propagation. Socket reported that an npm developer account associated with LeoPlatform — the account name "czirker" in researchers' findings — was likely breached, allowing attackers to use the maintainer's npm token to push trojanized releases within a six‑second window.
The campaign uses token relay markers and GitHub dead-drop resolvers that have shifted over time. Earlier waves used strings such as "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner"; the latest artifacts use "RevokeAndItGoesKaboom." That marker appeared in connection with a recent compromise of the codfish/semantic-release-action GitHub Action.
StepSecurity documented a clear timeline for that incident: "On June 24, 2026 at 15:39:06 UTC, an attacker force-pushed a malicious commit to codfish/semantic-release-action and redirected several version tags to point at the malicious commit," the company said. "Any workflow that ran against one of these tags after that timestamp executed the attacker's payload directly inside the GitHub Actions runner. The payload steals GitHub OIDC tokens, harvests Personal Access Tokens matching known GitHub token patterns, encrypts the collected material with AES-128-GCM, and attempts to propagate a backdoor into other repositories accessible with the stolen credentials."
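The tag redirection in that timeline works because a `uses:` reference such as `owner/action@v3` is resolved at run time to whatever commit the tag currently points at. The check below is an added example, not StepSecurity's tooling and not anything from the codfish/semantic-release-action project: it walks a workflow file and reports every `uses:` reference that resolves through a mutable tag or branch rather than a full 40-hex commit SHA. The sample workflow is constructed; `example-org/release-action` is a hypothetical action and the 40-hex value is a placeholder, not a real commit.

```javascript
// Added example; not StepSecurity's tooling or code from codfish/semantic-release-action.
// Flags GitHub Actions `uses:` references that are not pinned to a full commit SHA.
const FULL_SHA = /^[0-9a-f]{40}$/;
const USES_LINE = /^\s*-?\s*uses:\s*['"]?([^'"\s#]+)/;

// Returns one record per `uses:` line: { line, ref, status } where status is
// 'pinned' (full SHA), 'mutable' (tag, branch or no ref) or 'skip' (local path or docker://).
function checkUsesPins(workflowYaml) {
  const records = [];
  workflowYaml.split('\n').forEach((text, idx) => {
    const m = USES_LINE.exec(text);
    if (!m) return;
    const ref = m[1];
    // Local composite actions and docker:// images are not tag-resolved the same way.
    if (ref.startsWith('./') || ref.startsWith('docker://')) {
      records.push({ line: idx + 1, ref, status: 'skip' });
      return;
    }
    const at = ref.lastIndexOf('@');
    const version = at === -1 ? '' : ref.slice(at + 1);
    records.push({ line: idx + 1, ref, status: FULL_SHA.test(version) ? 'pinned' : 'mutable' });
  });
  return records;
}

// Just the references that should be re-pinned to a reviewed commit.
function mutableRefs(workflowYaml) {
  return checkUsesPins(workflowYaml)
    .filter((r) => r.status === 'mutable')
    .map((r) => r.ref);
}

// Constructed workflow. `example-org/release-action` is hypothetical and the
// 40-hex value is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = [
  'name: release',
  'on: [push]',
  'jobs:',
  '  release:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '      - uses: example-org/release-action@v3   # follows wherever the v3 tag points today',
  '      - uses: "example-org/release-action@0123456789abcdef0123456789abcdef01234567"',
  '      - uses: ./.github/actions/local-step',
].join('\n');

console.log(checkUsesPins(SAMPLE_WORKFLOW));
```

Two caveats a practitioner should keep in mind. A SHA pin only helps if the commit was reviewed before it was pinned; a SHA recorded from a tag after it had already been redirected pins the malicious commit just as firmly. And a pinned action can still fetch code at run time, so the pin bounds what GitHub checks out, not everything the step executes.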
Why developer workflows and the Verana repository matter
JFrog highlighted the operational risk: "The Leo/RStreams package set is tied to cloud‑native and serverless workloads," the company said, adding that a compromise can expose developer workstations, CI/CD systems, AWS‑backed applications, GitHub repositories, package publishing credentials, and downstream package consumers.
Endor Labs and OX Security reported that the malware polls GitHub every hour for commits matching the string "firedalazer" to retrieve and execute a Hades variant. Socket emphasized that the Verana repository poisoning expands the campaign beyond npm. "Unlike the npm packages, this sample does not rely on binding.gyp," Socket explained, and warned that a developer who clones or opens the repository in a trusted IDE or AI coding assistant environment may trigger execution through project configuration.
What this means for security teams, maintainers, and CI/CD operators
- Security teams and incident responders: Expect attacker tooling that searches for and reuses legitimate author tokens and CI/CD trust chains; StepSecurity's timeline shows rapid tag redirection and immediate payload execution inside runners.
- Open-source maintainers and package publishers: A breached maintainer account can be used to push malicious releases in seconds, as researchers report happened with the "czirker" account and the LeoPlatform packages. Protecting registry tokens and monitoring for unexpected pushes is critical.
- CI/CD operators and repository owners: GitHub Actions runners are a target for in-memory secret harvesting and token exfiltration; the observed workflow name "Run Copilot" and the public dead-drop description string are practical indicators to hunt for.
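The check below is an added example, not from the article or any of the vendors it cites. It turns the indicators above into something a responder can run over a checkout: the exact npm package versions listed earlier matched against a package-lock.json, the affected Go module matched against go.mod or go.sum lines, and workflow files carrying the "Run Copilot" name. The lockfile, go.sum and workflow inputs are constructed inline (the go.sum hashes are placeholders), so it runs offline; it assumes the dropped workflow sets its display name through the YAML `name:` key rather than only through the filename.

```javascript
// Added example, not from the article or any named vendor. Matches a checkout
// against the indicators reported above; all inputs are inline strings.

// npm package versions listed in the article. Only exact version matches count;
// other versions of these packages are not reported as affected.
const AFFECTED_NPM = new Map([
  ['hexo-deployer-wrangler', '1.0.4'], ['hexo-shoka-swiper', '0.1.10'],
  ['leo-auth', '4.0.6'], ['leo-aws', '2.0.4'], ['leo-cache', '1.0.2'],
  ['leo-cdk-lib', '0.0.2'], ['leo-cli', '3.0.3'], ['leo-config', '1.1.1'],
  ['leo-connector-elasticsearch', '2.0.6'], ['leo-connector-mongo', '3.0.8'],
  ['leo-connector-mysql', '3.0.3'], ['leo-connector-oracle', '2.0.1'],
  ['leo-connector-redshift', '3.0.6'], ['leo-cron', '2.0.2'], ['leo-logger', '1.0.8'],
  ['leo-sdk', '6.0.19'], ['leo-streams', '2.0.1'], ['prism-silq', '1.0.1'],
  ['rstreams-metrics', '2.0.2'], ['rstreams-shard-util', '1.0.1'],
  ['serverless-convention', '2.0.4'], ['serverless-leo', '3.0.14'], ['solo-nav', '1.0.1'],
]);
const AFFECTED_GO = { path: 'github.com/verana-labs/verana-blockchain', version: 'v0.10.1-dev.20' };

// package-lock.json (lockfileVersion 2 or 3) lists every installed package under
// "packages", keyed by node_modules path. Nested copies appear as
// "node_modules/a/node_modules/b", so the name is whatever follows the last "node_modules/".
function findAffectedNpm(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const hits = [];
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    const marker = p.lastIndexOf('node_modules/');
    if (marker === -1) continue; // "" is the root project itself
    const name = p.slice(marker + 'node_modules/'.length);
    if (AFFECTED_NPM.get(name) === entry.version) hits.push({ path: p, name, version: entry.version });
  }
  return hits;
}

// go.mod require lines and go.sum lines both begin "<module path> <version>";
// go.sum also carries "<version>/go.mod" lines, which are stripped before comparing.
function findAffectedGo(goModOrSum) {
  return goModOrSum.split('\n')
    .map((l) => l.trim())
    .filter((l) => {
      const [path, rawVersion] = l.split(/\s+/);
      return path === AFFECTED_GO.path && (rawVersion || '').replace(/\/go\.mod$/, '') === AFFECTED_GO.version;
    });
}

// The dropped workflow is reported under the name "Run Copilot". `workflows` maps a
// filename to its YAML text; returns the files whose top-level name matches.
function findRunCopilotWorkflows(workflows) {
  const NAME = /^name:\s*['"]?Run Copilot['"]?\s*$/m;
  return Object.keys(workflows).filter((f) => NAME.test(workflows[f]));
}

// Constructed lockfile: one affected top-level package, one affected nested copy,
// and one version of an affected package that the article does not list (leo-logger 1.0.7).
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.0.1' },
    'node_modules/leo-sdk': { version: '6.0.19' },
    'node_modules/leo-logger': { version: '1.0.7' },
    'node_modules/serverless-leo': { version: '3.0.14' },
    'node_modules/serverless-leo/node_modules/leo-cron': { version: '2.0.2' },
  },
});

// Constructed go.sum fragment; the h1: values are placeholders, not real hashes.
const SAMPLE_GO_SUM = [
  'github.com/verana-labs/verana-blockchain v0.10.1-dev.20 h1:placeholder=',
  'github.com/verana-labs/verana-blockchain v0.10.1-dev.20/go.mod h1:placeholder=',
  'github.com/verana-labs/verana-blockchain v0.10.1-dev.200 h1:placeholder=',
  'golang.org/x/text v0.14.0 h1:placeholder=',
].join('\n');

// Constructed workflow set.
const SAMPLE_WORKFLOWS = {
  'ci.yml': 'name: CI\non: [push]\njobs: {}',
  'copilot.yml': 'name: Run Copilot\non: [push]\njobs: {}',
};

console.log(findAffectedNpm(SAMPLE_LOCK));
console.log(findAffectedGo(SAMPLE_GO_SUM));
console.log(findRunCopilotWorkflows(SAMPLE_WORKFLOWS));
```

A hit in the lockfile means the version was resolved for this project, not necessarily that it was installed on the machine being examined; pair it with the binding.gyp and token-revocation steps described earlier rather than treating a clean lockfile as an all-clear.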
The campaign’s technical continuity — reuse of a JavaScript loader, Bun installation, GitHub dead-drop markers, and hourly polling for a Hades payload — shows an operational cluster moving across package ecosystems by targeting developer workflows, not merely package-manager hooks. That pattern raises a blunt question for organizations that rely on open-source components and automated pipelines: how quickly can teams detect token misuse, revoke compromised credentials, and remove backdoors propagated through trusted workflows?