216.73.216.197

Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem

· Published 26/06/2026 05:57

Export JSON

Essential information

Published
26/06/2026 05:57
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
bun runtime hades leoplatform miasma mini shai-hulud npm packages supply chain attack
Related entities
18 indicators, 3 malware

Description

A sophisticated campaign linked to , , and malware has compromised LeoPlatform , GitHub Actions workflows, and the Verana Blockchain Go module. The attack employs binding.gyp install-time execution, Bun-staged JavaScript malware, and encrypted credential exfiltration targeting developer and CI/CD environments. Malicious packages were published through the czirker and llxlr npm accounts in a coordinated burst on June 24, 2026. The campaign steals credentials including npm tokens, GitHub tokens, cloud provider credentials, SSH keys, and AI coding assistant configurations. Attackers use GitHub as dead-drop infrastructure and inject persistence hooks into repositories through orphan branches and fake dependency-update workflows. The RevokeAndItGoesKaboom marker connects this wave to the codfish/semantic-release-action compromise, indicating shared operational tooling.

External references