Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem
Essential information
- Published
- 26/06/2026 05:57
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- bun runtime hades leoplatform miasma mini shai-hulud npm packages supply chain attack
- Related entities
- 18 indicators, 3 malware
Description
A sophisticated supply chain attack campaign linked to Mini Shai-Hulud, Miasma, and Hades malware has compromised LeoPlatform npm packages, GitHub Actions workflows, and the Verana Blockchain Go module. The attack employs binding.gyp install-time execution, Bun-staged JavaScript malware, and encrypted credential exfiltration targeting developer and CI/CD environments. Malicious packages were published through the czirker and llxlr npm accounts in a coordinated burst on June 24, 2026. The campaign steals credentials including npm tokens, GitHub tokens, cloud provider credentials, SSH keys, and AI coding assistant configurations. Attackers use GitHub as dead-drop infrastructure and inject persistence hooks into repositories through orphan branches and fake dependency-update workflows. The RevokeAndItGoesKaboom marker connects this wave to the codfish/semantic-release-action compromise, indicating shared operational tooling.