Threat Intelligence Report: Mini Shai-Hulud, Miasma, and Hades Malware Targeting Developer Ecosystems

A sophisticated new wave of supply-chain attacks—driven by the Mini Shai-Hulud, Miasma, and Hades malware families—is currently targeting the npm ecosystems of LeoPlatform and RStreams. This campaign has evolved beyond simple registry poisoning, moving into high-impact source-repository compromises that target the very tools developers rely on daily.

The attack surface is broad and multi-layered. By blending registry poisoning with install-time execution via binding.gyp, leveraging Bun-staged JavaScript loaders, and abusing GitHub Actions, the threat actors have built an execution pattern designed to harvest sensitive developer and CI/CD secrets while propagating laterally across registries and repositories.

Technical Breakdown: The “Phantom Gyp” Vector

The primary infection vector observed in the LeoPlatform wave is a technique we refer to as the “Phantom Gyp” pattern. Unlike traditional malicious packages that use highly visible preinstall or postinstall scripts in their package.json, these packages omit those hooks to evade basic static analysis. Instead, they include a binding.gyp file. Because npm falls back to running node-gyp rebuild for any package that ships a binding.gyp without declaring its own install script, node-gyp is invoked automatically during installation to compile native addons, and the attacker can use this window to trigger gyp’s shell command expansion and achieve arbitrary code execution.

Once the installation is triggered, the package’s index.js is replaced by a minimalist, multi-stage loader. This loader employs several layers of obfuscation to hinder forensic analysis:

  • ROT-style shifting: A simple character rotation to mask the first-stage loader.
  • AES-GCM Decryption: Authenticated decryption of embedded, encrypted payload blobs, so the later stages never appear in plaintext in the package.
  • Runtime Reconstruction: Utilizing javascript-obfuscator patterns to rebuild the malicious logic in memory.

Interestingly, the malware looks for the Bun runtime. If Bun is missing, the loader attempts to fetch or install it, subsequently executing the main payload via bun run. This is a strategic move: many existing Node.js security hooks and runtime protections have significantly weaker coverage when execution shifts to the Bun runtime.
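The following scanner is an added example, not code from the Socket report or from any of the packages it names. It walks an installed node_modules tree and applies the heuristic the section above implies: a package that ships a binding.gyp while declaring no install hooks, and whose gyp file relies on gyp’s command expansion (`<!( … )` or `<!@( … )`, which node-gyp evaluates by running a shell command at configure time) without listing any native sources to compile, deserves a human look. The two demo packages (demo-real-addon, demo-phantom) and their files are constructed for the demo and are not real npm packages.

```python
"""Added example (not code from the Socket report or the packages it names):
heuristic scan of an installed node_modules tree for the "Phantom Gyp" shape.
Package names and files below are constructed for the demo."""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# gyp's command-expansion syntax; node-gyp runs the command at configure time
GYP_COMMAND_EXPANSION = re.compile(r"<!@?\(")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
NATIVE_SOURCE_GLOBS = ("*.c", "*.cc", "*.cpp", "*.cxx")


def assess_package(pkg_dir: Path) -> Optional[Dict]:
    """Return findings for one package directory, or None if it has no binding.gyp."""
    gyp = pkg_dir / "binding.gyp"
    if not gyp.is_file():
        return None
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text())
    except (OSError, ValueError):
        manifest = {}
    scripts = manifest.get("scripts", {}) or {}
    gyp_text = gyp.read_text(errors="replace")
    findings = {
        "package": manifest.get("name", pkg_dir.name),
        "version": manifest.get("version", "?"),
        # no hooks at all is exactly what makes npm fall back to node-gyp rebuild
        "declares_install_hook": any(k in scripts for k in INSTALL_HOOKS),
        "uses_command_expansion": bool(GYP_COMMAND_EXPANSION.search(gyp_text)),
        "has_native_sources": any(
            any(pkg_dir.rglob(pattern)) for pattern in NATIVE_SOURCE_GLOBS
        ),
    }
    # Command expansion alone is noisy (legitimate addons use it to locate headers);
    # expansion with nothing to compile is the combination worth a human look.
    findings["suspicious"] = (
        findings["uses_command_expansion"] and not findings["has_native_sources"]
    )
    return findings


def scan_node_modules(root: Path) -> List[Dict]:
    """Walk node_modules and assess every package that carries a binding.gyp."""
    results = []
    for gyp in root.rglob("binding.gyp"):
        found = assess_package(gyp.parent)
        if found is not None:
            results.append(found)
    return sorted(results, key=lambda f: f["package"])


def build_demo_tree() -> Path:
    """Constructed sample tree: one ordinary native addon and one package with
    the Phantom Gyp shape. Neither is a real npm package."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    good = root / "demo-real-addon"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps({"name": "demo-real-addon", "version": "1.0.0"}))
    (good / "binding.gyp").write_text(json.dumps(
        {"targets": [{"target_name": "addon", "sources": ["addon.cc"]}]}))
    (good / "addon.cc").write_text("// placeholder native source\n")

    odd = root / "demo-phantom"
    odd.mkdir()
    (odd / "package.json").write_text(json.dumps(
        {"name": "demo-phantom", "version": "0.0.1", "main": "index.js"}))
    # A harmless expansion stands in for whatever a real sample would run:
    # node-gyp evaluates it during `node-gyp rebuild` even though nothing is compiled.
    (odd / "binding.gyp").write_text(json.dumps(
        {"targets": [{"target_name": "noop", "include_dirs": ["<!(echo probe)"]}]}))
    (odd / "index.js").write_text("module.exports = {};\n")
    return root


if __name__ == "__main__":
    for f in scan_node_modules(build_demo_tree()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['package']}@{f['version']} hooks={f['declares_install_hook']} "
              f"expansion={f['uses_command_expansion']} sources={f['has_native_sources']}")
```

Run it against a real checkout with scan_node_modules(Path("node_modules")). The combined condition is deliberate: many legitimate addons use `<!(node -e …)` to locate header directories, so command expansion on its own produces false positives, whereas a gyp file that runs a command and compiles nothing has no benign reason to exist.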

Socket’s research links a rapid burst of activity on June 24, 2026, to an operational cluster previously known for targeting PyPI and bioinformatics research projects.

Figure: Socket AI Scanner’s analysis of leo-aws@2.0.4, a malicious package identified in the current wave.

Credential Harvesting and Evasion

Once the Miasma/Hades payload is active, it begins an aggressive search for high-value credentials. The malware scans for:

  • Cloud & Infrastructure: AWS, Azure, and GCP credentials; Docker and Kubernetes configurations; and HashiCorp Vault data.
  • Development Secrets: .env files, npm/PyPI tokens, GitHub tokens, and SSH keys.
  • Communication & Workflow: Slack and Twilio tokens, shell histories, and CI/CD secrets.
  • IDE & AI Tools: Configuration files for IDEs and AI-driven coding assistants.

To maintain stealth, the malware performs environmental awareness checks. It probes for the presence of EDR and endpoint security tooling—including CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black, osquery, Tanium, and Qualys—and employs locale-based guards to avoid executing in known forensic or sandbox environments.

Exfiltration is handled with extreme stealth. Instead of traditional outbound connections to suspicious IPs, the attackers use a “dead-drop” approach via the GitHub API. By creating repositories or uploading artifacts, they use commit messages and repo content as covert retrieval channels—a tactic seen previously in the RevokeAndItGoesKaboom campaign.

The Shai-Hulud Worm: GitHub Actions & IDE Weaponization

GitHub Actions are not just a target; they are a propagation mechanism. The malware specifically hunts for workflows responsible for publishing packages, attempting to siphon runner-scoped secrets directly from memory or the environment. Attackers have even pushed “poison” branches (e.g., snapshot-*) and fake Dependabot-like workflows containing large, obfuscated _index.js payloads to ensure persistence.

Figure: Execution flow showing the shared binding.gyp payload pattern.

One particularly deceptive tactic involves using the name “Run Copilot” for GitHub Actions that actually exfiltrate secrets into uploaded artifacts. This tradecraft mirrors the codfish/semantic-release-action compromise, where attackers exploited mutable tags and Bun-run obfuscation to escalate impact.

The threat is not limited to Node.js. In the Verana Blockchain project, a Go module compromise was identified where payloads were hidden in a .claude folder. Here, the malware weaponizes developer workflows by using a VS Code “folder-open” task to invoke node .claude/setup.mjs, targeting the intersection of package ecosystems and AI coding assistants.

Mitigation and Response Strategy

If your environment has interacted with the affected packages, you must treat the entire system as compromised. We recommend the following immediate actions:

  1. Forensic Preservation: Do not simply wipe machines; preserve logs and memory for analysis.
  2. Identity Rotation: Rotate all exposed credentials (AWS, GitHub, npm, etc.) from a known-clean host.
  3. Environment Rebuild: Identify all impacted developer machines and CI runners, then rebuild them from known-good lockfiles.
  4. Repository Audit: Scrutinize your repos for injected workflows, unexpected .github/setup.js files, orphan branches, or unusual Bun usage.
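The audit script below is an added example, not code from the Socket report. It implements the repository checks from step 4 together with the indicators described in the GitHub Actions and IDE sections: workflow files that invoke Bun or carry a “Run Copilot” step, an unexpected .github/setup.js, oversized _index.js blobs, a .claude/setup.mjs entry point, VS Code tasks configured to run on folder open, and snapshot-* branches. The size threshold, the regular expressions and the contents of the demo checkout are assumptions constructed for illustration; it uses only the Python standard library, so it runs on a bare CI runner or a forensic workstation.

```python
"""Added example (not code from the Socket report): stdlib-only audit of a
repository checkout for the indicators named in the report. The threshold and
the demo repository contents are constructed assumptions."""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

BUN_USAGE = re.compile(r"\b(bunx?|oven-sh/setup-bun)\b")
RUN_COPILOT = re.compile(r"run copilot", re.IGNORECASE)
FOLDER_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')
SNAPSHOT_BRANCH = re.compile(r"^(origin/)?snapshot-")
LARGE_BLOB_BYTES = 50_000  # assumed cut-off for "large obfuscated" loader files
UNEXPECTED_ENTRYPOINTS = (".github/setup.js", ".claude/setup.mjs")


def audit_workflows(repo: Path) -> List[Dict]:
    """Flag workflow files that run Bun or contain a "Run Copilot" step."""
    findings = []
    wf_dir = repo / ".github" / "workflows"
    if not wf_dir.is_dir():
        return findings
    for wf in sorted(wf_dir.glob("*.y*ml")):  # .yml and .yaml
        text = wf.read_text(errors="replace")
        rel = str(wf.relative_to(repo))
        if BUN_USAGE.search(text):
            findings.append({"check": "bun-in-workflow", "path": rel})
        if RUN_COPILOT.search(text):
            findings.append({"check": "run-copilot-step", "path": rel})
    return findings


def audit_files(repo: Path) -> List[Dict]:
    """Flag unexpected entry points, oversized _index.js files and folder-open tasks."""
    findings = []
    for rel in UNEXPECTED_ENTRYPOINTS:
        if (repo / rel).is_file():
            findings.append({"check": "unexpected-entrypoint", "path": rel})
    for blob in repo.rglob("_index.js"):
        if blob.stat().st_size >= LARGE_BLOB_BYTES:
            findings.append({"check": "large-_index.js", "path": str(blob.relative_to(repo))})
    tasks = repo / ".vscode" / "tasks.json"
    if tasks.is_file():
        text = tasks.read_text(errors="replace")
        try:  # tasks.json is often JSON-with-comments, so fall back to a textual match
            hits = [t for t in json.loads(text).get("tasks", [])
                    if t.get("runOptions", {}).get("runOn") == "folderOpen"]
            commands = [t.get("command", "") for t in hits]
        except ValueError:
            commands = ["<unparsed>"] if FOLDER_OPEN.search(text) else []
        for cmd in commands:
            findings.append({"check": "folder-open-task", "path": ".vscode/tasks.json",
                             "detail": cmd})
    return findings


def audit_branches(branch_names: List[str]) -> List[Dict]:
    """branch_names: lines from `git branch -r --format='%(refname:short)'`."""
    return [{"check": "snapshot-branch", "path": b.strip()}
            for b in branch_names if SNAPSHOT_BRANCH.match(b.strip())]


def audit_repo(repo: Path) -> List[Dict]:
    """File-system checks for one checkout, sorted for stable reporting."""
    return sorted(audit_workflows(repo) + audit_files(repo),
                  key=lambda f: (f["check"], f["path"]))


def build_demo_repo() -> Path:
    """Constructed checkout mirroring the report's description; nothing here is real."""
    repo = Path(tempfile.mkdtemp())
    (repo / ".github" / "workflows").mkdir(parents=True)
    (repo / ".github" / "workflows" / "ci.yml").write_text(
        "name: ci\non: push\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - uses: actions/checkout@v4\n      - run: npm test\n")
    (repo / ".github" / "workflows" / "publish.yml").write_text(
        "name: publish\non: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - uses: actions/checkout@v4\n"
        "      - name: Run Copilot\n        run: bun run .github/setup.js\n")
    (repo / ".github" / "setup.js").write_text("// placeholder\n")
    (repo / ".claude").mkdir()
    (repo / ".claude" / "setup.mjs").write_text("// placeholder\n")
    (repo / ".vscode").mkdir()
    (repo / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "init", "type": "shell", "command": "node .claude/setup.mjs",
         "runOptions": {"runOn": "folderOpen"}}]}))
    (repo / "_index.js").write_text("x" * (LARGE_BLOB_BYTES + 1))
    return repo


if __name__ == "__main__":
    demo = build_demo_repo()
    for f in audit_repo(demo) + audit_branches(["origin/main", "origin/snapshot-demo"]):
        print(f"{f['check']:22} {f['path']} {f.get('detail', '')}")
```

Point audit_repo at a fresh clone made from a clean host rather than at a developer machine that may already have been tampered with, and feed audit_branches the remote branch list so orphan snapshot-* branches that were never pulled locally are still seen. A flagged workflow is a lead, not a verdict: legitimate projects do use Bun, so the value is in comparing the hit against the workflow’s git history and the identity that pushed it.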

For ongoing monitoring, you can follow the Socket tracking page for real-time updates on artifacts and related waves.

Indicators of Compromise (IoC)

Package / Item                         File / Path     SHA-256 Hash
Confirmed LeoPlatform/RStreams set     binding.gyp     32d1bc728d8e504952083a6adc488c309a401c7df4dc8f47b382ce32e4aebe21
[email protected]                    index.js        57ba86f6f0caaa580c1dccdf4ed7873d1470e5ea2f8e9ca7a989dc04899f13c0
[email protected]                    package.json    4a0aa78757958683155a7b9289427fb829abcad1bf5ee6399eb73e8409b0bc11
[email protected]                    index.js        026588d39b7c650b5c0dfbba6c6fcc0e7ec8e3b72ba8639012e7f71c708f2c3b
[email protected]                    index.js        df9ea0c71574e11c93141ad2f018a63a5375cd6d69ca2f744732ad7814170657
[email protected]                    index.js        1a3b9ed0b377f56f49b9a703612cf45e86ab7d100587e1e7a476d809fe337a8c
[email protected]                    npm tarball     f565988f281bf77bcad26ea7f543617e53da4b62f5df63d4f7a89bae1729cf81
[email protected]                    npm tarball     a934a5bcf692b9d01e8129bf264be23809dfee464df471d75a9f3fa1bcede343
[email protected]                    npm tarball     f7c47be306351ffacd46584d2067f7be676dbfe17cd89ab4880632decfe18f3d
[email protected]                    npm tarball     3da2ca129c9920d9acd2e3477aee8f46b5a5f0e9537ad6e7b6ab1df1007adad1
