BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

New Malware Wave Hits npm, Go Ecosystems

Sophisticated Mini Shai-Hulud supply chain attack expands from npm to Go ecosystem.

  • The Mini Shai-Hulud malware campaign has evolved, compromising new npm packages and now spreading to the Go ecosystem.
  • Over 20 npm packages and the Verana Blockchain Go module were infected to steal developer credentials and tokens.
  • The attackers used breached maintainer accounts to push malicious updates and propagate via GitHub Actions and dead-drop repositories.
  • Malicious code executes during installation, harvesting secrets and attempting to backdoor additional repositories with stolen access.

A sophisticated supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware families has compromised a new wave of npm packages and spread to the Go ecosystem. Cybersecurity researchers at Socket reported that LeoPlatform and RStreams npm packages, as well as the Verana Blockchain Go module, were targeted. The campaign’s ultimate goal remains harvesting developer credentials to weaponize trusted workflows and spread further.

- Advertisement -

Consequently, a compromised npm developer account likely allowed the attackers to push trojanized versions of 23 listed packages within seconds. The malware uses a binding.gyp file to execute code during installation, launching a JavaScript loader that downloads the Bun runtime. This payload then steals secrets, credentials, and tokens from the infected environment.

Meanwhile, the attackers also abused GitHub Actions, creating a workflow named “Run Copilot” to capture CI/CD secrets. Stolen data is uploaded to public GitHub repositories with the description “Alright Lets See If This Works”, of which there are now 559. Furthermore, StepSecurity said the campaign compromised the “codfish/semantic-release-action” GitHub Action, using a similar token relay marker.

The attack pattern indicates a persistent operational cluster, as noted by Endor Labs and OX Security. JFrog highlighted that the payload isn’t radically new but continues to evolve its indicators. This expansion into the Go ecosystem shows the campaign is targeting developer workflows across multiple platforms.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

- Advertisement -

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

EU adds 14 crypto firms to MiCA register in latest update

European authorities added 14 crypto companies to the MiCA framework register in the second...

CISA Adds Critical Microsoft SharePoint Flaw CVE-2026-58644 to KEV Catalog

CISA added a critical Microsoft SharePoint Server vulnerability, CVE-2026-58644, to its Known Exploited Vulnerabilities...

Bitcoin Bears Strike Again: BTC Rejected at $64k

Bitcoin (BTC) faced another rejection at the $64,000 resistance level, falling 1.7% in the...

Black: SpaceX acquiring Tesla would dilute shareholders 25%

Gary Black rejected speculation that SpaceX could acquire Tesla, warning such a deal could...

Bybit launches Indonesia platform after acquiring NOBI

Bybit launched a locally operated platform in Indonesia after acquiring a majority stake in...

Must Read

9 Best Trading Platforms for Crypto Beginners

Many newcomers to the crypto space are looking for platforms to buy, sell and exchange cryptocurrencies. While there are hundreds of crypto exchanges around...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading