- The Mini Shai-Hulud malware campaign has evolved, compromising new npm packages and now spreading to the Go ecosystem.
- Over 20 npm packages and the Verana Blockchain Go module were infected to steal developer credentials and tokens.
- The attackers used breached maintainer accounts to push malicious updates and propagate via GitHub Actions and dead-drop repositories.
- Malicious code executes during installation, harvesting secrets and attempting to backdoor additional repositories with stolen access.
A sophisticated supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware families has compromised a new wave of npm packages and spread to the Go ecosystem. Cybersecurity researchers at Socket reported that LeoPlatform and RStreams npm packages, as well as the Verana Blockchain Go module, were targeted. The campaign’s ultimate goal remains harvesting developer credentials to weaponize trusted workflows and spread further.
A compromised npm developer account likely allowed the attackers to push trojanized versions of 23 listed packages within seconds. The malware uses a binding.gyp file to execute code during installation, launching a JavaScript loader that downloads the Bun runtime. This payload then steals secrets, credentials, and tokens from the infected environment.
The attackers also abused GitHub Actions, creating a workflow named “Run Copilot” to capture CI/CD secrets. Stolen data is uploaded to public GitHub repositories with the description “Alright Lets See If This Works”, of which there are now 559. Furthermore, StepSecurity said the campaign compromised the “codfish/semantic-release-action” GitHub Action, using a similar token relay marker.
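The two install-time mechanisms described above (a binding.gyp whose build "actions" launch a script, and a GitHub Actions workflow carrying the reported "Run Copilot" name) can both be checked for locally before a dependency or workflow is trusted. The following is an added defensive example written for this article, not code from Socket, StepSecurity or any of the affected projects; the binding.gyp and workflow contents are constructed samples in the style the article describes, and the list of risky executables is the author's own heuristic.

```python
import ast
import json
import re
from pathlib import Path

# Constructed sample binding.gyp: a "none"-type target whose only purpose is an
# action that runs a JavaScript loader at install time (hypothetical, not the real file).
SUSPICIOUS_GYP = """{
  'targets': [
    {
      'target_name': 'setup',
      'type': 'none',
      'actions': [
        {
          'action_name': 'preinstall',
          'inputs': [],
          'outputs': ['build/done'],
          'action': ['node', 'lib/loader.js'],
        },
      ],
    },
  ],
}
"""

# Constructed benign binding.gyp: compiles a native addon and runs nothing.
BENIGN_GYP = """{
  'targets': [
    {
      'target_name': 'addon',
      'sources': ['src/addon.cc'],
    },
  ],
}
"""

# Constructed workflow excerpt carrying the name the article reports as a marker.
SAMPLE_WORKFLOW = """name: Run Copilot
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo placeholder
"""

# Interpreters and downloaders that a native build step rarely needs (assumed heuristic).
RISKY_EXECUTABLES = {"node", "bun", "sh", "bash", "curl", "wget", "python", "powershell"}
KNOWN_WORKFLOW_MARKERS = {"Run Copilot"}  # from the article


def parse_gyp(text):
    """binding.gyp is Python-literal syntax (single quotes, trailing commas); fall back to JSON."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return json.loads(text)


def find_risky_actions(gyp_text):
    """Return (target_name, action_name, command) for each action that runs a risky executable."""
    findings = []
    for target in parse_gyp(gyp_text).get("targets", []):
        for action in target.get("actions", []):
            cmd = action.get("action", [])
            if cmd and cmd[0].rsplit("/", 1)[-1] in RISKY_EXECUTABLES:
                findings.append((target.get("target_name"), action.get("action_name"), " ".join(cmd)))
    return findings


def scan_node_modules(root):
    """Walk a dependency tree and collect risky binding.gyp actions per package file."""
    results = {}
    for gyp_path in Path(root).rglob("binding.gyp"):
        hits = find_risky_actions(gyp_path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(gyp_path)] = hits
    return results


def workflow_name(yaml_text):
    """Top-level workflow name without a YAML dependency: the first unindented 'name:' line."""
    m = re.search(r"^name:\s*['\"]?(.+?)['\"]?\s*$", yaml_text, re.MULTILINE)
    return m.group(1) if m else None


def workflow_matches_marker(yaml_text):
    """True when the workflow's name is one of the reported campaign markers."""
    return workflow_name(yaml_text) in KNOWN_WORKFLOW_MARKERS


if __name__ == "__main__":
    print("suspicious:", find_risky_actions(SUSPICIOUS_GYP))
    print("benign:", find_risky_actions(BENIGN_GYP))
    print("workflow marker:", workflow_matches_marker(SAMPLE_WORKFLOW))
    print("tree scan:", scan_node_modules("node_modules"))
```

A binding.gyp that only compiles sources produces no findings, while one whose action list starts with an interpreter is surfaced with the exact command so a reviewer can inspect the referenced loader; `scan_node_modules` applies the same check across an installed tree, and `workflow_matches_marker` is meant to run over `.github/workflows/*.yml` in repositories the compromised accounts could reach.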
The attack pattern indicates a persistent operational cluster, as noted by Endor Labs and OX Security. JFrog highlighted that the payload isn’t radically new but continues to evolve its indicators. This expansion into the Go ecosystem shows the campaign is targeting developer workflows across multiple platforms.
