Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages

Socket Threat Research reported a fresh Miasma Mini Shai-Hulud supply chain compromise that hit legitimate @immobiliarelabs Backstage npm packages, including GitLab integration and LDAP authentication plugins, with malicious releases published on June 26, 2026. The campaign uses hidden JavaScript payloads, Bun execution, and GitHub Actions abuse to steal developer and CI/CD secrets and spread through additional repositories and package releases.

Keypoints

  • Malicious npm versions were published under the @immobiliarelabs scope on June 26, 2026.
  • Affected packages include Backstage GitLab and LDAP plugins plus their backend variants.
  • The campaign is part of the ongoing Miasma Mini Shai-Hulud supply chain operation.
  • Attackers hid a root-level index.js loader and used Bun to run a staged payload.
  • The payload targets developer and CI/CD secrets such as GitHub, npm, cloud, SSH, Docker, and Vault credentials.
  • GitHub Actions deployment-triggered workflows are a suspected propagation path, with codfish/semantic-release-action as a possible upstream lead.
  • Socket observed related exfiltration repositories and warned that affected environments should be treated as compromised.

MITRE Techniques

  • [T1059.007] JavaScript – The malicious package uses a JavaScript loader to decrypt and execute a hidden payload (‘root index.js is a single-line Caesar-shift loader followed by AES-128-GCM decryption’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The campaign abuses GitHub Actions workflows as an execution trigger (‘injects malicious workflow steps’ and ‘deployment-triggered workflows’).
  • [T1552.001] Unsecured Credentials: Credentials in Files – The payload steals secrets from environment and config files (‘steals developer and CI/CD secrets: .env files’).
  • [T1552.004] Unsecured Credentials: Private Keys – It targets SSH keys and similar sensitive authentication material (‘SSH keys, Docker credentials, Kubernetes configs’).
  • [T1528] Steal Application Access Token – The payload targets npm, GitHub, and cloud tokens for reuse (‘npm/PyPI/GitHub/Slack/Twilio/AWS/Azure/GCP/Vault tokens’).
  • [T1195.002] Compromise Software Supply Chain: Compromise Software Dependencies and Development Tools – The attacker publishes trojanized npm packages in trusted maintainer scope (‘malicious npm releases published across … package families’).
  • [T1105] Ingress Tool Transfer – The malware downloads Bun if absent before executing the final stage (‘downloads if absent, and executes the final malware’).
  • [T1003] OS Credential Dumping – The campaign aims to collect multiple categories of credentials from infected environments (‘steals developer and CI/CD secrets’).

Indicators of Compromise

  • [Package names and versions] Malicious npm releases under @immobiliarelabs scope – @immobiliarelabs/[email protected], @immobiliarelabs/[email protected], and other affected versions listed in the article
  • [SHA-256 hashes] Affected tarballs and index.js payloads – dfcdec5f43cc8d127084a2ac4d66499f13bae7f49167e3291a6f1a70738772d1, a09909e8981e17712ef38b363f94553e2f86b6c2abd6c87eada94d3d3aab937e, and 2 more hashes
  • [SHA-256 hashes] Malicious root-level loader and shared build artifact – 8746d49834ad938eebeaffd380b6302c94ab0b3258268c1a8c7e57ee7d5c11e1, ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90
  • [Campaign marker] Obfuscated payload clustering string – thebeautifulsnadsoftime
  • [GitHub workflow/repo activity] Suspicious deployment-triggered release activity – immobiliare/backstage-plugin-gitlab, release.yml
  • [Third-party action] Possible upstream compromise path in release automation – codfish/semantic-release-action
  • [Timestamps] Publish window and workflow timing – June 26, 2026, including a 15:00 UTC deployment-triggered run
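
A triage sketch for the indicators above, added here as an example and not taken from Socket's tooling: it walks a checkout or build cache, finds every installed @immobiliarelabs package that carries a root-level index.js, and compares that file with the listed SHA-256 values and the campaign marker. It assumes the marker may be visible in the raw file bytes (it may only appear after decryption), so a file without a hit is reported as "review" rather than cleared; the function and field names are illustrative.

```python
import hashlib
import json
import os
import sys

# Values copied from the indicator list above.
KNOWN_SHA256 = frozenset({
    "dfcdec5f43cc8d127084a2ac4d66499f13bae7f49167e3291a6f1a70738772d1",
    "a09909e8981e17712ef38b363f94553e2f86b6c2abd6c87eada94d3d3aab937e",
    "8746d49834ad938eebeaffd380b6302c94ab0b3258268c1a8c7e57ee7d5c11e1",
    "ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90",
})
MARKER = b"thebeautifulsnadsoftime"  # assumption: may only be visible after decryption
SCOPE = "@immobiliarelabs"


def read_version(pkg_dir):
    """Best-effort version lookup; a missing or malformed manifest must not stop the scan."""
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            return str(json.load(fh).get("version", "unknown"))
    except (OSError, ValueError, AttributeError):
        return "unknown"


def scan(root, known=KNOWN_SHA256):
    """Report every installed SCOPE package that has a root-level index.js."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):  # also reaches nested node_modules
        parent = os.path.basename(os.path.dirname(dirpath))
        if os.path.basename(dirpath) != SCOPE or parent != "node_modules":
            continue
        for pkg in sorted(dirnames):
            pkg_dir = os.path.join(dirpath, pkg)
            loader = os.path.join(pkg_dir, "index.js")
            if not os.path.isfile(loader):
                continue
            with open(loader, "rb") as fh:
                data = fh.read()
            digest = hashlib.sha256(data).hexdigest()
            hits = [name for name, hit in
                    (("sha256", digest in known), ("marker", MARKER in data)) if hit]
            findings.append({"package": f"{SCOPE}/{pkg}", "version": read_version(pkg_dir),
                             "path": loader, "sha256": digest, "indicators": hits,
                             "verdict": "match" if hits else "review"})
    return findings


if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["verdict"], f["package"], f["version"], f["sha256"], f["path"])
```

The file is only read and hashed, never executed, so the scan can run on a host that is already being treated as compromised.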


Read more: https://socket.dev/blog/miasma-mini-shai-hulud-hits-immobiliarelabs-npm-packages