Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem

Socket Threat Research is tracking a new supply chain attack wave tied to the Mini Shai-Hulud, Miasma, and Hades malware family, affecting LeoPlatform/RStreams npm packages, three llxlr-published npm packages, and the Verana Blockchain Go module. The campaign abuses npm poisoning, GitHub Actions, binding.gyp execution, Bun-staged payloads, and developer-tool hooks to steal secrets and spread across repositories and CI/CD workflows. #LeoPlatform #RStreams #VeranaBlockchain #MiniShaiHulud #Miasma #Hades #RevokeAndItGoesKaboom

Keypoints

  • Malicious npm releases hit LeoPlatform and RStreams packages in a tight burst on June 24, 2026.
  • Three additional malicious npm packages published by llxlr were also identified: hexo-deployer-wrangler, hexo-shoka-swiper, and prism-silq.
  • The campaign uses binding.gyp and node-gyp to trigger code execution during installation, even without obvious preinstall or postinstall scripts.
  • Payloads use ROT-style decoding, AES-GCM decryption, JavaScript obfuscation, and Bun-based staging to run the main malware.
  • The malware targets developer, CI/CD, cloud, and AI-tool credentials, including GitHub tokens, npm tokens, AWS, Azure, GCP, Vault, SSH keys, and Slack tokens.
  • GitHub Actions is a major focus, with secret theft, artifact uploads, repository poisoning, and workflow abuse, including the RevokeAndItGoesKaboom marker.
  • Socket also found the same family in a Verana Blockchain Go module/source archive, showing the campaign extends beyond npm into source-repository and IDE-triggered execution.
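As an added example (not code from the Socket report or from the affected projects), the following Python scanner walks an unpacked npm package or repository checkout and flags the install-time and IDE-triggered execution hooks the key points describe: a binding.gyp that uses gyp command expansion or that ships without any native sources to build, a .vscode/tasks.json task set to run on folder open, and a .claude/settings.json SessionStart hook. The finding tags and the treatment of unparseable (JSONC) configs are my own conventions; the gyp `<!(cmd)` syntax, the VS Code `runOptions.runOn` key and the Claude Code `hooks.SessionStart` key are real configuration.

```python
import json
import os
import re

# gyp's command expansion, <!(cmd) or <!@(cmd), runs a shell command while node-gyp
# configures the build, and npm runs node-gyp for any package that ships a binding.gyp.
GYP_CMD_EXPANSION = re.compile(r"<!@?\(")
NATIVE_EXT = (".c", ".cc", ".cpp", ".h", ".hpp")
HOOK_CONFIGS = {".vscode/tasks.json", ".claude/settings.json"}

def _check_hook_config(rel, full):
    """Tag a developer-tool config that auto-executes on folder open or session start."""
    try:
        with open(full, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        data = None
    if not isinstance(data, dict):
        return "unparseable-config"  # JSONC, damaged or unexpected shape: review by hand
    if rel == ".vscode/tasks.json":
        # runOn=folderOpen starts the task as soon as VS Code opens the folder
        for task in data.get("tasks") or []:
            if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                return "vscode-folder-open-task"
    elif rel == ".claude/settings.json" and "SessionStart" in (data.get("hooks") or {}):
        return "claude-sessionstart-hook"  # runs a command whenever a Claude Code session starts
    return None

def scan_package(root):
    """Walk an unpacked package or checkout; return sorted (tag, relative_path) findings."""
    findings, has_native, gyp_paths = set(), False, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            has_native = has_native or rel.endswith(NATIVE_EXT)
            if rel in HOOK_CONFIGS:
                tag = _check_hook_config(rel, full)
                if tag:
                    findings.add((tag, rel))
            if name == "binding.gyp":
                gyp_paths.append(rel)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if GYP_CMD_EXPANSION.search(fh.read()):
                        findings.add(("gyp-command-expansion", rel))
    # A binding.gyp in a package with no native sources to build has no legitimate job.
    if gyp_paths and not has_native:
        findings.update(("gyp-without-native-sources", p) for p in gyp_paths)
    return sorted(findings)
```

Run it against the extracted contents of a tarball (`npm pack` output) before installing, since npm will invoke node-gyp on install; a JSONC tasks.json is surfaced as unparseable rather than silently skipped.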

MITRE Techniques

  • [T1195.002] Compromise Software Supply Chain – The attackers poisoned npm packages and a Go module to distribute malicious payloads through trusted developer dependencies. (‘malicious npm releases’ and ‘source-repository compromise’)
  • [T1059.007] JavaScript – The payload is delivered as obfuscated JavaScript and executed through index.js, eval(), and Bun. (‘executes JavaScript during the build configuration phase’ and ‘immediate eval() execution’)
  • [T1055] Process Injection – No direct process injection is described in the article.
  • [T1059.006] Command and Scripting Interpreter: JavaScript – The malware uses JavaScript loaders and hooks to execute staged code. (‘a large one-line JavaScript loader’)
  • [T1106] Native API – The malicious binding.gyp leverages node-gyp and shell expansion to invoke commands during install/build steps. (‘npm automatically invokes node-gyp’ and ‘command expansion’)
  • [T1027] Obfuscated Files or Information – The payload uses Caesar-style shifts, AES-GCM-encrypted blobs, lookup tables, and string hiding. (‘JavaScript-obfuscator-style string hiding’ and ‘obfuscated payload’)
  • [T1027.009] Embedded Payloads – The malware decrypts embedded stages from within the loader. (‘decrypted AES-GCM payloads’)
  • [T1059.001] PowerShell – No PowerShell activity is described in the article.
  • [T1059.004] Unix Shell – The malware relies on shell expansion and command execution in the install path. (‘invokes a shell expansion’)
  • [T1105] Ingress Tool Transfer – The malware attempts to download or install Bun if it is missing. (‘attempts to download or install it’)
  • [T1021] Remote Services – The campaign abuses GitHub Actions, GitHub API behavior, and trusted developer workflows for spread and exfiltration. (‘GitHub Actions secret theft’ and ‘GitHub API behavior for staging and exfiltration’)
  • [T1078] Valid Accounts – Stolen GitHub, npm, cloud, and CI/CD credentials are used for further access and propagation. (‘Package registry credentials allow malicious republishes’)
  • [T1552] Unsecured Credentials – The payload collects secrets from .env files, tokens, SSH keys, cloud credentials, and CI secrets. (‘collects .env files, npm and PyPI tokens, GitHub tokens’)
  • [T1560] Archive Collected Data – The campaign uploads artifacts containing stolen secrets from GitHub Actions runs. (‘dumping GitHub Actions secrets into an uploaded artifact’)
  • [T1213] Data from Information Repositories – The malware searches repositories and GitHub commits for operational markers and dead-drop content. (‘GitHub commit search results’ and ‘dead-drop channel’)
  • [T1098] Account Manipulation – The attackers alter repositories, add workflows, poison branches, and plant persistence hooks. (‘it can alter repositories, add workflows, poison branches’)
  • [T1546] Event Triggered Execution – The malware uses folder-open tasks, Claude hooks, Cursor rules, and workflow hooks to trigger execution. (‘VS Code folder-open task’ and ‘Claude SessionStart hook’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The article does not describe Windows scheduled tasks, but it does mention workflow and folder-open execution triggers.
  • [T1611] Escape to Host – Not explicitly described.
  • [T1133] External Remote Services – The campaign targets cloud, CI/CD, and third-party service credentials such as AWS, Azure, GCP, Vault, Slack, and Twilio. (‘AWS credentials, Azure credentials, GCP credentials, Vault data’)

Indicators of Compromise

  • [Package names/version] Malicious npm packages published in the campaign – [email protected], [email protected], and 2 more packages
  • [Package names/version] Additional malicious packages published by llxlr – [email protected], [email protected], and 1 more package
  • [File names] Infected package and repository payloads – binding.gyp, _index.js, and other injected config files
  • [File names] AI/IDE persistence and execution hooks – .claude/setup.mjs, .github/setup.js, and other setup files
  • [File names] Developer-tool workflow artifacts – .vscode/tasks.json, .claude/settings.json, and .gemini/settings.json
  • [File names] Verana Blockchain source archive artifacts – verana-blockchain-v0.10.1-dev.20.zip, .claude/index.js, and .vscode/setup.mjs
  • [SHA-256 hashes] Confirmed LeoPlatform/RStreams artifacts – 32d1bc728d8e504952083a6adc488c309a401c7df4dc8f47b382ce32e4aebe21, 57ba86f6f0caaa580c1dccdf4ed7873d1470e5ea2f8e9ca7a989dc04899f13c0, and 4a0aa78757958683155a7b9289427fb829abcad1bf5ee6399eb73e8409b0bc11
  • [SHA-256 hashes] Verana Blockchain archive and payload hashes – b3e217f4354e8a4383038b99b0bcaeaff191a79df58e7a1f2355a79aac2faf13, 15b415ae41df72acf1f7e9e67569531d41dee62d089d34b4c0fab0c7fe5cc14f, and 6cb3fc3650355973b8a1ed86619a3f412fb0700f29c1c3a736cada4c2c76a9f7
  • [Campaign strings] Operational markers linked to the cluster – RevokeAndItGoesKaboom, Alright Lets See If This Works, and TheBeautifulSandsOfTime

Read more: https://socket.dev/blog/miasma-mini-shai-hulud-hits-leoplatform-npm-packages-go-ecosystem