saas · TheHackerNews
Cybersecurity researchers have identified a new wave of supply chain attacks targeting npm packages and GitHub Actions, attributed to the Mini Shai-Hulud/Miasma/Hades malware family. The campaign compromised multiple npm packages associated with LeoPlatform and RStreams, as well as a Go module belonging to Verana Blockchain. According to reports from Socket, StepSecurity, Endor Labs, and JFrog, the attackers harvested developer credentials—likely through a breached npm account ("czirker")—to push malicious package versions. The malware uses binding.gyp files to execute code at install time, downloads the Bun runtime, and deploys JavaScript-based stealers that harvest secrets, tokens, and credentials. Stolen data is exfiltrated to public GitHub repositories via dead-drop infrastructure, and the campaign also abuses GitHub Actions workflows to capture CI/CD environment secrets.
For SaaS companies and startups managing open-source dependencies, this attack reinforces the criticality of supply chain risk under SOC2 audit scope (particularly in change management and incident response controls). Defense contractors handling CUI and subject to CMMC compliance should audit their software composition and ensure dependency verification processes are in place. All regulated entities relying on GitHub Actions and npm packages should review credential management practices and implement detection for suspicious workflow additions or unusual GitHub token exfiltration patterns. An Omniware engagement can help map these risks to your compliance posture and design controls to detect compromised dependencies before they reach production systems.
Source: TheHackerNews - https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html
Source: TheHackerNews
All briefings