Security researchers are tracking an expanded version of the Miasma supply chain attack, a malware family linked to earlier Mini Shai-Hulud and Hades campaigns that continues to target software developers and open-source ecosystems. According to Socket, the latest operation compromised numerous npm packages tied to the LeoPlatform and RStreams projects while also extending into GitHub Actions workflows and a Go module associated with the Verana Blockchain project.
The attackers’ objective remains consistent: steal developer credentials, API tokens, CI/CD secrets, and repository access to compromise additional software projects. Researchers believe the campaign began with the takeover of a legitimate npm maintainer account, allowing malicious package versions to be published using trusted credentials. Once installed, the poisoned packages execute hidden code that downloads additional malware, harvests sensitive information, and establishes persistence within developer environments.
Beyond compromising local workstations, the malware specifically targets software delivery pipelines. It deploys malicious GitHub Actions workflows to extract secrets from CI/CD runners, steals GitHub authentication tokens, and attempts to propagate itself into other repositories accessible with compromised credentials. Investigators also linked the campaign to the recent compromise of the widely used codfish/semantic-release-action, where attackers redirected version tags to malicious code capable of harvesting GitHub OIDC tokens and personal access tokens before encrypting and exfiltrating the data.
Researchers note that the campaign is evolving beyond traditional package-manager attacks by targeting the broader developer workflow itself. The latest variants can execute through project configuration files, integrated development environments (IDEs), AI coding assistants, and cloned source repositories, reducing reliance on conventional installation hooks. This cross-platform approach enables attackers to move between npm, GitHub, and Go ecosystems while continuously modifying indicators to evade existing detections.
The discovery highlights the growing sophistication of software supply chain attacks, where trusted development infrastructure has become the primary target. Security experts recommend strengthening package verification, closely monitoring CI/CD pipelines, enforcing least-privilege access for automation tokens, and auditing third-party dependencies before integrating them into production environments.
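The tag-redirection technique described above, and the package-verification advice in this paragraph, both come down to the same pipeline check: third-party actions referenced by a mutable tag can be silently swapped for malicious code, while a full commit SHA cannot. The script below is an added example for this article, not code from Socket or any project named here; the workflow text it scans is constructed, and the SHA in it is a placeholder.

```python
import re

# Constructed sample workflow (not from the article). Two steps reference actions
# by mutable tag, the pattern an attacker abuses by moving the tag; one step is
# pinned to a full commit SHA (placeholder value) and one is a local action.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: codfish/semantic-release-action@v3
        with:
          branches: main
      - uses: ./.github/actions/local-step
"""

# Matches the value of any `uses:` key, stopping at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full 40-hex commit SHA is the only reference GitHub will not let a tag push move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> list[str]:
    """Return every remote action reference that is not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped. A reference with no
    '@' at all is reported too, since it resolves to the action's default branch.
    """
    unpinned = []
    for raw in USES_RE.findall(workflow_text):
        ref = raw.strip("\"'")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            unpinned.append(ref)
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


if __name__ == "__main__":
    # Fails the build if any third-party action can be redirected via its tag.
    for ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned action reference: {ref}")
```

Run it over every file under `.github/workflows/` as a CI step; any output means a dependency the pipeline trusts can be changed without a change in your repository.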
