Cybersecurity researchers are tracking a rapidly evolving supply chain attack campaign tied to the Mini Shai-Hulud, Miasma, and Hades malware family — one that has now compromised hundreds of npm packages, abused GitHub Actions workflows to publish trojanized packages with legitimate provenance attestations, and expanded its reach into the Go ecosystem. As of June 26, 2026, security firm Socket is tracking 448 affected artifacts across npm and PyPI, with the campaign operating continuously since June 1, pivoting delivery mechanisms every 48 to 72 hours.
Campaign Evolution: From Dune to Greek Mythology
The campaign began in April 2026 with two waves carrying Dune-themed naming — "Shai-Hulud: The Third Coming" (April 22) and "Mini Shai-Hulud" (April 29). By May, the threat group TeamPCP — tracked by Mandiant as UNC6780 — launched additional waves that compromised 323 npm packages in the @antv namespace on May 19.
The pivot to Greek mythology arrived in June. Attackers — now possibly including copy-cat actors following the public release of the full worm source code under an MIT license on May 12 — rebranded with repository descriptions reading "Miasma: The Spreading Blight" and "Hades - The End for the Damned." The source code release is a significant inflection point: what was once a private actor capability became reusable public attack infrastructure overnight, complicating attribution for subsequent waves.
The Latest Wave: Compromised Accounts and Trusted Pipelines
The June 1 wave exploited a compromised Red Hat employee GitHub account to push malicious orphan commits across multiple @redhat-cloud-services npm namespace packages. The attacker triggered GitHub Actions workflows to request OpenID Connect (OIDC) tokens, which were then used to publish trojanized npm packages bearing valid SLSA provenance attestations — effectively laundering malicious packages through trusted supply chain verification infrastructure.
Between June 5 and 7, the campaign crossed into enterprise territory. A recompromised contributor account pushed a malicious commit into Microsoft's Azure/durabletask GitHub repository, planting configuration files designed to execute a credential-harvesting payload the moment a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code. GitHub's automated enforcement responded by disabling 73 repositories across four Microsoft GitHub organizations in a 105-second sweep — including Azure/functions-action, the official GitHub Action for deploying Azure Functions, which went dark and broke CI/CD pipelines globally.
The most recent wave of malicious npm releases was published in a tight window on June 24, 2026, targeting LeoPlatform and RStreams packages tied to cloud-native and serverless workloads.
"Phantom Gyp": Bypassing Install-Script Security Checks
The current wave employs a novel evasion technique dubbed "Phantom Gyp" by StepSecurity researchers. Rather than using preinstall or postinstall lifecycle hooks — which security tools actively monitor — the attacker abuses a 157-byte binding.gyp file to trigger code execution during npm install. The file causes node-gyp rebuild to run, a legitimate build tool for compiling native Node.js add-ons. By hiding malicious commands inside the binding.gyp configuration rather than package lifecycle scripts, the attack bypasses most install-script security checks entirely.
The execution chain continues with Bun-staged malware: if Bun is not present on the system, the malware attempts to download it and runs the main payload via bun run. This exploits the fact that many Node.js security hooks and runtime controls do not inspect Bun execution with the same depth as Node itself.
The payload itself layers obfuscation:
- A Caesar-style letter shift with immediate
eval()execution - Decryption of embedded AES-GCM payloads
- JavaScript-obfuscator-style string hiding with lookup tables
Credential Exfiltration via GitHub Dead-Drops
The exfiltration infrastructure traces to the GitHub account liuende501, which hosts 236 repositories used as credential dead-drops. The malware creates a new repository on the fly (e.g., nemean-hydra-34343) and uploads stolen credentials as encrypted JSON files to a results/ directory. Critically, Miasma generates a uniquely encrypted payload for each individual infection, making traditional hash-based IOCs functionally useless across the campaign — the file signature changes with every package version.
The Hades variant, identified by Endor Labs and OX Security, adds C2 polling: the malware checks GitHub every hour for commits matching the string "firedalazer" to retrieve and execute updated payloads.
Expansion to the Go Ecosystem
The campaign's reach beyond npm is confirmed through the Verana Blockchain Go module compromise, which employs the same Miasma execution pattern without relying on native Go module resolution or build logic. As of June 19, a follow-up hunt identified 1,614 exfiltration repositories across 21 compromised GitHub accounts — a significant expansion of the campaign's credential-harvesting infrastructure.
Impact and Scale
| Metric | Count |
|---|---|
| Affected npm artifacts tracked by Socket | 411 (across 106 packages) |
| New PyPI wheels | 37 |
| Total artifacts tracked | 448 |
| Microsoft GitHub repos disabled | 73 |
| Exfiltration repos (June 19 hunt) | 1,614 |
| Compromised GitHub accounts (June 19) | 21 |
As JFrog noted, the LeoPlatform and RStreams package sets are tied to cloud-native and serverless workloads: "A compromise here can expose developer workstations, CI/CD systems, AWS-backed applications, GitHub repositories, package publishing credentials, and downstream package consumers."
Perhaps most concerning: the campaign has operated across multiple ecosystems with zero CVEs assigned for any artifact in the entire campaign. There is no patch to apply — only vigilance.
Recommended Mitigations
- Audit your
node_modulesfor the presence ofbinding.gypfiles in unexpected packages — particularly packages that do not require native compilation. - Review GitHub Actions workflows for unexpected OIDC token requests or permissions not explicitly required.
- Enable npm package provenance verification, but understand that Miasma has demonstrated the ability to bypass SLSA provenance through compromised publisher accounts.
- Monitor for Bun execution in CI/CD environments where Bun is not an expected runtime.
- Check for IoCs: search GitHub Activity logs for references to
liuende501or repository patterns likenemean-hydra-*. - Use StepSecurity Harden-Runner or similar tools to detect anomalous outbound network connections from GitHub Actions workflows.
- Pin GitHub Actions to commit SHAs rather than mutable tags to prevent hijacked action execution (e.g.,
uses: Azure/functions-action@<sha>instead of@v1).