Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages
Miasma Mini Shai-Hulud supply chain campaign compromises 22 ImmobiliareLabs Backstage npm packages on June 26, 2026.
Summary
The Miasma Mini Shai-Hulud supply chain campaign expanded to compromise legitimate npm packages under the @immobiliarelabs scope, including Backstage plugins for GitLab integration and LDAP authentication. The attack followed the pattern of prior waves: compromising maintainer infrastructure, publishing malicious package versions with hidden JavaScript payloads, and stealing developer and CI/CD secrets. The campaign exploits a GitHub Actions privilege escalation via deployment-triggered workflows and a compromised third-party action (codfish/semantic-release-action) to gain access to npm publishing credentials.
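A defender-side audit for the workflow conditions the summary names, added here as an example and not taken from the Socket write-up or any affected project. It flags deployment-triggered workflows and third-party actions referenced by a mutable tag or branch instead of a full commit SHA. The sample workflow, the watchlist structure and the function names are assumptions made for illustration.

```python
import re

# Constructed sample workflow; the 40-character SHA is a made-up placeholder.
SAMPLE_WORKFLOW = """\
on:
  deployment:
  push:
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: codfish/semantic-release-action@v3
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
RISKY_TRIGGERS = {"deployment", "deployment_status"}  # GitHub event names
WATCHLIST = {"codfish/semantic-release-action"}  # action named in the summary

def triggers(text):
    """Return the risky event names found in the top-level `on:` block."""
    found, in_on = set(), False
    for line in text.splitlines():
        m = re.match(r"^['\"]?on['\"]?\s*:(.*)$", line)
        if m:
            in_on, line = True, m.group(1)
        elif in_on and line.strip() and not line[0].isspace():
            in_on = False  # next top-level key closes the `on:` block
        if in_on:
            found.update(re.findall(r"[a-z_]+", line.split("#")[0]))
    return found & RISKY_TRIGGERS

def audit(text):
    """Return (risky_triggers, findings) for the text of one workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local and container actions are out of scope here
        action, _, ref = m.group(1).partition("@")
        if "/".join(action.split("/")[:2]).lower() in WATCHLIST:
            findings.append((n, action, "watchlisted"))
        if not FULL_SHA_RE.match(ref):
            findings.append((n, action, "mutable ref"))
    return sorted(triggers(text)), findings
```

A watchlist hit is reported even when the reference is SHA-pinned, because this page does not say which revisions of the action were affected; treat it as a prompt for manual review of that workflow's access to npm publishing credentials.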
Full text
Security News/Research
Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem
Mini Shai-Hulud expands into the Go ecosystem after hitting LeoPlatform npm packages and targeting GitHub Actions workflows.
By Socket Research Team - Jun 25, 2026
Indicators of Compromise
- hash_sha256 — dfcdec5f43cc8d127084a2ac4d66499f13bae7f49167e3291a6f1a70738772d1
- hash_sha256 — 1e7b04a9a4a25eb7928821a5519b0a40f7afe0f6042a6860c918b62d369096ed
- hash_sha256 — ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90
- malware — Miasma Mini Shai-Hulud
- malware — Phantom Gyp