Weekly review

ThreatNoir Morning Brief — June 26

2026-06-26Morning4 articles
Audio
Listen to the episode

Morning Review in IT Security — June 26, 2026

The software supply chain faces mounting pressure as multiple attack vectors converge on developer ecosystems. Today's threat landscape reveals sophisticated campaigns exploiting npm package registries, browser extensions, telecommunications infrastructure, and hospitality sector workflows simultaneously. Organizations across all sectors must reassess their dependency management and authentication protocols in light of these emerging threats.

Miasma Mini Shai-Hulud Expands Supply Chain Attack Across npm, GitHub Actions, and Go Modules

Socket Threat Research is tracking a coordinated supply chain attack wave affecting LeoPlatform and RStreams npm packages, GitHub Actions workflows, and Go modules. Source: Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem

The campaign combines multiple attack techniques including npm registry poisoning, binding.gyp install-time execution, Bun-staged JavaScript malware, GitHub dead-drop infrastructure, and encrypted credential exfiltration. A rapid publish burst on June 24, 2026 delivered malicious versions of 23 npm packages including leo-auth, leo-aws, leo-sdk, leo-cli, and related data pipeline tools. The attack employs the "Phantom Gyp" execution pattern, where malicious binding.gyp files trigger node-gyp invocation during installation, allowing arbitrary code execution without visible preinstall or postinstall scripts in package.json.

The malware payload follows a multi-stage obfuscation pattern: Caesar-style letter shift with immediate eval() execution, AES-GCM decryption of embedded payloads, and JavaScript-obfuscator-style string hiding. The final payload executes through Bun, likely to evade Node.js-focused security hooks. Collection targets include .env files, npm and PyPI tokens, GitHub tokens, SSH keys, Docker authentication, Kubernetes configs, AWS credentials, and AI-agent configuration paths. The campaign also includes GitHub Actions targeting, searching for workflows that publish packages and attempting to steal secrets from runner contexts. A secondary finding identified the same payload family in github.com/verana-labs/verana-blockchain@v0.10.1-dev.20, with malicious code at .claude/index.js and VS Code folder-open task execution, demonstrating source-repository poisoning beyond package manager installation vectors.

Popular Chrome Ad Blocker Extension Harbors Remote Code Execution Capability

An analysis by Island has uncovered arbitrary JavaScript execution capability in Adblock for YouTube, a Chrome extension with over 10 million installations and a Featured badge on the Chrome Web Store. Source: Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability

The extension's dormant script injection capability represents a significant supply chain risk given its massive user base and trusted status within the Chrome ecosystem. The discovery raises questions about the security review processes for highly-installed extensions and the potential for latent malicious functionality to persist undetected within browser-based tools.

Polish Law Enforcement Dismantles SIM-Swapping Cybercrime Organization

Polish authorities have arrested four members of an organized cybercrime group responsible for breaching telecommunications partners and executing SIM-swapping attacks resulting in millions of dollars in cryptocurrency theft. Source: Poland busts SIM-swapping gang tied to millions in crypto theft

The operation highlights the critical vulnerability of telecommunications infrastructure as an attack vector for account takeover campaigns. By compromising telecom partners and hijacking email accounts, the group was able to bypass multi-factor authentication mechanisms relying on SMS-based verification, demonstrating the interconnected risks across communication and identity verification systems.

Photo ZIP Campaign Delivers Node.js Implant to Hospitality Organizations

Microsoft Threat Intelligence has identified an active multi-stage intrusion campaign targeting hospitality organizations across Europe and Asia using photo-themed ZIP archives and fake image shortcut files. Source: Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access

The campaign leverages social engineering to deliver a persistent Node.js implant designed to evade detection and establish long-term access within targeted environments. The hospitality sector's reliance on interconnected systems for reservations, payment processing, and guest management makes it an attractive target for attackers seeking sustained network presence and potential lateral movement opportunities.

As these campaigns demonstrate, modern threats exploit the entire software development and deployment lifecycle. Organizations must implement comprehensive security strategies encompassing package registry verification, browser extension auditing, telecommunications security hardening, and email-based threat detection to defend against the converging attack surface.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem
SHA-25617
  • 32d1bc728d8e…
    binding.gyp file in LeoPlatform/RStreams packages
  • 57ba86f6f0ca…
    index.js file in leo-logger@1.0.8
  • 4a0aa7875795…
    package.json file in leo-logger@1.0.8
  • 026588d39b7c…
    index.js file in leo-sdk@6.0.19
  • df9ea0c71574…
    index.js file in leo-auth@4.0.6
  • 1a3b9ed0b377…
    index.js file in leo-aws@2.0.4
  • f565988f281b…
    npm tarball for leo-sdk@6.0.19
  • a934a5bcf692…
    npm tarball for leo-auth@4.0.6
  • f7c47be30635…
    npm tarball for leo-aws@2.0.4
  • 3da2ca129c99…
    npm tarball for leo-cli@3.0.3
  • b3e217f4354e…
    verana-blockchain-v0.10.1-dev.20.zip archive
  • 15b415ae41df…
    .claude/index.js in Verana Blockchain module
  • 6cb3fc365035…
    .claude/setup.mjs and .vscode/setup.mjs in Verana Blockchain module
  • 927387d0cfac…
    .vscode/tasks.json in Verana Blockchain module
  • 1a0e1daeaea8…
    decoded first-stage JavaScript payload
  • ceff7c51d708…
    decrypted Bun bootstrap payload
  • 9f93d77d3283…
    decrypted main payload