32d1bc728d8e…binding.gyp file in LeoPlatform/RStreams packages57ba86f6f0ca…index.js file in leo-logger@1.0.84a0aa7875795…package.json file in leo-logger@1.0.8026588d39b7c…index.js file in leo-sdk@6.0.19df9ea0c71574…index.js file in leo-auth@4.0.61a3b9ed0b377…index.js file in leo-aws@2.0.4f565988f281b…npm tarball for leo-sdk@6.0.19a934a5bcf692…npm tarball for leo-auth@4.0.6f7c47be30635…npm tarball for leo-aws@2.0.43da2ca129c99…npm tarball for leo-cli@3.0.3b3e217f4354e…verana-blockchain-v0.10.1-dev.20.zip archive15b415ae41df….claude/index.js in Verana Blockchain module6cb3fc365035….claude/setup.mjs and .vscode/setup.mjs in Verana Blockchain module927387d0cfac….vscode/tasks.json in Verana Blockchain module1a0e1daeaea8…decoded first-stage JavaScript payloadceff7c51d708…decrypted Bun bootstrap payload9f93d77d3283…decrypted main payload
ThreatNoir Morning Brief — June 26
Morning Review in IT Security — June 26, 2026
The software supply chain faces mounting pressure as multiple attack vectors converge on developer ecosystems. Today's threat landscape reveals sophisticated campaigns exploiting npm package registries, browser extensions, telecommunications infrastructure, and hospitality sector workflows simultaneously. Organizations across all sectors must reassess their dependency management and authentication protocols in light of these emerging threats.
Miasma Mini Shai-Hulud Expands Supply Chain Attack Across npm, GitHub Actions, and Go Modules
Socket Threat Research is tracking a coordinated supply chain attack wave affecting LeoPlatform and RStreams npm packages, GitHub Actions workflows, and Go modules. Source: Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem
The campaign combines multiple attack techniques including npm registry poisoning, binding.gyp install-time execution, Bun-staged JavaScript malware, GitHub dead-drop infrastructure, and encrypted credential exfiltration. A rapid publish burst on June 24, 2026 delivered malicious versions of 23 npm packages including leo-auth, leo-aws, leo-sdk, leo-cli, and related data pipeline tools. The attack employs the "Phantom Gyp" execution pattern, where malicious binding.gyp files trigger node-gyp invocation during installation, allowing arbitrary code execution without visible preinstall or postinstall scripts in package.json.
The malware payload follows a multi-stage obfuscation pattern: Caesar-style letter shift with immediate eval() execution, AES-GCM decryption of embedded payloads, and JavaScript-obfuscator-style string hiding. The final payload executes through Bun, likely to evade Node.js-focused security hooks. Collection targets include .env files, npm and PyPI tokens, GitHub tokens, SSH keys, Docker authentication, Kubernetes configs, AWS credentials, and AI-agent configuration paths. The campaign also includes GitHub Actions targeting, searching for workflows that publish packages and attempting to steal secrets from runner contexts. A secondary finding identified the same payload family in github.com/verana-labs/verana-blockchain@v0.10.1-dev.20, with malicious code at .claude/index.js and VS Code folder-open task execution, demonstrating source-repository poisoning beyond package manager installation vectors.
Popular Chrome Ad Blocker Extension Harbors Remote Code Execution Capability
An analysis by Island has uncovered arbitrary JavaScript execution capability in Adblock for YouTube, a Chrome extension with over 10 million installations and a Featured badge on the Chrome Web Store. Source: Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability
The extension's dormant script injection capability represents a significant supply chain risk given its massive user base and trusted status within the Chrome ecosystem. The discovery raises questions about the security review processes for highly-installed extensions and the potential for latent malicious functionality to persist undetected within browser-based tools.
Polish Law Enforcement Dismantles SIM-Swapping Cybercrime Organization
Polish authorities have arrested four members of an organized cybercrime group responsible for breaching telecommunications partners and executing SIM-swapping attacks resulting in millions of dollars in cryptocurrency theft. Source: Poland busts SIM-swapping gang tied to millions in crypto theft
The operation highlights the critical vulnerability of telecommunications infrastructure as an attack vector for account takeover campaigns. By compromising telecom partners and hijacking email accounts, the group was able to bypass multi-factor authentication mechanisms relying on SMS-based verification, demonstrating the interconnected risks across communication and identity verification systems.
Photo ZIP Campaign Delivers Node.js Implant to Hospitality Organizations
Microsoft Threat Intelligence has identified an active multi-stage intrusion campaign targeting hospitality organizations across Europe and Asia using photo-themed ZIP archives and fake image shortcut files. Source: Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access
The campaign leverages social engineering to deliver a persistent Node.js implant designed to evade detection and establish long-term access within targeted environments. The hospitality sector's reliance on interconnected systems for reservations, payment processing, and guest management makes it an attractive target for attackers seeking sustained network presence and potential lateral movement opportunities.
As these campaigns demonstrate, modern threats exploit the entire software development and deployment lifecycle. Organizations must implement comprehensive security strategies encompassing package registry verification, browser extension auditing, telecommunications security hardening, and email-based threat detection to defend against the converging attack surface.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).