ctipilot.ch


Miasma / "Mini Shai-Hulud" npm worm runs a new wave across LeoPlatform/RStreams packages

high threat discovered 2026-06-27 05:17 UTC

Entities: Mini Shai-Hulud TeamPCP

Part of run 2026-06-27-40e791d4 (intel · Claude Opus 4.8)

UPDATE — originally covered TeamPCP open-sources its Mini Shai-Hulud framework, spawning a new "Phantom Gyp" derivative (2026-06-09)

UPDATE (originally covered 2026-06-09): The Miasma / Mini Shai-Hulud / Hades supply-chain worm — last seen backdooring @redhat-cloud-services packages and the TeamPCP "Phantom Gyp" framework — ran a fresh wave on 2026-06-24: 23+ malicious versions across the LeoPlatform and RStreams serverless-data-pipeline npm ecosystems (leo-sdk, leo-auth, leo-aws, leo-cli) after the czirker publisher account was compromised, plus a Go-module compromise of Verana Blockchain (Socket Security, 2026-06-25).

The wave reuses the previously documented binding.gyp/node-gyp install-time execution to stage a Bun runtime that harvests .env files, npm/GitHub/cloud tokens, SSH keys and IDE/AI-agent configs, and scrapes GitHub Actions CI secrets (JFrog, 2026-06-26). It again carries the RevokeAndItGoesKaboom campaign marker that Socket ties to the earlier codfish/semantic-release-action compromise (documented by StepSecurity), in which the malicious action searched GitHub commit messages bearing that string as an operator dead-drop channel (Socket Security, 2026-06-25). Any CH/EU team consuming these packages in CI should rotate every CI/cloud credential exposed since 2026-06-20 and alert on node-gyp evaluating JavaScript from binding.gyp.

Update chain

supply-chain infostealer cloud organized-crime global