PANews, June 25: the SlowMist security team has issued an alert that a new variant of the Shai-Hulud/Miasma/Hades npm malware is affecting the npm ecosystem; the variant is linked to the compromised npm developer account czirker. The campaign relies on a pre-configured binding.gyp file to execute malicious code during the npm install process. So far, 23 affected packages have been confirmed, among them leo-logger, which has a weekly download count of 3,140. At the time of the alert, 408 affected GitHub repositories containing stolen credentials had been detected.
Attackers can steal GitHub tokens, npm tokens and AWS/GCP/Azure credentials, exfiltrate local environment data, abuse GitHub workflows, and propagate further through the npm supply chain. SlowMist recommends that security teams immediately check lockfiles and package history, downgrade or remove affected packages, rotate all related keys and credentials, and enforce two-factor authentication.
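The two checks below are an added example and are not code from SlowMist, PANews or any of the packages named above. They implement the "check lockfiles" step of the recommendation and the detection angle behind the binding.gyp trigger: npm runs `node-gyp rebuild` as the default install step for any package that ships a `binding.gyp` in its root and declares no `install` or `preinstall` script of its own, so a planted `binding.gyp` gets a build step executed during `npm install` without any visible install script in package.json. The affected-package list holds only `leo-logger` (the one name the alert gives) plus a clearly labelled placeholder; the lockfile, manifests and file lists are constructed sample data.

```javascript
// Added example (not SlowMist's or PANews' code): audit a package-lock.json for
// packages named in an advisory and for the install-time trigger this campaign
// abuses. npm's documented default: a package whose root contains binding.gyp
// and that declares no "install" or "preinstall" script gets `node-gyp rebuild`
// run for it during `npm install`. All data below is constructed.

const AFFECTED_PACKAGES = new Set([
  'leo-logger',               // named in the SlowMist alert
  'example-affected-package', // placeholder: substitute the advisory's full list
]);

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed entry (including nested copies) on the affected list.
function findAffectedInLock(lock, affected = AFFECTED_PACKAGES) {
  const hits = [];
  for (const [pathKey, entry] of Object.entries(lock.packages || {})) {
    if (pathKey === '') continue; // the root project itself
    // The package name is the last "node_modules/" segment of the path key.
    const marker = 'node_modules/';
    const name = entry.name || pathKey.slice(pathKey.lastIndexOf(marker) + marker.length);
    if (affected.has(name)) {
      hits.push({ path: pathKey, name, version: entry.version, resolved: entry.resolved });
    }
  }
  return hits;
}

// True when a package would trigger npm's implicit `node-gyp rebuild`:
// binding.gyp sits in the package root and no install/preinstall script overrides it.
// `files` lists paths relative to the package root; `pkgJson` is its manifest.
function hasImplicitGypBuild(pkgJson, files) {
  const shipsRootGyp = files.some((f) => f.replace(/\\/g, '/') === 'binding.gyp');
  const scripts = (pkgJson && pkgJson.scripts) || {};
  const overridesDefault =
    typeof scripts.install === 'string' || typeof scripts.preinstall === 'string';
  return shipsRootGyp && !overridesDefault;
}

// Combined audit: affected names from the lockfile plus every installed package
// whose contents (path -> { pkgJson, files }) would fire the implicit build step.
function auditInstall(lock, packageContents, affected = AFFECTED_PACKAGES) {
  const implicitGypBuilds = [];
  for (const [pathKey, { pkgJson, files }] of Object.entries(packageContents)) {
    if (hasImplicitGypBuild(pkgJson, files)) implicitGypBuilds.push(pathKey);
  }
  return { affected: findAffectedInLock(lock, affected), implicitGypBuilds };
}

// Constructed sample lockfile: a direct and a nested copy of leo-logger.
const sampleLock = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/leo-logger': {
      version: '9.9.9', // made-up version
      resolved: 'https://registry.example.invalid/leo-logger/-/leo-logger-9.9.9.tgz',
    },
    'node_modules/harmless-lib': {
      version: '2.1.0',
      resolved: 'https://registry.example.invalid/harmless-lib/-/harmless-lib-2.1.0.tgz',
    },
    'node_modules/harmless-lib/node_modules/leo-logger': {
      version: '9.9.8',
      resolved: 'https://registry.example.invalid/leo-logger/-/leo-logger-9.9.8.tgz',
    },
  },
};

// Constructed sample contents: leo-logger ships binding.gyp with no install
// script (the silent trigger); harmless-lib ships neither.
const samplePackageContents = {
  'node_modules/leo-logger': {
    pkgJson: { name: 'leo-logger', version: '9.9.9' },
    files: ['package.json', 'index.js', 'binding.gyp'],
  },
  'node_modules/harmless-lib': {
    pkgJson: { name: 'harmless-lib', version: '2.1.0', scripts: { test: 'node test.js' } },
    files: ['package.json', 'index.js'],
  },
};

function runSampleAudit() {
  return auditInstall(sampleLock, samplePackageContents);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSampleAudit(), null, 2));
}
```

Against a real project, read `package-lock.json` with `fs` and build `packageContents` by listing each directory under `node_modules`; any entry reported under `implicitGypBuilds` deserves a look at its `binding.gyp` before it is ever installed with scripts enabled. Two npm features fit the recommendation directly: `npm install --ignore-scripts` suppresses install-time scripts, including that default `node-gyp rebuild`, while a lockfile is being reviewed, and `npm profile enable-2fa auth-and-writes` turns on the two-factor requirement for publishing.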



