logo

Miasma Returns: Leo Platform Compromise in npm

ID: 8cda2d93-e1fa-5ad3-a4fd-6aebf13453ce

STIX ID: report--8cda2d93-e1fa-5ad3-a4fd-6aebf13453ce

Feed Name: Security Boulevard

Threat Score
78/100

Date Published: 2026-06-25

Date Updated: 2026-06-26

Author: Sonatype Security Research Team

...
...

Sonatype reports a resurgence of the "Shai-Hulud Miasma" npm supply-chain campaign in which a compromised maintainer account published malicious package versions (≈23) that abuse binding.gyp/node-gyp to execute during installation, enabling credential theft, persistence, and propagation through trusted publishing workflows; organizations should treat developer workstations, CI/CD runners, and build containers as potentially compromised, remove malicious versions, investigate install-time execution, and rotate credentials only after removing persistence.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.