Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages
The Miasma Mini Shai-Hulud supply chain campaign compromised legitimate npm packages under the @immobiliarelabs scope, targeting Backstage plugins for GitLab integration and LDAP authentication. The attack affects 22 package versions across multiple releases and uses hidden payloads to bypass package reviews. It steals developer credentials and CI/CD secrets, exploiting GitHub Actions workflows for propagation. Stolen credentials include npm tokens, GitHub tokens, cloud credentials, SSH keys, and other authentication secrets, which are exfiltrated to attacker-controlled repositories. The campaign is linked to a compromised upstream GitHub Action (codfish/semantic-release-action) and leverages deployment-triggered workflows for execution.
AI Analysis
Technical Summary
This supply chain attack compromised npm packages under the @immobiliarelabs scope, specifically Backstage plugins used for GitLab integration and LDAP authentication. The malware uses sophisticated evasion techniques including hidden payloads that bypass standard package reviews. It steals a wide range of developer and CI/CD credentials such as npm tokens, GitHub tokens, cloud credentials, and SSH keys. The attack exploits a compromised upstream GitHub Action (codfish/semantic-release-action) and uses deployment-triggered GitHub Actions workflows to propagate within the ecosystem. The stolen credentials are exfiltrated to attacker-controlled repositories, enabling further compromise of developer infrastructure and continuous integration pipelines. No specific affected package versions are provided in the data. There is no indication of known exploits in the wild at this time.
Potential Impact
The attack compromises developer infrastructure by stealing sensitive credentials including npm tokens, GitHub tokens, cloud credentials, and SSH keys. This enables attackers to propagate malware through CI/CD pipelines and GitHub Actions workflows, potentially leading to widespread compromise of software supply chains that rely on the affected npm packages. The campaign undermines trust in the @immobiliarelabs npm packages and Backstage plugins used for GitLab and LDAP integration.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until official fixes or updates are released, users should audit their use of @immobiliarelabs npm packages, especially Backstage plugins for GitLab and LDAP, and review their CI/CD workflows for signs of compromise. Rotate all potentially exposed credentials including npm tokens, GitHub tokens, cloud credentials, and SSH keys. Monitor for unusual activity in GitHub Actions workflows and consider temporarily disabling or restricting deployment-triggered workflows linked to the compromised packages. Follow updates from the package maintainers and security advisories for official patches or mitigation instructions.
Indicators of Compromise
- hash: ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90
- hash: 0574f0bee78294a5f3495144ea6e05848c5fe8dcda11414e35c65aea46ce953b
- hash: 0ccd7c44a6352f295f65ffea21c2472566f9e73c4dd1028fe0b9971314b18de6
- hash: 14253cd5b8acccbbacb5cd3bb0a099fb6b0aafe4d06d032e4070b3fb814677dd
- hash: 1623787aa0de7310a4585101212b41ae02d02801ebda5812395932392400c756
- hash: 1e7b04a9a4a25eb7928821a5519b0a40f7afe0f6042a6860c918b62d369096ed
- hash: 24c578c2573bf7a04f69c4762a36a87fd32746e9db4df16b2ad92f31fbdd0d50
- hash: 2f6cbe3a79148bc247131c36cd12689c97166a9d141dd9d9466270b4c04c3e3e
- hash: 2ffed3b58bc267c438c759cd03b3e890904f25bacd015608f888c302741cad29
- hash: 333f2e3753063447819a3c86cfc475fe4bd3f0a76c05262a61c3d18b50438bb5
- hash: 3667e7080c083563f6d05118d8b08f535b391fe2a5c0f98d5bd31f96257620f7
- hash: 3809fd3a3a912abccaa7aa201880a2cfd194ae7f9dbdc747872cd045bcb3def5
- hash: 3b24b47a66b17d39fbdb7deccc329342b18cec6feb967adbaf80e81a70ecc609
- hash: 441d834d8a97b3d76bd7a9ac73174a18c1add1bf80b21319c0cb2d5737782e83
- hash: 54086c0f23710ff45cb6bde498083d0a0098112aab9b0ef48e6e869a280f1b42
- hash: 60099babe48a48831262b40d4c5c1dd623726060da10c1e2f74f191c9c4cd81d
- hash: 63667208bcd2d307b307e6df43bf8960ccb7058333d00ba064ed53f180ec32ea
- hash: 720571b83600cd61080a7779e7f44327e4df4974d4a01475439d2e59e11ab29f
- hash: 7a879ed69a8191df5c68535f6ac41b830577b698de943c66ff40e51482d90d79
- hash: 7bc28ba4d33d010785a5289211ad6a0d968ec0abd56201d90d74921ad83d925d
- hash: 7cd21d65d5a085d82d07275df9a66c6dfac4e13e43ea9ef44e84a3dd14ea1b3f
- hash: 8284d9bd16c9141d331d3b724f9d57ae2cae265bf326055e18d5cde4bb5985b7
- hash: 869ffe5400477ce69bbfd5f51ddd0c40eacad9a83005956fb14787a5e1e98330
- hash: 8746d49834ad938eebeaffd380b6302c94ab0b3258268c1a8c7e57ee7d5c11e1
- hash: 89c218ca407c2d92359b53a9e3b7b973a761dcf323d2fa1cc2dc12c13f27afaf
- hash: 8a71e7d9b6b1b6d3e7bee490e98b34595ceea207160fc7ed35e47f82160febbe
- hash: 8df5d46d91589e6a3ec8d87d6eea6c71fac103f9e10dff9b88c309c1e9129b07
- hash: 8e83e3ece1a2a764a7c6fd78dd39cfb32cb38d22b7b3d92709cb5b87fa916403
- hash: 99eb789284fa62e3f956e81294247ae82f596ebf481c069ae45019ac4e879927
- hash: 9d8ea3cefb942081a1409e842ddc541ccd65fb3e66a4f8dfe562ca8548dd09d9
- hash: 9df6bda43678708605dfaad35f02be8027e85e6aa38193704cf192f842f0d186
- hash: a09909e8981e17712ef38b363f94553e2f86b6c2abd6c87eada94d3d3aab937e
- hash: a16810f972f577f129f95f147e64aa4c70977035285d357a53958496c0531223
- hash: b38a73c365e5761fe0e7f25a391db3a264b1f2b4878a1c8cc127ba83d64e614c
- hash: b4f90f5515df39cf346bf436e284f2dae28c9341c035765d83d82a76c86922b7
- hash: b82f5f6f1d969ba8f32937a3d81306c631defa943b7cc7529e45a0003340ece5
- hash: ca89ece660251554b66f1e5e9874410d206e0f080da3039e1221f1c71d817395
- hash: cc00c23768bee76e2f297c1766a013a681efb519888545352cff96fc5cead035
- hash: cf46348e7a4beacc0b9600c9ece3bee140f344641e90d99c741bc54507423443
- hash: cf5d79494d8b1fdcb5480507eee8beeb2fcd69bcd9afcdc7dc1bcdda7461913e
- hash: d1db13a14db489531e11ccf700d7fd8701f61ad297ce02477e11acf194d3fed0
- hash: d2aa3f9057c6f3295766aabed0a71a369353d6eb665049a45fd407fd55020fdb
- hash: dfcdec5f43cc8d127084a2ac4d66499f13bae7f49167e3291a6f1a70738772d1
- hash: ef01e18ccf618a8992ad0aa4eb7d804bbacf9f092d43d39237f283a9a289c9b9
- hash: ef89e81be6b9d81b9d4bc41dae5f10a7a68f33b17fd76affcf7dca2f5d50a843
Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages
Description
The Miasma Mini Shai-Hulud supply chain campaign compromised legitimate npm packages under the @immobiliarelabs scope, targeting Backstage plugins for GitLab integration and LDAP authentication. The attack affects 22 package versions across multiple releases and uses hidden payloads to bypass package reviews. It steals developer credentials and CI/CD secrets, exploiting GitHub Actions workflows for propagation. Stolen credentials include npm tokens, GitHub tokens, cloud credentials, SSH keys, and other authentication secrets, which are exfiltrated to attacker-controlled repositories. The campaign is linked to a compromised upstream GitHub Action (codfish/semantic-release-action) and leverages deployment-triggered workflows for execution.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This supply chain attack compromised npm packages under the @immobiliarelabs scope, specifically Backstage plugins used for GitLab integration and LDAP authentication. The malware uses sophisticated evasion techniques including hidden payloads that bypass standard package reviews. It steals a wide range of developer and CI/CD credentials such as npm tokens, GitHub tokens, cloud credentials, and SSH keys. The attack exploits a compromised upstream GitHub Action (codfish/semantic-release-action) and uses deployment-triggered GitHub Actions workflows to propagate within the ecosystem. The stolen credentials are exfiltrated to attacker-controlled repositories, enabling further compromise of developer infrastructure and continuous integration pipelines. No specific affected package versions are provided in the data. There is no indication of known exploits in the wild at this time.
Potential Impact
The attack compromises developer infrastructure by stealing sensitive credentials including npm tokens, GitHub tokens, cloud credentials, and SSH keys. This enables attackers to propagate malware through CI/CD pipelines and GitHub Actions workflows, potentially leading to widespread compromise of software supply chains that rely on the affected npm packages. The campaign undermines trust in the @immobiliarelabs npm packages and Backstage plugins used for GitLab and LDAP integration.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until official fixes or updates are released, users should audit their use of @immobiliarelabs npm packages, especially Backstage plugins for GitLab and LDAP, and review their CI/CD workflows for signs of compromise. Rotate all potentially exposed credentials including npm tokens, GitHub tokens, cloud credentials, and SSH keys. Monitor for unusual activity in GitHub Actions workflows and consider temporarily disabling or restricting deployment-triggered workflows linked to the compromised packages. Follow updates from the package maintainers and security advisories for official patches or mitigation instructions.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://socket.dev/blog/miasma-mini-shai-hulud-hits-immobiliarelabs-npm-packages"]
- Adversary
- null
- Pulse Id
- 6a3f2df93c2f6387d1b27726
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hashef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90 | — | |
hash0574f0bee78294a5f3495144ea6e05848c5fe8dcda11414e35c65aea46ce953b | — | |
hash0ccd7c44a6352f295f65ffea21c2472566f9e73c4dd1028fe0b9971314b18de6 | — | |
hash14253cd5b8acccbbacb5cd3bb0a099fb6b0aafe4d06d032e4070b3fb814677dd | — | |
hash1623787aa0de7310a4585101212b41ae02d02801ebda5812395932392400c756 | — | |
hash1e7b04a9a4a25eb7928821a5519b0a40f7afe0f6042a6860c918b62d369096ed | — | |
hash24c578c2573bf7a04f69c4762a36a87fd32746e9db4df16b2ad92f31fbdd0d50 | — | |
hash2f6cbe3a79148bc247131c36cd12689c97166a9d141dd9d9466270b4c04c3e3e | — | |
hash2ffed3b58bc267c438c759cd03b3e890904f25bacd015608f888c302741cad29 | — | |
hash333f2e3753063447819a3c86cfc475fe4bd3f0a76c05262a61c3d18b50438bb5 | — | |
hash3667e7080c083563f6d05118d8b08f535b391fe2a5c0f98d5bd31f96257620f7 | — | |
hash3809fd3a3a912abccaa7aa201880a2cfd194ae7f9dbdc747872cd045bcb3def5 | — | |
hash3b24b47a66b17d39fbdb7deccc329342b18cec6feb967adbaf80e81a70ecc609 | — | |
hash441d834d8a97b3d76bd7a9ac73174a18c1add1bf80b21319c0cb2d5737782e83 | — | |
hash54086c0f23710ff45cb6bde498083d0a0098112aab9b0ef48e6e869a280f1b42 | — | |
hash60099babe48a48831262b40d4c5c1dd623726060da10c1e2f74f191c9c4cd81d | — | |
hash63667208bcd2d307b307e6df43bf8960ccb7058333d00ba064ed53f180ec32ea | — | |
hash720571b83600cd61080a7779e7f44327e4df4974d4a01475439d2e59e11ab29f | — | |
hash7a879ed69a8191df5c68535f6ac41b830577b698de943c66ff40e51482d90d79 | — | |
hash7bc28ba4d33d010785a5289211ad6a0d968ec0abd56201d90d74921ad83d925d | — | |
hash7cd21d65d5a085d82d07275df9a66c6dfac4e13e43ea9ef44e84a3dd14ea1b3f | — | |
hash8284d9bd16c9141d331d3b724f9d57ae2cae265bf326055e18d5cde4bb5985b7 | — | |
hash869ffe5400477ce69bbfd5f51ddd0c40eacad9a83005956fb14787a5e1e98330 | — | |
hash8746d49834ad938eebeaffd380b6302c94ab0b3258268c1a8c7e57ee7d5c11e1 | — | |
hash89c218ca407c2d92359b53a9e3b7b973a761dcf323d2fa1cc2dc12c13f27afaf | — | |
hash8a71e7d9b6b1b6d3e7bee490e98b34595ceea207160fc7ed35e47f82160febbe | — | |
hash8df5d46d91589e6a3ec8d87d6eea6c71fac103f9e10dff9b88c309c1e9129b07 | — | |
hash8e83e3ece1a2a764a7c6fd78dd39cfb32cb38d22b7b3d92709cb5b87fa916403 | — | |
hash99eb789284fa62e3f956e81294247ae82f596ebf481c069ae45019ac4e879927 | — | |
hash9d8ea3cefb942081a1409e842ddc541ccd65fb3e66a4f8dfe562ca8548dd09d9 | — | |
hash9df6bda43678708605dfaad35f02be8027e85e6aa38193704cf192f842f0d186 | — | |
hasha09909e8981e17712ef38b363f94553e2f86b6c2abd6c87eada94d3d3aab937e | — | |
hasha16810f972f577f129f95f147e64aa4c70977035285d357a53958496c0531223 | — | |
hashb38a73c365e5761fe0e7f25a391db3a264b1f2b4878a1c8cc127ba83d64e614c | — | |
hashb4f90f5515df39cf346bf436e284f2dae28c9341c035765d83d82a76c86922b7 | — | |
hashb82f5f6f1d969ba8f32937a3d81306c631defa943b7cc7529e45a0003340ece5 | — | |
hashca89ece660251554b66f1e5e9874410d206e0f080da3039e1221f1c71d817395 | — | |
hashcc00c23768bee76e2f297c1766a013a681efb519888545352cff96fc5cead035 | — | |
hashcf46348e7a4beacc0b9600c9ece3bee140f344641e90d99c741bc54507423443 | — | |
hashcf5d79494d8b1fdcb5480507eee8beeb2fcd69bcd9afcdc7dc1bcdda7461913e | — | |
hashd1db13a14db489531e11ccf700d7fd8701f61ad297ce02477e11acf194d3fed0 | — | |
hashd2aa3f9057c6f3295766aabed0a71a369353d6eb665049a45fd407fd55020fdb | — | |
hashdfcdec5f43cc8d127084a2ac4d66499f13bae7f49167e3291a6f1a70738772d1 | — | |
hashef01e18ccf618a8992ad0aa4eb7d804bbacf9f092d43d39237f283a9a289c9b9 | — | |
hashef89e81be6b9d81b9d4bc41dae5f10a7a68f33b17fd76affcf7dca2f5d50a843 | — |
Threat ID: 6a42401c27e9c797199e143c
Added to database: 06/29/2026, 09:51:24 UTC
Last enriched: 06/29/2026, 10:06:25 UTC
Last updated: 06/29/2026, 14:46:28 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.