# Miasma Malware Campaign Turns GitHub and npm Into a Supply‑Chain Weapon for Developers

*Friday, June 26, 2026 at 12:10 PM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-06-26T12:10:53.586Z
**Category**: cyber | **Region**: Global
**Importance**: 7/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/8887.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: A malware campaign linked to the Shai-Hulud group has moved beyond npm packages, with researchers uncovering 23 malicious npm modules, a related Go component tied to Verana Blockchain, and abuse of GitHub Actions to steal CI/CD secrets. For software teams, the threat is less about a single exploit than about malware hiding inside the very tools developers trust to build and ship code. This article explains how the operation works, who is exposed and why continuous-integration pipelines are becoming an attractive target.

Developers’ own tools are being turned against them in a newly detailed malware campaign that corrupts open-source workflows at the source. Security researchers say a Shai-Hulud-linked operation dubbed "Miasma" has quietly seeded at least 23 malicious npm packages and a related Go module, while hijacking GitHub Actions to steal continuous-integration secrets and spread through trusted developer pipelines.

The campaign initially focused on npm, the dominant package manager for JavaScript and Node.js, where attackers uploaded packages that appeared benign but contained hidden backdoors. Investigators have now traced the activity to a Go module connected to Verana Blockchain and, crucially, to GitHub Actions scripts that execute automatically in many development environments. By compromising these scripts, the malware can run in the context of a project’s build process, where it can access credentials, environment variables and signing keys that ordinary intruders struggle to reach.

For engineering teams, the human impact is not abstract. A single compromised dependency can silently infect dozens or hundreds of internal projects, giving attackers a path from public code to private repositories, cloud accounts and production servers without any developer ever typing a suspicious command. CI/CD systems — the automated pipelines that test, build and deploy code — become a high-value target because they often hold the keys to the entire software estate.

Operationally, the Miasma campaign shows how the attack surface has shifted from end users to the supply chains that feed them. Instead of tricking individual employees with phishing emails, adversaries insert malicious modules into public registries or abuse automation platforms like GitHub Actions. When a development team includes a compromised package or reuses a tainted workflow template, the malware can exfiltrate secrets during routine builds, modify artifacts en route to production, or implant persistent access for later use.

The strategic stakes are significant for any organization that builds or runs software — from fintechs and exchanges to government agencies and industrial firms. Because npm and GitHub Actions are woven into countless open-source and commercial projects, the same technique could, in theory, reach cryptocurrency infrastructure, critical business applications, or tools used in defense and intelligence contexts. The challenge is that the very openness that makes these ecosystems powerful also makes them difficult to police: developers prize frictionless reuse of code and workflows, creating a wide attack window before malicious packages are detected and removed.

For platform operators, the campaign adds pressure to detect and block abuse without undermining the flexibility that keeps developers loyal. npm registries and GitHub have security teams and automated scanners, but attackers are increasingly adept at mimicking legitimate publishing behavior, copying package names, and hiding payloads in obfuscated or delayed-execution code. The use of GitHub Actions ups the ante, because malicious behavior can be encoded in workflow files that appear to perform ordinary build or test tasks.

A useful way to frame the risk is this: in modern software development, the weakest link may no longer be the employee who clicks a bad link, but the automated system that faithfully runs whatever code it is given. Once an attacker can write into that automation layer, every build can become an opportunity to steal data or plant new backdoors.

Signals to watch in the coming days and weeks include whether additional malicious packages are identified and pulled from npm and related registries, whether GitHub introduces new safeguards or guidance around Actions security, and whether any major company or project discloses a breach tied to the Miasma indicators. Security teams will be looking closely at their dependency trees and CI configurations — and at how quickly the broader open-source community can adapt to an era where the build pipeline itself is under sustained attack.
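For teams reviewing their CI configurations, the following JavaScript is an added example, not code from the researchers or from any project named above. It audits a workflow file for third-party actions that are not pinned to a full commit SHA, for a missing `permissions` block, and for secrets handed to build steps. The sample workflow, the action names, the commit hash and the rule names are constructed for illustration.

```javascript
// Added example: flag GitHub Actions workflow settings that widen exposure
// to a tainted action. The workflow below is constructed for illustration;
// the action names and the commit hash are placeholders, not indicators.
const SAMPLE_WORKFLOW = [
  'name: build',
  'on: [push]',
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v1.2.0',
  '      - uses: ./.github/actions/local-lint',
  '      - name: publish',
  '        run: npm publish',
  '        env:',
  '          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}',
].join('\n');

// A reference is immutable only when pinned to a full commit SHA (or, for
// docker:// steps, an image digest). Tags and branches can be repointed.
const PINNED = /@(?:[0-9a-f]{40}|sha256:[0-9a-f]{64})$/;

function auditWorkflow(text) {
  const findings = [];
  // Without a permissions block the job token gets the repository default.
  if (!/^\s*permissions:/m.test(text)) {
    findings.push({ line: 0, rule: 'no-permissions-block', detail: '' });
  }
  text.split('\n').forEach((raw, i) => {
    const line = raw.replace(/\s+#.*$/, ''); // drop trailing YAML comments
    const uses = line.match(/^\s*(?:-\s*)?uses:\s*['"]?([^'"\s]+)/);
    if (uses && !uses[1].startsWith('./') && !PINNED.test(uses[1])) {
      findings.push({ line: i + 1, rule: 'unpinned-action', detail: uses[1] });
    }
    const secret = line.match(/\$\{\{\s*secrets\.([A-Za-z0-9_]+)/);
    if (secret) {
      findings.push({ line: i + 1, rule: 'secret-in-scope', detail: secret[1] });
    }
  });
  return findings;
}

for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.rule} ${f.detail}`);
}
```

The findings are review prompts rather than evidence of compromise: a tag-pinned action or an exposed token is normal in many repositories, but each one marks a place where a repointed action would run with access to credentials.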
