New Malware Hits npm and GitHub in Supply Chain Attack
Robert Moore
Cybersecurity researchers have flagged a supply chain attack evolution from the Mini Shai-Hulud, Miasma, and Hades malware family, compromising npm packages like LeoPlatform and RStreams, abusing GitHub Actions workflows, and spreading to the Go ecosystem.
Cybersecurity researchers have spotted the latest twist in an ongoing supply chain attack. It’s tied to the Mini Shai-Hulud, Miasma, and Hades malware family, and it’s already hit a fresh batch of npm packages. Worse, it’s now spreading into the Go ecosystem.
This isn’t just another headline. It’s a real threat that affects developers and businesses relying on open-source tools. Let’s break down what’s happening and why you should care.
### What’s New in This Attack?
The attack has evolved beyond simple package compromises. The latest activity includes malicious npm releases that target two specific packages: LeoPlatform and RStreams. These aren’t obscure libraries—they’re used in real-world projects.
On top of that, attackers are abusing GitHub Actions workflows. This means they’re not just planting bad code; they’re hijacking automated processes to spread the malware further. And now, a related Go package has been found, signaling a move into a whole new ecosystem.
### Why This Matters for Developers
If you’re a developer, this hits close to home. Supply chain attacks are sneaky because they target the tools you trust. When a popular npm package gets compromised, every project that depends on it becomes a potential victim.
Here’s what makes this particular attack dangerous:
- **Wide reach**: It affects both npm and Go ecosystems, covering two major development communities.
- **Automation abuse**: GitHub Actions workflows are used for CI/CD pipelines, so the malware can spread automatically.
- **Stealth**: The malware family is known for hiding its tracks, making it hard to detect.
“This is a reminder that no package is safe,” says Robert Moore, Lead Antidetect Browser Specialist & Digital Privacy Strategist. “You need to verify every dependency, even from trusted sources.”
### How to Protect Your Projects
You don’t have to panic, but you should take action. Here are practical steps to safeguard your work:
- **Audit your dependencies**: Regularly check your package.json or go.mod files for suspicious entries. Use tools like npm audit or Snyk to scan for known vulnerabilities.
- **Pin your versions**: Avoid open version ranges like "*" or "^1.0.0". Pin exact versions so a newer, compromised release can't be pulled in automatically.
- **Monitor GitHub Actions**: Review your workflow files. Don’t run untrusted actions or scripts without vetting them first.
- **Use antidetect browsers**: If you’re managing multiple accounts or sensitive projects, antidetect browsers can help mask your digital fingerprint and reduce exposure to malware that tracks browser behavior.
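As an added example (not code from the article or from any of the packages it names), here is a small Node.js script that implements two of the checks above: it flags dependencies in package.json whose specifier is not an exact version, and `uses:` steps in a GitHub Actions workflow that are not pinned to a full commit SHA. The package names, version strings and the SHA in the sample inputs are constructed placeholders.

```javascript
// Added example, not from the article: flag npm dependencies that are not
// pinned to an exact version and GitHub Actions steps that are not pinned to
// a commit SHA. All sample data below is constructed for illustration.

// Only an exact semver version counts as pinned ("*", "^1.0.0", "~1.2.0",
// "latest" and ">=1.0.0" all let a newer, possibly compromised release in).
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function findUnpinnedDeps(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// A `uses:` reference is pinned only when its ref is a full 40-hex commit SHA;
// a tag or branch can be moved by whoever controls the action's repository.
const USES_LINE = /^\s*-?\s*uses:\s*['"]?([^\s#'"]+)/;
const FULL_SHA = /^[0-9a-f]{40}$/;

function findUnpinnedActions(workflowYaml) {
  const out = [];
  for (const line of workflowYaml.split("\n")) {
    const m = USES_LINE.exec(line);
    if (!m) continue;
    const ref = m[1];
    // Local (./path) and docker:// references are not tag-pinned remote actions.
    if (ref.startsWith("./") || ref.startsWith("docker://")) continue;
    const at = ref.lastIndexOf("@");
    if (at < 0 || !FULL_SHA.test(ref.slice(at + 1))) out.push(ref);
  }
  return out;
}

// Constructed sample inputs (package names and the SHA are placeholders).
const SAMPLE_PKG = {
  dependencies: { "example-stream-lib": "^1.0.0", "exact-dep": "2.3.4", "anything": "*" },
  devDependencies: { "example-tool": "~0.9.0" },
};
const SAMPLE_WORKFLOW = `
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b"
      - run: npm ci
`;
```

Run it against your own package.json and `.github/workflows/*.yml` files; anything it reports is a place where a future release of someone else's code can reach your build without a change on your side.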
### The Bigger Picture
This attack is part of a growing trend. Supply chain attacks are becoming more sophisticated, targeting not just code but the infrastructure around it. The move to Go shows that attackers are expanding their reach.
For U.S. professionals, this is especially relevant. Many companies rely on open-source packages for everything from web apps to cloud services. A single compromised package can cascade into a major breach.
### What to Watch For
Keep an eye on your npm and Go dependencies. If you see unusual activity in your GitHub Actions logs, investigate immediately. The malware family behind this attack is known for persistence, so early detection is key.
Remember, security isn’t a one-time fix. It’s an ongoing process. Stay informed, update your tools, and always question what you’re adding to your projects.
This attack is a wake-up call. Don’t let your guard down.