TechFlow reports that on June 25, SlowMist released threat intelligence indicating that novel npm malware variants (Shai-Hulud, Miasma, and Hades) linked to the compromised npm developer account “czirker” are impacting the npm ecosystem. The malicious payload runs during `npm install`, triggered through a pre-seeded binding.gyp build file shipped in the affected packages. It has been confirmed to affect 23 packages, including leo-logger, which sees approximately 3,140 weekly downloads. As of the report’s publication, 408 GitHub repositories have been identified as infected through the stolen credentials.
Potential attacker actions include: stealing GitHub and npm tokens; exfiltrating AWS/GCP/Azure cloud credentials; harvesting local environment data; abusing GitHub workflows; and further propagating npm supply-chain attacks. SlowMist advises security teams to immediately inspect lock files and package historical versions, downgrade or remove affected packages, rotate npm, GitHub, cloud service, CI/CD, and application keys, and enforce two-factor authentication (2FA).
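The two checks SlowMist recommends first, inspecting lock files for the affected packages and finding packages that run code at install time, can be scripted. The following is an added example written for this page, not SlowMist's or TechFlow's tooling: it parses a package-lock.json (lockfile versions 1, 2 and 3) against a watchlist and walks node_modules for packages that carry a binding.gyp or an install-time lifecycle script. The watchlist holds only leo-logger, the one package the report names; the remaining 22 must be added from the full SlowMist list (placeholder shown). The version numbers and the sample node_modules tree are constructed for the demo and are not the real compromised releases.

```python
"""Audit an npm lockfile and node_modules tree for packages named in a
supply-chain advisory and for packages with install-time build hooks.
Added example; the sample tree and versions below are constructed."""
import json
import tempfile
from pathlib import Path

# Packages named in the advisory. Only leo-logger appears in the report;
# the other 22 affected packages must be filled in from the full list.
ADVISORY_PACKAGES = {
    "leo-logger",
    # "<other-affected-package>",  # placeholder: add from SlowMist's list
}

# npm lifecycle scripts that execute during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def lockfile_packages(lock):
    """Return unique (name, version) pairs from a package-lock.json.
    lockfileVersion 2/3 list everything under 'packages' keyed by path;
    lockfileVersion 1 nests them under 'dependencies'."""
    found = set()
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            # Last path segment after node_modules/ keeps scoped names intact.
            name = meta.get("name") or path.split("node_modules/")[-1]
            found.add((name, meta.get("version", "")))
    else:
        def walk(deps):
            for name, meta in deps.items():
                found.add((name, meta.get("version", "")))
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return sorted(found)


def find_advisory_hits(lock, watchlist=ADVISORY_PACKAGES):
    """Lockfile entries whose package name is on the advisory watchlist."""
    return [(n, v) for n, v in lockfile_packages(lock) if n in watchlist]


def find_install_hooks(node_modules):
    """Packages under node_modules that ship a binding.gyp or declare an
    install-time script; either one runs code when `npm install` executes."""
    findings = []
    for pkg_json in Path(node_modules).rglob("package.json"):
        pkg_dir = pkg_json.parent
        try:
            meta = json.loads(pkg_json.read_text())
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        reasons = []
        if (pkg_dir / "binding.gyp").exists():
            reasons.append("binding.gyp")
        scripts = meta.get("scripts") or {}
        reasons += [hook for hook in INSTALL_HOOKS if hook in scripts]
        if reasons:
            findings.append((meta.get("name", pkg_dir.name), reasons))
    return sorted(findings)


def audit(project_root):
    """Run both checks against a project directory."""
    root = Path(project_root)
    lock = json.loads((root / "package-lock.json").read_text())
    return {
        "advisory_hits": find_advisory_hits(lock),
        "install_hooks": find_install_hooks(root / "node_modules"),
    }


def build_sample_tree(root):
    """Construct a tiny project: one watchlisted package with a binding.gyp
    and install script, one benign package. Versions are made up."""
    nm = Path(root) / "node_modules"
    bad = nm / "leo-logger"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "leo-logger", "version": "9.9.9",
        "scripts": {"install": "node-gyp rebuild"}}))
    (bad / "binding.gyp").write_text("{ 'targets': [] }")
    good = nm / "safe-lib"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps(
        {"name": "safe-lib", "version": "1.0.0"}))
    lock = {"lockfileVersion": 3, "packages": {
        "": {"name": "demo-app"},
        "node_modules/leo-logger": {"version": "9.9.9"},
        "node_modules/safe-lib": {"version": "1.0.0"}}}
    (Path(root) / "package-lock.json").write_text(json.dumps(lock))


def demo():
    """Build the constructed sample project in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it from a real project root by calling `audit(".")`; a non-empty `advisory_hits` list means the lockfile pins an affected package, and any package listed under `install_hooks` deserves a look before the next `npm install`, since that is exactly the point at which this campaign executes.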