
Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us: you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it since.

How verification works

  1. We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
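The three-way comparison from the steps above, written out as an added offline example (this is not AVOID.NET's src.verify_decision code). It recomputes SHA-256 over the stored bytes, base58-encodes the digest, parses the AVOID.NET|v1 memo format, and compares the three values. The Solana RPC fetch is left out, so the memo string is constructed; the sample decision, the compact key-sorted JSON serializer, and the use of investigation_id in the d: field are assumptions, since the page only shows the resulting bytes and the memo layout.

```python
import hashlib
import json
from dataclasses import dataclass

# Bitcoin-style base58 alphabet, the one Solana uses for signatures and here for the digest
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MEMO_PREFIX = "AVOID.NET|v1"


def b58encode(data: bytes) -> str:
    """Base58-encode raw bytes; each leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def decision_hash(canonical: bytes) -> str:
    """Step 1: SHA-256 over the exact stored bytes (never re-serialized JSON), then base58."""
    return b58encode(hashlib.sha256(canonical).digest())


def parse_memo(memo: str) -> dict:
    """Split 'AVOID.NET|v1|h:<b58>|d:<id>|t:<iso>' into its fields.
    The ISO timestamp contains ':' itself, so only the first ':' separates key and value."""
    parts = memo.split("|")
    if len(parts) != 5 or "|".join(parts[:2]) != MEMO_PREFIX:
        raise ValueError(f"not an AVOID.NET v1 memo: {memo!r}")
    fields = {}
    for part in parts[2:]:
        key, sep, value = part.partition(":")
        if not sep or key not in ("h", "d", "t") or key in fields or not value:
            raise ValueError(f"malformed memo field: {part!r}")
        fields[key] = value
    return fields


@dataclass(frozen=True)
class Verdict:
    db_hash: str     # 1. hash stored in the AVOID.NET database
    recomputed: str  # 2. hash you recomputed from the canonical bytes
    on_chain: str    # 3. hash carried in the Solana memo

    @property
    def ok(self) -> bool:
        return self.db_hash == self.recomputed == self.on_chain


def verify_decision(canonical: bytes, db_hash: str, memo: str, decision_id: str) -> Verdict:
    """Step 3: compare the three hashes. The d: field must also name the decision being
    checked, so a valid memo for some other decision cannot be passed off as this one."""
    fields = parse_memo(memo)
    if fields["d"] != decision_id:
        raise ValueError(f"memo is for decision {fields['d']!r}, expected {decision_id!r}")
    return Verdict(db_hash, decision_hash(canonical), fields["h"])


# Constructed sample decision (field names mirror the page's canonical bytes; values are made up).
SAMPLE_DECISION = {"actor": "system:backfill", "investigation_id": "00000000-0000-4000-8000-000000000001",
                   "kind": "publish", "sequence_num": 1, "published_at": "2026-06-25T17:04:05.755Z", "v": 1}
# Assumption: the canonical string is compact, key-sorted UTF-8 JSON, as the bytes on the page appear to be.
SAMPLE_CANONICAL = json.dumps(SAMPLE_DECISION, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()
SAMPLE_DB_HASH = decision_hash(SAMPLE_CANONICAL)  # what the database would store alongside the decision
SAMPLE_MEMO = f"{MEMO_PREFIX}|h:{SAMPLE_DB_HASH}|d:{SAMPLE_DECISION['investigation_id']}|t:{SAMPLE_DECISION['published_at']}"

if __name__ == "__main__":
    v = verify_decision(SAMPLE_CANONICAL, SAMPLE_DB_HASH, SAMPLE_MEMO, SAMPLE_DECISION["investigation_id"])
    print("all three match" if v.ok else "MISMATCH", v)
```

For a real check, SAMPLE_MEMO is replaced by the memo instruction data of the transaction identified by the signature on the decision log, and SAMPLE_CANONICAL by the stored bytes shown under "Canonical bytes hashed".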

Sequence: #1
Score:
Cluster: mainnet-beta
Slot: 428847360
Off-chain at: 2026-06-25T17:04:05.802Z
Anchored at:
Block time:

Independent verification

1. Database (off-chain): GM3BvCBEaBtWT2BEnYjibxKJMBiC1D4gPWrRCWq9nZgQ
2. Recomputed (your browser): computing…
3. On-chain (Solana memo): fetching…
Canonical bytes hashed (20453 chars)
{"actor":"system:backfill","investigation_id":"8655eeea-1d2f-4d0d-b554-e117ba889570","kind":"publish","page_slug":"leo-platform-npm-supply-chain-attack-june-2026","published_at":"2026-06-25T17:04:05.755Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Leo Platform npm Supply Chain Attack (June 2026)","sections":[{"content":"At 23:04:55 UTC on June 24, 2026, 20 npm packages under the LeoPlatform/LeoInsights organization received malicious version updates in a coordinated burst spanning less than three seconds. The packages together accumulated approximately 13,600 weekly downloads at the time of compromise. The sole npm account present as a maintainer on all 20 affected packages was czirker (attributed to Clint Zirker); researchers at StepSecurity and SafeDep assessed that the attacker obtained this account's npm and GitHub tokens and used them to execute the mass publish and repository-level operations. No CVE had been assigned at initial publication time. The attack was publicly disclosed by StepSecurity and SafeDep on or around June 25, 2026.","heading":"Attack Overview","severity":"critical","sources":[{"credibility":2,"name":"Mass npm Supply Chain Attack: 20 Leo Platform Packages Compromised - StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mass-npm-supply-chain-attack-20-leo-platform-packages-compromised"},{"credibility":2,"name":"Miasma Worm Infects Multiple LeoPlatform npm Packages - SafeDep","type":"research","url":"https://safedep.io/miasma-worm-hits-leoplatform-20-npm-packages/"}]},{"content":"The following 20 packages received malicious versions on June 24, 2026: leo-logger (3,140 weekly downloads), leo-sdk (1,830), leo-aws (1,730), leo-config (1,709), leo-streams (1,497), serverless-leo (3.0.14), leo-connector-mongo (3.0.8), and 13 additional Leo Platform packages. 
All malicious versions carried an identical payload binary after decryption, distinguished only by per-package ROT-N cipher values and AES-128-GCM keys used in the obfuscation layer. GBHackers additionally reported the attack as affecting the broader Leo/RStreams ecosystem, suggesting the compromise extended to related RStreams packages.","heading":"Affected Packages","severity":"critical","sources":[{"credibility":2,"name":"Mass npm Supply Chain Attack: 20 Leo Platform Packages Compromised - StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mass-npm-supply-chain-attack-20-leo-platform-packages-compromised"},{"credibility":2,"name":"Shai-Hulud Hades Payload Hits 20 Leo/RStreams npm Packages - GBHackers","type":"news_article","url":"https://gbhackers.com/20-leo-rstreams-packages/"},{"credibility":2,"name":"Miasma Worm Infects Multiple LeoPlatform npm Packages - SafeDep","type":"research","url":"https://safedep.io/miasma-worm-hits-leoplatform-20-npm-packages/"}]},{"content":"The attacker employed a technique researchers named 'Phantom Gyp': a 157-byte binding.gyp file was added to each package, containing the node-gyp command expansion string '<!(node index.js > /dev/null 2>&1 && echo stub.c)>'. This triggers arbitrary JavaScript execution during npm install via node-gyp's command substitution, bypassing security tooling that monitors only lifecycle script fields (preinstall, postinstall, install) in package.json. The technique was first documented in the original Miasma campaign on June 3, 2026, and reused identically in the Leo Platform attack. The index.js file in each compromised package was replaced with an approximately 5.2 MB single-line obfuscated payload. 
A bun dependency at version '^1.3.13' was also added as a runtime fallback for payload execution.","heading":"Attack Vector: Phantom Gyp Technique","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp - StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Miasma Worm Infects Multiple LeoPlatform npm Packages - SafeDep","type":"research","url":"https://safedep.io/miasma-worm-hits-leoplatform-20-npm-packages/"}]},{"content":"After unpacking the three-layer obfuscation (ROT-N cipher, AES-128-GCM encryption, obfuscator.io), all 20 packages yield an identical binary: a Bun-based credential-stealing worm. In developer workstation contexts, the payload harvests SSH keys, CLI credentials, browser-stored credentials, cryptocurrency wallet files (including Exodus wallet data), and configuration files for AI coding tools including Claude Code, Cursor, and VS Code. In CI/CD pipeline contexts (e.g., GitHub Actions), the malware reads runner process memory via /proc/{pid}/mem to extract in-flight secrets, escalates to passwordless sudo on GitHub-hosted runners, and scrapes cloud credentials for AWS (IAM keys, IMDS, Secrets Manager, SSM Parameter Store), GCP, and Azure. It also targets credentials for PyPI, RubyGems, Kubernetes, HashiCorp Vault, 1Password, and JFrog Artifactory. Once an npm token is harvested, the worm uses the npm bypass_2fa API mechanism to publish malicious versions of any additional package the victim has publish rights to, enabling self-propagation without triggering two-factor authentication. Exfiltrated data was staged to repositories under the GitHub account liuende501, which hosted 236 repositories used as credential dead-drops. 
Each infection created a new repository (e.g., nemean-hydra-34343) and uploaded stolen credentials as encrypted JSON files.","heading":"Payload Capabilities and Credential Theft","severity":"critical","sources":[{"credibility":2,"name":"Miasma Worm Infects Multiple LeoPlatform npm Packages - SafeDep","type":"research","url":"https://safedep.io/miasma-worm-hits-leoplatform-20-npm-packages/"},{"credibility":2,"name":"Mass npm Supply Chain Attack: 20 Leo Platform Packages Compromised - StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mass-npm-supply-chain-attack-20-leo-platform-packages-compromised"},{"credibility":2,"name":"IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks - The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"}]},{"content":"Alongside the npm package compromise, the attacker used the hijacked GitHub token to create orphan branches in Leo Platform repositories at approximately 22:50 UTC on June 24, 2026 — roughly 15 minutes before the npm package publishes. These branches contained weaponized 'Dependabot Updates' workflow files requesting id-token: write permissions, which enable OIDC-based npm publishing without requiring a direct npm token in future attacks. This mirrors the technique documented in the earlier Miasma/Red Hat campaign, where a compromised employee's GitHub account was used to push orphan commits directly into RedHatInsights repositories. 
The technique enables the attacker to obtain valid SLSA provenance attestations for malicious packages, significantly complicating supply chain verification.","heading":"GitHub Repository Poisoning","severity":"high","sources":[{"credibility":2,"name":"Miasma Worm Infects Multiple LeoPlatform npm Packages - SafeDep","type":"research","url":"https://safedep.io/miasma-worm-hits-leoplatform-20-npm-packages/"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages - Wiz Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"}]},{"content":"Researchers at StepSecurity, SafeDep, Wiz, and Datadog Security Labs assess with moderate-to-high confidence that the Leo Platform attack uses tooling derived from the Shai-Hulud worm framework, attributed to a threat cluster tracked as TeamPCP (also reported under aliases PCPcat, DeadCatx3, ShellForce, and CipherForce). The payload binary SHA256 hashes (Bun bootstrapper: ceff7c51d70832...; worm payload: 9f93d77d328338...) match those from the June 3, 2026 Miasma campaign that compromised 32 @redhat-cloud-services packages. TeamPCP open-sourced the Shai-Hulud framework on GitHub under an MIT License on May 12, 2026, with the message 'Shai-Hulud: Open Sourcing The Carnage' and instructions to 'Change keys and C2 as needed.' This open-sourcing event opens the door for copycat actors, and researchers at Wiz and Microsoft note that the possibility of a copycat actor leveraging the publicly available tooling cannot be ruled out. A geographic killswitch in the codebase exits execution if the system locale is Russian (ru), a pattern consistent with CIS-based threat actors. The C2 domain git-tanstack[.]com was previously associated with TeamPCP operations. 
The Leo Platform attack's 3-second publish window (versus a multi-hour window in earlier campaigns) suggests improved automation tooling.","heading":"Threat Actor Attribution: TeamPCP and Shai-Hulud Framework","severity":"high","sources":[{"credibility":2,"name":"Shai-Hulud Goes Open Source - Datadog Security Labs","type":"research","url":"https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages - Wiz Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":1,"name":"Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign - Microsoft Security Blog","type":"news_article","url":"https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/"},{"credibility":2,"name":"TeamPCP Mini Shai-Hulud Supply Chain Analysis - StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"}]},{"content":"The Leo Platform attack is one of multiple npm supply chain incidents in the first half of 2026 using Shai-Hulud-derived tooling. Prior documented waves include: a TanStack campaign (attributed to TeamPCP, documented by StepSecurity and Snyk); a @redhat-cloud-services campaign known as Miasma (June 3, 2026, 32 packages, ~80,000-117,000 weekly downloads, documented by Microsoft, Wiz, Orca Security, and Red Hat via RHSB-2026-006); an @antv namespace compromise (documented by Wiz); SAP npm package targeting (documented by Upwind); and the concurrent IronWorm campaign (June 5, 2026, 50+ packages, compromised via the 'asteroiddao' npm account, targeting Exodus cryptocurrency wallets alongside other credentials). 
The Cloud Security Alliance assessed that the Leo Platform attack occurred 21 days after Miasma, with the same actor or toolset targeting a new ecosystem. Palo Alto Networks Unit 42 tracked the broader npm threat landscape throughout 2026, noting a surge in supply chain attack activity.","heading":"Broader Campaign Context","severity":"high","sources":[{"credibility":2,"name":"npm Supply Chain Under Siege: TeamPCP, Miasma, and npm v12 - CSA Lab Space","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-whitepaper-npm-ai-toolchain-supply-chain-security-v1-0-c/"},{"credibility":1,"name":"RHSB-2026-006 Supply chain compromise of @redhat-cloud-services npm packages - Red Hat Customer Portal","type":"regulatory","url":"https://access.redhat.com/security/vulnerabilities/RHSB-2026-006"},{"credibility":2,"name":"IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks - The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"},{"credibility":2,"name":"The npm Threat Landscape: Attack Surface and Mitigations - Palo Alto Networks Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"},{"credibility":2,"name":"The Worm That Keeps on Digging: TeamPCP Hits @antv - Wiz Blog","type":"research","url":"https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain"}]},{"content":"Researchers identified a detection pattern for Phantom Gyp infections: any npm package combining a recently added binding.gyp file using node command expansion syntax, a new bun dependency entry, and a replacement index.js file in the multi-megabyte range should be treated as potentially infected. Specific IOCs include the Bun bootstrapper SHA256 ceff7c51d70832... and worm payload SHA256 9f93d77d328338.... The GitHub exfiltration account liuende501 (236 repositories) should be blocked as a known dead-drop. 
The C2 domain git-tanstack[.]com is associated with prior TeamPCP operations. Organizations consuming Leo Platform packages are advised to audit their environments for npm and GitHub token exposure, rotate any credentials that may have been present in environments where affected package versions were installed, and upgrade to clean package versions published after June 24, 2026 at 23:04:55 UTC.","heading":"Detection Indicators and Remediation","severity":"high","sources":[{"credibility":2,"name":"Miasma Worm Infects Multiple LeoPlatform npm Packages - SafeDep","type":"research","url":"https://safedep.io/miasma-worm-hits-leoplatform-20-npm-packages/"},{"credibility":2,"name":"Mass npm Supply Chain Attack: 20 Leo Platform Packages Compromised - StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mass-npm-supply-chain-attack-20-leo-platform-packages-compromised"},{"credibility":2,"name":"Shai-Hulud Goes Open Source - Datadog Security Labs","type":"research","url":"https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/"}]}],"sources_used":[{"credibility":2,"name":"Mass npm Supply Chain Attack: 20 Leo Platform Packages Compromised - StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mass-npm-supply-chain-attack-20-leo-platform-packages-compromised"},{"credibility":2,"name":"Miasma Worm Infects Multiple LeoPlatform npm Packages - SafeDep","type":"research","url":"https://safedep.io/miasma-worm-hits-leoplatform-20-npm-packages/"},{"credibility":2,"name":"Shai-Hulud Hades Payload Hits 20 Leo/RStreams npm Packages - GBHackers","type":"news_article","url":"https://gbhackers.com/20-leo-rstreams-packages/"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages - Wiz Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":1,"name":"Preinstall to persistence: Inside the Red Hat npm Miasma 
credential-stealing campaign - Microsoft Security Blog","type":"news_article","url":"https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/"},{"credibility":1,"name":"RHSB-2026-006 Supply chain compromise of @redhat-cloud-services npm packages - Red Hat Customer Portal","type":"regulatory","url":"https://access.redhat.com/security/vulnerabilities/RHSB-2026-006"},{"credibility":2,"name":"IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks - The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"},{"credibility":2,"name":"Miasma Supply Chain Attack Compromises Red Hat npm Packages - The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"credibility":2,"name":"Shai-Hulud Goes Open Source - Datadog Security Labs","type":"research","url":"https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/"},{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp - StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"TeamPCP Mini Shai-Hulud Supply Chain Analysis - StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"credibility":2,"name":"npm Supply Chain Under Siege: TeamPCP, Miasma, and npm v12 - CSA Lab Space","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-whitepaper-npm-ai-toolchain-supply-chain-security-v1-0-c/"},{"credibility":2,"name":"The npm Threat Landscape: Attack Surface and Mitigations - Palo Alto Networks Unit 
42","type":"research","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"},{"credibility":2,"name":"Red Hat npm Packages Compromised in Supply-Chain Attack - Orca Security","type":"research","url":"https://orca.security/resources/blog/red-hat-npm-supply-chain-attack/"},{"credibility":2,"name":"The Worm That Keeps on Digging: TeamPCP Hits @antv - Wiz Blog","type":"research","url":"https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain"}],"summary":"On June 24, 2026, 20 npm packages belonging to the Leo Platform (LeoPlatform/LeoInsights) ecosystem were simultaneously compromised via a single hijacked maintainer account, delivering a credential-stealing worm structurally identical to the earlier Miasma campaign. The attack is attributed to tooling derived from the TeamPCP Shai-Hulud worm framework, which was open-sourced on May 12, 2026, enabling copycat or original-actor operations against new ecosystems. Approximately 13,600 weekly downloads were exposed to a payload capable of stealing CI/CD secrets, cloud credentials, cryptocurrency wallet files, and AI coding-tool configurations.","timeline":[{"date":"2025-01-01","event":"TeamPCP begins active supply chain attack campaigns targeting npm and PyPI ecosystems using the Shai-Hulud worm framework (approximate start based on reporting).","source":"Datadog Security Labs","source_url":"https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/"},{"date":"2026-04-13","event":"Credentials belonging to a Red Hat employee appear in commercial infostealer logs — the earliest known precursor to the subsequent Miasma campaign.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/"},{"date":"2026-05-12","event":"TeamPCP open-sources the Shai-Hulud worm framework on GitHub under MIT License with the message 'Shai-Hulud: 
Open Sourcing The Carnage,' enabling potential copycat operations.","source":"Datadog Security Labs","source_url":"https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/"},{"date":"2026-06-01","event":"Miasma first wave: malicious commits pushed to three @redhat-cloud-services repositories at 10:53 UTC.","source":"Wiz Blog","source_url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"date":"2026-06-03","event":"Miasma campaign publicly confirmed: 32 @redhat-cloud-services npm packages compromised across 57 packages and 286 malicious versions using the Phantom Gyp technique.","source":"Miasma Supply Chain Attack - The Hacker News","source_url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"date":"2026-06-05","event":"IronWorm campaign disclosed: 50+ npm packages trojanized via compromised 'asteroiddao' npm account, including Exodus cryptocurrency wallet file theft.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"},{"date":"2026-06-24","event":"Orphan branches created on Leo Platform GitHub repositories at approximately 22:50 UTC, containing weaponized Dependabot workflow files requesting OIDC publishing permissions.","source":"SafeDep","source_url":"https://safedep.io/miasma-worm-hits-leoplatform-20-npm-packages/"},{"date":"2026-06-24","event":"At 23:04:55 UTC, 20 malicious npm package versions published across the Leo Platform ecosystem in a 3-second burst using the compromised czirker maintainer account.","source":"StepSecurity","source_url":"https://www.stepsecurity.io/blog/mass-npm-supply-chain-attack-20-leo-platform-packages-compromised"},{"date":"2026-06-25","event":"Public disclosure by StepSecurity and SafeDep; GBHackers reports attack as Shai-Hulud Hades Payload targeting Leo/RStreams 
packages.","source":"GBHackers","source_url":"https://gbhackers.com/20-leo-rstreams-packages/"}]},"v":1}