Miasma Malware Expands Supply Chain Attack to npm, GitHub Actions, and Go
What Happened
Cybersecurity researchers have confirmed a new wave of the Miasma supply chain campaign — linked to the same threat actor behind the Mini Shai-Hulud and Hades malware families — that has compromised a fresh set of npm packages and embedded malicious payloads inside GitHub Actions workflows. The campaign has since propagated into the Go module ecosystem, widening its blast radius well beyond the JavaScript community.
Why It Matters
Supply chain attacks are among the most dangerous vectors in modern software development because they exploit trust. When you install a compromised npm package or reference a poisoned GitHub Action, the attacker's code executes inside your environment — often with CI/CD-level privileges, access to repository secrets, and cloud provider credentials.
The Miasma family's jump to GitHub Actions and Go makes this particularly serious:
- GitHub Actions run inside your CI pipeline with access to GITHUB_TOKEN, stored secrets, and often AWS, GCP, or Azure credentials. A malicious action can exfiltrate all of this silently on every push.
- npm is the world's largest package registry. Transitive dependencies mean you may be pulling in a compromised package without any direct relationship to it.
- Go module propagation signals the threat actor is actively porting attack infrastructure to new ecosystems — this campaign is expanding, not contracting.
This is not a theoretical risk. Active, confirmed real-world compromise is in progress.
What to Do
Act before your next CI run.
1. Pin your GitHub Actions to commit SHAs. Replace mutable tags like uses: actions/checkout@v4 with the full SHA: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683. This prevents silent tag-moving attacks where a trusted action is swapped out from under you.
2. Run npm audit now. For deeper supply chain analysis beyond known CVEs — including typosquatting and dependency confusion — run npx socket scan against your project.
3. Cross-reference Miasma IOCs. The Hacker News report includes indicators of compromise. Verify your installed packages and workflow dependencies against them before ruling out exposure.
4. Rotate CI/CD secrets if exposure is possible. This means GitHub token scopes, cloud provider keys, and any secrets accessible from your pipeline environment. The cost of rotation is low; the cost of a leaked deploy key is not.
5. Verify Go module integrity. Run go mod verify to detect any tampering against your go.sum lockfile. Flag any checksum mismatches immediately.
6. Enable GitHub's Dependency Review Action. It will flag newly introduced suspicious or vulnerable packages on every pull request — a lightweight guard that catches problems before they merge.
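As an added example (not part of the original report), a small script that applies step 1 to a repository's workflow files: it flags every uses: reference that resolves to a mutable tag or branch instead of a full 40-character commit SHA, treating local actions and digest-pinned docker:// images as immutable. The sample workflow it scans is constructed for the example.

```python
"""Flag GitHub Actions 'uses:' references not pinned to a full commit SHA (step 1 above)."""
import re

# A 'uses:' line in a workflow step or reusable-workflow job; captures the reference.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref: str) -> bool:
    """True only for immutable references: a 40-hex commit SHA, a local in-repo
    action, or a docker:// image addressed by digest. Tags and branches are mutable."""
    if ref.startswith("./"):
        return True                      # local action: no remote tag to move
    if ref.startswith("docker://"):
        return "@sha256:" in ref         # image pinned by digest, not by tag
    if "@" not in ref:
        return False                     # no ref at all: resolves to the default branch
    return bool(FULL_SHA_RE.match(ref.rpartition("@")[2]))


def find_unpinned_uses(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for every mutable 'uses:' in a workflow file."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow (not taken from the report) covering each case.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # pinned SHA
      - uses: actions/setup-node@v4                  # mutable tag
      - uses: 'some-org/some-action@main'            # mutable branch, quoted
      - uses: ./.github/actions/local                # local action, fine
      - uses: docker://alpine:3.19                   # mutable image tag
  deploy:
    uses: some-org/workflows/.github/workflows/deploy.yml@v1  # reusable workflow, mutable
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned reference {ref}")
```

Run it over each file under .github/workflows; anything it reports is a tag the upstream maintainer (or an attacker holding their credentials) can move without any change to your repository.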
The window between a supply chain compromise and detection is typically measured in days to weeks. Treat your CI environment as potentially compromised until these checks are complete.
Synthesized by Claude · sanity-checked before publish.