npm Malware Variant Infects 408 GitHub Repositories via Stolen Developer Account
2026-06-25 16:30

Woofun AI reports that a new variant of the Shai-Hulud / Miasma / Hades malware has emerged in the npm ecosystem, linked to the compromised developer account czirker. The attack exploits pre-configured binding.gyp files to execute malicious code during the npm install process.

Twenty-three software packages are affected, with the leo-logger package recording up to 3,140 weekly downloads. Security teams have identified 408 infected GitHub repositories containing stolen credentials. Risks include theft of GitHub and npm tokens, AWS/GCP/Azure cloud credentials, local environment data leakage, and misuse of GitHub Actions workflows. Mitigation requires checking package history, removing affected packages, rotating all service keys, and enabling two-factor authentication.
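A triage sketch for the "checking package history" step, added here and not taken from the report: it walks an installed dependency tree and lists every package that ships a binding.gyp, whether npm would build it implicitly on install, and any gyp command-expansion lines that need review. The `WATCHLIST` set is an assumption containing only the one package the report names.

```python
import json
import os
import sys

# Constructed watchlist: leo-logger is the only package the report names.
WATCHLIST = {"leo-logger"}


def audit_package(pkg_dir):
    """Describe one package's binding.gyp exposure; None if it has no binding.gyp."""
    gyp_path = os.path.join(pkg_dir, "binding.gyp")
    if not os.path.isfile(gyp_path):
        return None
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            manifest = json.load(fh)
    except (OSError, ValueError):
        manifest = {}
    if not isinstance(manifest, dict):
        manifest = {}
    scripts = manifest.get("scripts")
    scripts = scripts if isinstance(scripts, dict) else {}
    name = str(manifest.get("name") or os.path.basename(pkg_dir))
    with open(gyp_path, encoding="utf-8", errors="replace") as fh:
        gyp_lines = fh.read().splitlines()
    return {
        "name": name,
        "version": str(manifest.get("version", "?")),
        # npm defaults the install step to `node-gyp rebuild` when binding.gyp
        # exists, no install/preinstall script is set and gypfile is not false.
        "implicit_build": not ({"install", "preinstall"} & scripts.keys())
        and manifest.get("gypfile") is not False,
        # gyp command expansion, <!(cmd) or <!@(cmd), runs cmd at configure time.
        # Legitimate native addons use it too, so this is a review flag only.
        "commands": [ln.strip() for ln in gyp_lines if "<!(" in ln or "<!@(" in ln],
        "watchlisted": name in WATCHLIST,
    }


def scan(root):
    """Audit every directory under root that holds a package.json."""
    found = [audit_package(d) for d, _, files in os.walk(root) if "package.json" in files]
    return sorted((f for f in found if f), key=lambda f: f["name"])


if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "node_modules"):
        flag = "REVIEW" if f["commands"] or f["watchlisted"] else "info"
        print(flag, f["name"], f["version"], "implicit_build=%s" % f["implicit_build"], f["commands"])
```

Run it against a project's `node_modules` directory; a package with `implicit_build` set and no native code you expect is the first thing to compare against its earlier published versions.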

Tags:
SlowMist
npm
Shai-Hulud
Miasma
Hades
leo-logger
GitHub
AWS
GCP
Azure
GitHub Actions