Leo Platform npm Supply Chain Attack (June 2026)

avoid.net/leo-platform-npm-supply-chain-attack-june-2026 · 3/100 · 88% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·2yxVKS…DPG6

Summary

On June 24, 2026, 20 npm packages belonging to the Leo Platform (LeoPlatform/LeoInsights) ecosystem were simultaneously compromised via a single hijacked maintainer account, delivering a credential-stealing worm structurally identical to the earlier Miasma campaign. The attack is attributed to tooling derived from the TeamPCP Shai-Hulud worm framework, which was open-sourced on May 12, 2026, enabling copycat or original-actor operations against new ecosystems. Approximately 13,600 weekly downloads were exposed to a payload capable of stealing CI/CD secrets, cloud credentials, cryptocurrency wallet files, and AI coding-tool configurations.

Timeline (9 events)

2025-01-01

TeamPCP begins active supply chain attack campaigns targeting npm and PyPI ecosystems using the Shai-Hulud worm framework (approximate start based on reporting).

Datadog Security Labs

2026-04-13

Credentials belonging to a Red Hat employee appear in commercial infostealer logs — the earliest known precursor to the subsequent Miasma campaign.

Microsoft Security Blog

2026-05-12

TeamPCP open-sources the Shai-Hulud worm framework on GitHub under MIT License with the message 'Shai-Hulud: Open Sourcing The Carnage,' enabling potential copycat operations.

Datadog Security Labs

2026-06-01

Miasma first wave: malicious commits pushed to three @redhat-cloud-services repositories at 10:53 UTC.

Wiz Blog

2026-06-03

Miasma campaign publicly confirmed: 32 @redhat-cloud-services npm packages compromised across 57 packages and 286 malicious versions using the Phantom Gyp technique.

Miasma Supply Chain Attack - The Hacker News

2026-06-05

IronWorm campaign disclosed: 50+ npm packages trojanized via compromised 'asteroiddao' npm account, including Exodus cryptocurrency wallet file theft.

The Hacker News

2026-06-24

Orphan branches created on Leo Platform GitHub repositories at approximately 22:50 UTC, containing weaponized Dependabot workflow files requesting OIDC publishing permissions.

SafeDep

2026-06-24

At 23:04:55 UTC, 20 malicious npm package versions published across the Leo Platform ecosystem in a 3-second burst using the compromised czirker maintainer account.

StepSecurity

2026-06-25

Public disclosure by StepSecurity and SafeDep; GBHackers reports attack as Shai-Hulud Hades Payload targeting Leo/RStreams packages.

GBHackers
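
The 2026-06-24 entry describes 20 versions published from one account within 3 seconds, a pattern that registry metadata makes visible to defenders. The following is an added detection example, not code from this page or the cited reports; it assumes input shaped like npm registry packuments (the `time` map and `versions[v]._npmUser.name`), and the package names, account names and thresholds are constructed placeholders.

```javascript
// Added example: flag one publisher releasing many distinct packages within seconds.
// Input objects mimic npm registry packuments (`time` map, `versions[v]._npmUser.name`).
function findPublishBursts(packuments, { windowMs = 5000, minPackages = 5 } = {}) {
  const byUser = new Map(); // publishing account -> list of publish events
  for (const p of packuments) {
    for (const [version, meta] of Object.entries(p.versions || {})) {
      const ts = Date.parse((p.time || {})[version]);
      const user = meta && meta._npmUser && meta._npmUser.name;
      if (!user || Number.isNaN(ts)) continue; // skip incomplete metadata
      if (!byUser.has(user)) byUser.set(user, []);
      byUser.get(user).push({ pkg: p.name, version, ts });
    }
  }
  const bursts = [];
  for (const [user, events] of byUser) {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    while (start < events.length) {
      let end = start; // extend while events stay within windowMs of the first one
      while (end + 1 < events.length && events[end + 1].ts - events[start].ts <= windowMs) end++;
      const slice = events.slice(start, end + 1);
      const pkgs = new Set(slice.map((e) => e.pkg));
      if (pkgs.size >= minPackages) {
        bursts.push({ user, packages: [...pkgs].sort(),
          from: new Date(slice[0].ts).toISOString(), spanMs: slice[slice.length - 1].ts - slice[0].ts });
        start = end + 1; // consume the whole burst
      } else {
        start++;
      }
    }
  }
  return bursts;
}

// Constructed sample data: placeholder package and account names, not the affected ones.
function samplePackuments() {
  const mk = (name, releases) => ({
    name,
    time: Object.fromEntries(releases.map((r) => [r.v, r.at])),
    versions: Object.fromEntries(releases.map((r) => [r.v, { _npmUser: { name: r.by } }])),
  });
  const burst = ["a", "b", "c", "d", "e", "f"].map((s, i) =>
    mk(`example-pkg-${s}`, [
      { v: "1.0.0", at: `2025-0${i + 1}-10T12:00:00.000Z`, by: "maintainer-x" },
      { v: "1.0.1", at: `2026-06-24T23:04:5${5 + (i % 3)}.000Z`, by: "maintainer-x" },
    ]));
  return [...burst, mk("example-pkg-z", [{ v: "2.0.0", at: "2026-06-24T23:04:56.000Z", by: "maintainer-y" }])];
}
```

On the constructed data, `findPublishBursts(samplePackuments())` reports a single burst for `maintainer-x` spanning six packages; normal monthly releases and the unrelated publisher are ignored.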
Provenance & Audit Trail

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 6/25/2026, 5:03:56 PM

last updated: 6/25/2026, 5:04:05 PM

avoid.net — verified advice for a post-truth world