
galenyuan.eth (@galenyuan) “Lock dependency versions! Lock dependency versions! Lock dependency versions!” — TopicDigg

galenyuan.eth
@galenyuan
Building @Rabby_io & @DeBankDeFi | Husband of @Daaaaaameng
Joined September 2014
1.4K Following    2.4K Followers
Lock dependency versions! Lock dependency versions! Lock dependency versions!
🚨 SlowMist TI Alert 🚨 A new Shai-Hulud / Miasma / Hades npm malware variant linked to the compromised npm developer account czirker, affecting the npm ecosystem. The campaign uses a preconfigured binding.gyp file to execute during npm install; reported scope includes 23 affected packages, with leo-logger noted at 3,140 weekly npm downloads. As of the tweet publication time, 408 infected GitHub repositories containing stolen credentials had already been observed. Potential attacker actions include GitHub token theft, npm token theft, AWS / GCP / Azure credential theft, local environment data exfiltration, malicious GitHub workflow abuse, and further npm supply-chain propagation. Security teams should immediately check lockfiles and package histories for affected versions, downgrade or remove impacted packages, rotate npm, GitHub, cloud, CI/CD, and application secrets, and enforce 2FA. Thanks to @OX__Security for the excellent analysis. As always, stay vigilant! The following URL can be used to track the latest situation:
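One defender-side check for the two steps above (inspect the lockfile for affected packages, and lock dependency versions), as an added Node.js example that is not part of the tweet or of SlowMist's or OX Security's analysis. The affected-name list holds only leo-logger, the one package the alert names; the full list and versions must come from the vendor advisory, and the sample lockfile and package.json are constructed.

```javascript
// Added example (not from the tweet or SlowMist): audit an npm lockfile for
// packages on an affected-name list and report package.json dependency specs
// that are not pinned to an exact version.

// Only leo-logger is named in the alert; the full list of affected names and
// versions must come from the vendor advisory (placeholder entries only).
const AFFECTED = new Set(['leo-logger']);

// Installed packages (lockfileVersion 2/3 "packages" map) whose name is on
// the affected list, including nested copies under other packages.
function findAffected(lockJson, affected = AFFECTED) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const i = path.lastIndexOf('node_modules/');
    const name = path.slice(i + 'node_modules/'.length); // works for @scope/name too
    if (affected.has(name)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}

// Specs that are not an exact semver (ranges, tags, git/URL specs) are not
// "locked": a fresh install may pull a newer, possibly malicious, release.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
function findUnpinned(pkgJson) {
  const pkg = JSON.parse(pkgJson);
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Constructed sample inputs, not real project files.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { 'leo-logger': '^1.0.0', foo: '2.0.0' } },
    'node_modules/leo-logger': { version: '1.2.3' },
    'node_modules/foo': { version: '2.0.0' },
    'node_modules/foo/node_modules/leo-logger': { version: '1.2.4' },
  },
});
const SAMPLE_PKG = JSON.stringify({
  dependencies: { 'leo-logger': '^1.0.0', foo: '2.0.0' },
  devDependencies: { bar: 'github:example/bar' },
});
```

Run `findAffected` over a real package-lock.json and `findUnpinned` over package.json in CI; any hit on the first is a reason to remove or downgrade and rotate secrets, and any hit on the second is a dependency that is not actually locked.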