Hades

The information is then uploaded to a public GitHub repository with description "Alright Lets See If This Works."

It's suspected that an npm developer account associated with the LeoPlatform ... was breached, likely via leaked credentials, to enable the attack, allowing the threat actors to leverage an npm token belonging to the maintainer to push trojanized versions within a six-second window.

This appears to be a continuation of the activity we reported yesterday involving LeoPlatform and RStreams npm packages, GitHub Actions workflow abuse, AI-agent persistence, and the Verana Go module/source-repository compromise. The new ImmobiliareLabs activity follows the same broader campaign pattern: compromise trusted developer infrastructure, publish malicious package versions...

The malicious releases were published in a tight window on June 26, 2026... Multiple historical versions were republished with malicious artifacts, suggesting the threat actor attempted to maximize exposure across users pinned to older major versions.

~/.config/systemd/user/gh-token-monitor.service ~/Library/LaunchAgents/com.user.gh-token-monitor.plist ~/.local/share/updater/update.py ~/.local/share/updater/ update-monitor.service

When npm sees a package with binding.gyp and no explicit install script, it falls back to running node-gyp rebuild. During that process, node-gyp expands shell commands embedded in <!(...) expressions. Attackers can abuse this behavior to execute the payload during package installation... "sources" : [ "<!(node index.js > /dev/null 2>&1 && echo stub.c)" ]

The malicious npm packages ... incorporates a binding.gyp file to execute arbitrary code during installation, resulting in the launch of a JavaScript loader that downloads and installs the Bun runtime if not present, and then initiate the stealer payload.

~/.config/systemd/user/gh-token-monitor.service ~/Library/LaunchAgents/com.user.gh-token-monitor.plist ~/.local/share/updater/update.py ~/.local/share/updater/ update-monitor.service

It's suspected that an npm developer account associated with the LeoPlatform ... was breached, likely via leaked credentials, to enable the attack, allowing the threat actors to leverage an npm token belonging to the maintainer to push trojanized versions within a six-second window.

GitHub dead-drop exfiltration by creating repositories under a usable GitHub token and committing encrypted result files under results/ .

...or a LaunchAgent on macOS...

It sets itself up as a systemd service on Linux...

npm, PyPI, RubyGems, JFrog/Artifactory, GitHub Actions, and AI-tool persistence logic. gh-token-monitor dead-man switch behavior. GitHub Actions secret-dump workflow logic using VARIABLE_STORE and format-results.txt .

~/.config/systemd/user/gh-token-monitor.service ~/Library/LaunchAgents/com.user.gh-token-monitor.plist ~/.local/share/updater/update.py ~/.local/share/updater/ update-monitor.service

It's suspected that an npm developer account associated with the LeoPlatform ... was breached, likely via leaked credentials, to enable the attack, allowing the threat actors to leverage an npm token belonging to the maintainer to push trojanized versions within a six-second window.

...or a LaunchAgent on macOS...

It sets itself up as a systemd service on Linux...

Finally, the file executes obfuscated JavaScript. It uses a character-code array and ROT-style substitution to reconstruct the payload.

The payload still contains Anthropic camouflage: api.anthropic.com v1/api As in the previous Miasma analysis, this appears to be use of a legitimate-looking API host/path as camouflage rather than evidence of a compromised Anthropic service.

It's suspected that an npm developer account associated with the LeoPlatform ... was breached, likely via leaked credentials, to enable the attack, allowing the threat actors to leverage an npm token belonging to the maintainer to push trojanized versions within a six-second window.

The comment contains fake instructions to an LLM... designed to trigger LLM safety refusals and disrupt AI-assisted malware triage before the scanner reaches the obfuscated Hades payload

npm, PyPI, RubyGems, JFrog/Artifactory, GitHub Actions, and AI-tool persistence logic. gh-token-monitor dead-man switch behavior. GitHub Actions secret-dump workflow logic using VARIABLE_STORE and format-results.txt .

The code does not use SEED_PAT unconditionally. It first checks whether the GitHub Actions GITHUB_REPOSITORY environment value contains Seeder. Only in that case does it read SEED_PAT and add that token as a GitHub sender.

the payload begins collecting credentials stored across files, environment variables, shell history, GitHub CLI tokens, cloud access keys, and CI/CD pipeline secrets.

It retains the familiar behavior: Broad credential collection from files, environment variables, shell history, GitHub CLI tokens, cloud credentials, package-manager tokens, and CI/CD environments.

It retains the familiar behavior: Broad credential collection from files, environment variables, shell history, GitHub CLI tokens, cloud credentials, package-manager tokens, and CI/CD environments.

It retains the familiar behavior: Broad credential collection from files, environment variables, shell history, GitHub CLI tokens, cloud credentials, package-manager tokens, and CI/CD environments.

npm, PyPI, RubyGems, JFrog/Artifactory, GitHub Actions, and AI-tool persistence logic. gh-token-monitor dead-man switch behavior. GitHub Actions secret-dump workflow logic using VARIABLE_STORE and format-results.txt .

The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows.

These libraries tend to show up close to cloud infrastructure, event pipelines, and CI/CD systems, exactly the places where npm installation can run with access to AWS credentials, GitHub tokens, npm publishing credentials, and application secrets.

The comment contains fake instructions to an LLM... designed to trigger LLM safety refusals and disrupt AI-assisted malware triage before the scanner reaches the obfuscated Hades payload

The Register has been covering the story of the Shai-Hulud JavaScript worm for months. We introduced this self-propagating worm in September.

SSH lateral movement using ai_setup.sh and ai_init.js .

SSH lateral movement using ai_setup.sh and ai_init.js .

The malware ... drops a workflow named "Run Copilot" to capture CI/CD environment secrets from the runner memory.

The token relay marker has also witnessed a change in the latest iteration ... the current artifact uses "RevokeAndItGoesKaboom," a string that has been used as GitHub dead drop resolver ...

containing a multi-stage dropper with an infostealer logic

... polls GitHub every hour for commits matching the string "firedalazer" to retrieve and execute the Hades variant of the malware.

GitHub dead-drop exfiltration by creating repositories under a usable GitHub token and committing encrypted result files under results/ ... If a usable token is available, it can create a repository under the token owner and write result files under: results/results-<timestamp>-<counter>.json

First, the malware uploads the stolen credentials and API keys to GitHub using the string “Alright Lets See If This Works”