mini Shai-Hulud

The information is then uploaded to a public GitHub repository with description "Alright Lets See If This Works."

If a simonecorsi-controlled workflow executed the compromised action with npm publishing credentials, GitHub tokens, or deployment permissions available to the runner, the attacker could have gained the access needed to publish malicious @immobiliarelabs package versions or trigger follow-on GitHub Actions activity.

The threat group has consistently evolved its tactics, developing payloads in JavaScript and Python while spreading from local files to Kubernetes application programming interfaces and bundled software development kits.

This appears to be a continuation of the activity we reported yesterday involving LeoPlatform and RStreams npm packages, GitHub Actions workflow abuse, AI-agent persistence, and the Verana Go module/source-repository compromise. The new ImmobiliareLabs activity follows the same broader campaign pattern: compromise trusted developer infrastructure, publish malicious package versions...

The malicious releases were published in a tight window on June 26, 2026... Multiple historical versions were republished with malicious artifacts, suggesting the threat actor attempted to maximize exposure across users pinned to older major versions.

Nx Console 18.95.0 — IDE Distribution Vector ... publish the malicious extension. ... IDE extensions = locally high-privilege code

Through compromise of CI runners, TeamPCP effectively converted trusted software distribution channels into malware delivery channels by compromising automated systems that build, test, and publish software.

One additional lead points to the compromised codfish/semantic-release-action as a possible upstream access path... downstream workflows that referenced those tags to execute attacker-controlled code inside GitHub Actions runners.

prepare: bun run tanstack_runner.js && exit 1 ... preinstall: bun run index.js ... downloading and executing rope.pyz / /tmp/managed.pyz .

The malicious tarball adds a root-level index.js that decrypts and executes a hidden payload, bootstraps Bun if needed, and runs a second-stage script.

If a simonecorsi-controlled workflow executed the compromised action with npm publishing credentials, GitHub tokens, or deployment permissions available to the runner, the attacker could have gained the access needed to publish malicious @immobiliarelabs package versions or trigger follow-on GitHub Actions activity.

The threat group has consistently evolved its tactics, developing payloads in JavaScript and Python while spreading from local files to Kubernetes application programming interfaces and bundled software development kits.

GitHub tokens can then be used to create repositories, upload encrypted data, modify workflows, poison source repositories, or prepare additional propagation paths. GitHub repository activity from services-admin-pearhealthlabs shows hundreds of public repositories with randomized names...

A public run in immobiliare/backstage-plugin-gitlab shows a workflow named Dependabot Updates, triggered via deployment on June 26, 2026... The workflow view shows release.yml configured with on: deployment.

includes Sigstore Fulcio/Rekor logic, enabling forged downstream npm provenance.

short-lived OIDC tokens were extracted from the memory of the Runner.Worker process... This attack shares the same TTPs as the 5/19 @antv wave: kitty-monitor, firedalazer, and extraction of Actions secrets from Runner /proc/*/mem .

If a simonecorsi-controlled workflow executed the compromised action with npm publishing credentials, GitHub tokens, or deployment permissions available to the runner, the attacker could have gained the access needed to publish malicious @immobiliarelabs package versions or trigger follow-on GitHub Actions activity.

The threat group has consistently evolved its tactics, developing payloads in JavaScript and Python while spreading from local files to Kubernetes application programming interfaces and bundled software development kits.

A public run in immobiliare/backstage-plugin-gitlab shows a workflow named Dependabot Updates, triggered via deployment on June 26, 2026... The workflow view shows release.yml configured with on: deployment.

Root index.js is a single-line Caesar-shift loader followed by AES-128-GCM decryption and multi-stage payload delivery.

short-lived OIDC tokens were extracted from the memory of the Runner.Worker process... This attack shares the same TTPs as the 5/19 @antv wave: kitty-monitor, firedalazer, and extraction of Actions secrets from Runner /proc/*/mem .

If a simonecorsi-controlled workflow executed the compromised action with npm publishing credentials, GitHub tokens, or deployment permissions available to the runner, the attacker could have gained the access needed to publish malicious @immobiliarelabs package versions or trigger follow-on GitHub Actions activity.

The threat group has consistently evolved its tactics, developing payloads in JavaScript and Python while spreading from local files to Kubernetes application programming interfaces and bundled software development kits.

A malicious cache of approximately 1.1GB was written into the same pnpm store cache key used by release.yml (the cache scope was shared between pull_request_target and main branch pushes; permissions: contents: read could not prevent cache post-job writes).

includes Sigstore Fulcio/Rekor logic, enabling forged downstream npm provenance.

StepSecurity also reported that the payload targeted GitHub OIDC tokens, GitHub personal access tokens, and CI/CD secrets... Exfiltrates stolen secrets via the GitHub API to attacker-controlled repositories.

An Nx developer was compromised through the TanStack-related supply chain attack, resulting in the leakage of GitHub CLI (gh) credentials; ... harvesting GitHub / npm / AWS / Vault / K8s / 1Password / Claude Code configurations, etc.

Payload steals developer and CI/CD secrets: .env files, npm/PyPI/GitHub/Slack/Twilio/AWS/Azure/GCP/Vault tokens, SSH keys, Docker credentials, Kubernetes configs.

includes Sigstore Fulcio/Rekor logic, enabling forged downstream npm provenance.

The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows.

The Register has been covering the story of the Shai-Hulud JavaScript worm for months. We introduced this self-propagating worm in September.

The malware ... drops a workflow named "Run Copilot" to capture CI/CD environment secrets from the runner memory.

Third-stage payload runs under Bun v1.3.13, downloads if absent, and executes the final malware.

Exfiltration: HTTPS + GitHub API + DNS

Exfiltrates stolen secrets via the GitHub API to attacker-controlled repositories.