ON June 24, 2026, a coordinated attack released malicious versions of 20 npm packages within the Leo Platform ecosystem, all equipped with a CI/CD attack toolkit that targets GitHub Actions runners, steals credentials, and exfiltrates them through the user's GitHub token. These packages are collectively downloaded around 13,600 times weekly. The attack shares similarities with the previous Miasma campaign, including identical payload structures and obfuscation techniques. Specific malicious packages and potential remediation steps for affected users are detailed.
Malicious npm Packages Steal GitHub Tokens from Leo Platform
CyberSIXT Evidence Panel
Source marked as original reporting
Article by CyberSIXT