Breaking News: New Shai-Hulud npm Malware Variant Steals Credentials from 52640 Monthly Downloads

“Alright Lets See If This Works”: Shai-Hulud / Miasma / Hades Variant Spreads on npm

The developer account “czirker” was compromised and used to deliver a new Shai-Hulud / Miasma / Hades variant, affecting a total of 52,640 monthly downloads

Breaking News: New Shai-Hulud / Miasma / Hades variant spreads on npm, containing a multi-stage dropper with infostealer logic

Overview

A new variant of the infostealer malware dubbed Miasma, which OX Security has already covered numerous times – including Miasma Supply Chain Attack Is Back on npm, New Shai-Hulud hits npm: @redhat-cloud-services Compromised, and Six Stages Deep and an Endless Loop: Shai-Hulud Is Getting Sophisticated – has appeared on npm. It uses the same new technique of a preconfigured binding.gyp file, which executes directly when the package is installed.

The malware, as we’ve already discussed, steals GitHub tokens, npm tokens, AWS, GCP and Azure cloud credentials, and local environment information.

We assume that the affected npm developer account, czirker, was compromised, most likely via leaked credentials or a leaked npm token obtained by an infostealer. Around 4 hours ago, all of his packages on npm were updated to include the new Miasma malware variant.

While the developer account compromise happened 4 hours ago, this variant’s string had already appeared on GitHub around 10 hours ago, first committed on Wed, 24 Jun 2026 09:33:24 -0700.

At the time of writing this article, 338 repositories with stolen credentials had been found on GitHub containing the string “Alright Lets See If This Works”.

Big thanks to Kirk from derp.ca for his help on this report.

Impact

  • Total affected packages – 23
  • Total accumulated monthly downloads – 52,640
  • Currently 338 repositories in GitHub with stolen credentials.
  1. Rotate your keys and add 2FA to your accounts
  2. Downgrade the affected packages to a safe version

Infection Analysis

We found 338 infected repositories on GitHub containing stolen credentials; you can follow the infection as it spreads via this link.

When searching for infected repositories in GitHub, we can see that the first commit containing the “Alright Lets See If This Works” string appeared on Wed, 24 Jun 2026 09:33:24 -0700.

Malware Differences Analysis

Since this is another variant of a widely known and researched malware, we decided to focus the technical analysis on everything that’s new, instead of repeating the same “this steals AWS, GitHub & npm tokens” which we already covered multiple times.

First, the malware uploads the stolen credentials and API keys to GitHub using the string “Alright Lets See If This Works”, which differs from the usual “name: description” pattern we have seen in the past.

Another big difference is the use of new public encryption keys. This most likely means that this malware comes from a new actor, and not the same ones we’ve seen behind TeamPCP or the earlier Miasma variants.

The malware also reuses the spreading technique of searching GitHub for the commit “firedalazer”, which is still live and was committed 2 weeks ago.

This attack combines two compromised GitHub accounts: miaxxxxxx, containing the firedalazer commit, and l3v1cs, which contains the payload that the decoded firedalazer URL points to.

The decoded firedalazer URL:

https://raw[.]githubusercontent[.]com/l3v1cs/Html-Bootstrap-TinDog/e027c6ea4c8042c4778dc4f392bf5f94a3c6310d/setup.py

This later points to “index.js” inside the same repository:

https://raw[.]githubusercontent[.]com/l3v1cs/Html-Bootstrap-TinDog/cb6699faacade9775d3d83059d6ba6a756755193/index.js

After further decoding of the dropped malware, we see that it points back to another variant – “Hades * The End for the Damned”.

This variant has 173 infected repositories on GitHub and was found around 15-16 days ago.

The Hades dropped malware variant also has different public keys embedded inside, which take us back to the same ones we’ve seen in this Miasma variant.

Affected Packages

Package name                   Affected versions
leo-sdk                        6.0.19
leo-cli                        3.0.3
leo-auth                       4.0.6
leo-connector-common           4.0.11-rc
leo-connector-mysql            3.0.3
leo-connector-postgres         4.0.19-beta
leo-connector-elasticsearch    2.0.6
leo-connector-mongo            3.0.8
leo-aws                        2.0.4
leo-config                     1.1.1
leo-connector-entity-table     3.0.22-rc
leo-logger                     1.0.8
leo-streams                    2.0.1
leo-cache                      1.0.2
leo-connector-oracle           2.0.1
leo-connector-redshift         3.0.6
serverless-leo                 3.0.14
leo-cron                       2.0.2
serverless-convention          2.0.4
solo-nav                       1.0.1
rstreams-metrics               2.0.2
leo-cdk-lib                    0.0.2
rstreams-shard-util            1.0.1

Conclusions

While we’re still waiting on npm to add malicious code detection, and 

IOCs

Public encryption keys

  • MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAut0YWEh9/gZIsSoF6feF
  • MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwtmpAkLxoe3q3BxHOLPE

Hades variant public encryption keys

  • MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAifY0q2qOZke8FTr7c23d
  • MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy/uXzJGGCEF39GtSJk9H

Relevant strings

  • Alright Lets See If This Works
  • TheBeautifulSandsOfTime
  • thebeautifulmarchoftime
  • RevokeAndItGoesKaboom

Infected accounts

URLs

  • https://raw[.]githubusercontent[.]com/l3v1cs/Html-Bootstrap-TinDog/e027c6ea4c8042c4778dc4f392bf5f94a3c6310d/setup.py
  • https://raw[.]githubusercontent[.]com/l3v1cs/Html-Bootstrap-TinDog/cb6699faacade9775d3d83059d6ba6a756755193/index.js 
