Leo Platform npm Miasma / Phantom Gyp Compromise
Confirmed
Discovered Jun 25, 2026
StepSecurity disclosed a June 24, 2026 Leo Platform npm supply-chain compromise affecting 20 packages published in a three-second burst. Socket and Sonatype then tied three more malicious npm packages to the same Miasma / Mini Shai-Hulud Phantom Gyp tradecraft, extending the incident into a 23-package campaign update.
10 Affected Packages
18 Observables
6 Sources
Timeline
| Date | Event | Description | Source |
|---|---|---|---|
| Jun 25, 2026 | Fresh source review | Reviewed direct and primary sources for the last-two-weeks supply-chain refresh; this preview intentionally excludes older Halting Problems article data. | Direct source |
Affected Software
| Package | Ecosystem | Version Range | Status | Confidence | Source |
|---|---|---|---|---|---|
| leo-logger | npm | 1.0.8 | Malicious | 90% | StepSecurity |
| leo-sdk | npm | 6.0.19 | Malicious | 90% | StepSecurity |
| leo-aws | npm | 2.0.4 | Malicious | 90% | StepSecurity |
| leo-config | npm | 1.1.1 | Malicious | 90% | StepSecurity |
| leo-streams | npm | 2.0.1 | Malicious | 90% | StepSecurity |
| serverless-leo | npm | 3.0.14 | Malicious | 90% | StepSecurity |
| leo-connector-mongo | npm | 3.0.8 | Malicious | 90% | StepSecurity |
| serverless-convention | npm | 2.0.4 | Malicious | 90% | StepSecurity |
| rstreams-metrics | npm | 2.0.2 | Malicious | 90% | StepSecurity |
| leo-connector-elasticsearch | npm | 2.0.6 | Malicious | 90% | StepSecurity |
IOC Clipboard
18 IOCs
Provenance & Sources
| Source | Type | Reliability | Claims | Evidence |
|---|---|---|---|---|
| Direct source | direct | 95% | 1 | https://registry.npmjs.org/leo-logger |
| Direct source | direct | 95% | 1 | https://registry.npmjs.org/leo-sdk |
| Direct source | direct | 95% | 1 | https://registry.npmjs.org/solo-nav |
| Direct source | direct | 95% | 1 | https://registry.npmjs.org/hexo-deployer-wrangler |
| StepSecurity | Primary Research | 95% | 1 | https://www.stepsecurity.io/blog/mass-npm-supply-chain-attack-20-leo-platform-packages-compromised |
| Primary research | primary research | 95% | 1 | https://www.stepsecurity.io/blog/multiple-redhat-cloud-services-npm-packages-compromised |