The Miasma / Mini Shai-Hulud worm that trojanized npm packages on June 24 spent today proving it isn't finished: Socket confirmed it reached @immobiliarelabs' Backstage GitLab and LDAP auth plugins — packages that sit directly in a CI and SSO trust path — while The Hacker News tied the same worm to GitHub Actions abuse and propagation into Go modules. A credential-stealer that lands in the very packages whose job is to broker credentials is the worst place for it to land.
Underneath the worm, the day's disclosures rhymed on a single flaw: authorization derived from attacker-controlled input. Nezha shipped a pre-auth-to-RCE chain — leak jwt_secret_key through a /dashboard prefix match, forge an admin token, then hijack any tenant's terminal over an unchecked stream UUID; pnpm's coordinated 15-advisory batch turned poisoned lockfiles and PR-supplied .patch files into code execution and arbitrary file write on install; ex_aws_sns fetched its signature trust anchor from an attacker-named URL; and Hackney and Microsoft's kiota both walked Authorization headers off to foreign hosts on cross-origin redirects. Polymarket is the proof this isn't theoretical — a breached third-party vendor injected a frontend skimmer and drained roughly $3M from customers' browsers.
→ Operational priority for the night if you run Backstage with @immobiliarelabs plugins, pin to a clean pre-June-24 build and rotate every GitLab and LDAP secret those plugins could read; if you run a reachable Nezha dashboard, upgrade and rotate jwt_secret_key now, since the leak is pre-auth and trivially scriptable.