
Miasma Malware Uses binding.gyp and 'RevokeAndItGoesKaboom' Token to Compromise 22 npm Packages and GitHub Actions
Miasma expanded its supply-chain operation by compromising the czirker npm account and 22 packages, then abusing GitHub Actions and a Go module for credential theft. Evidence links the activity to prior Mini Shai-Hulud and Hades waves through identical dead-drop strings and polling behavior. The pattern shows automated targeting of developer workflows rather than manual nation-state tradecraft.
The packages, including [email protected] and [email protected], contain no postinstall hook yet execute arbitrary code through binding.gyp during npm install. The payload checks for Russian locale and EDR presence before dropping a 'Run Copilot' workflow that scrapes runner memory for OIDC and PAT secrets, then uploads AES-encrypted blobs to GitHub repos matching the string 'Alright Lets See If This Works.' Socket telemetry shows 559 such repositories.

This matches the same tooling lineage that force-pushed codfish/semantic-release-action on the same day, redirecting tags to a commit harvesting tokens via the marker 'RevokeAndItGoesKaboom.' Procurement records and prior incident reports from StepSecurity and Endor Labs confirm the cluster also polls GitHub hourly for 'firedalazer' commits to fetch the Hades variant. The Verana Blockchain Go module v0.10.1-dev.20 carries identical credential-harvesting logic.

No independent technical attribution to a state actor exists; the Russian killswitch is a simple locale check, not nation-state fingerprinting. The campaign continues the documented shift from one-off dependency confusion to automated, high-volume pipeline poisoning that targets CI runners and AI coding assistants. Maintainers with leaked tokens become force multipliers for further registry abuse. The next observable indicator will be new GitHub Actions workflows containing the 'firedalazer' resolver or fresh npm releases using the 'Kaboom' marker within the next 14 days.
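As an added defender-side example (not code from Socket's or StepSecurity's reporting), a small Python checker that surfaces the install path described above: a package that declares no lifecycle scripts still triggers npm's default `node-gyp rebuild` when a binding.gyp is present, and that file's `actions` entries and `<!(...)` command expansions run commands during the build. The package.json and binding.gyp contents are constructed samples.

```python
import ast
import json
import re
from typing import Any

# Constructed sample manifest: no install/preinstall/postinstall scripts,
# so package.json alone looks harmless.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-addon", "version": "1.0.0",
  "scripts": {"test": "node test.js"}
}"""

# Constructed sample binding.gyp: a build-time 'action' and a <!(...)
# command expansion, both executed by node-gyp during `node-gyp rebuild`.
SAMPLE_BINDING_GYP = """{
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc'],
    'include_dirs': ["<!(node -e \\"require('nan')\\")"],  # command expansion
    'actions': [{
      'action_name': 'prepare', 'inputs': [], 'outputs': ['build/prepared'],
      'action': ['node', 'scripts/prepare.js'],
    }],
  }],
}"""

GYP_CMD_EXPANSION = re.compile(r"<!@?\((.*)\)")  # one expansion per string

def parse_gyp(text: str) -> dict:
    # GYP files are Python literals (single quotes, trailing commas, # comments);
    # literal_eval parses them without executing anything.
    return ast.literal_eval(text)

def implicit_node_gyp_rebuild(package_json: dict) -> bool:
    # npm defaults the install step to `node-gyp rebuild` when binding.gyp exists
    # and the package declares neither an install nor a preinstall script.
    scripts = package_json.get("scripts", {})
    return not ({"install", "preinstall"} & scripts.keys())

def gyp_command_hooks(node: Any, found=None) -> list:
    # Walk the GYP tree collecting every 'action' argv and <!(cmd) expansion.
    found = [] if found is None else found
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "action" and isinstance(val, list):
                found.append(" ".join(map(str, val)))
            else:
                gyp_command_hooks(val, found)
    elif isinstance(node, list):
        for item in node:
            gyp_command_hooks(item, found)
    elif isinstance(node, str):
        found.extend(m.group(1) for m in GYP_CMD_EXPANSION.finditer(node))
    return found

def audit_package(package_json_text: str, binding_gyp_text: str) -> dict:
    pkg = json.loads(package_json_text)
    hooks = gyp_command_hooks(parse_gyp(binding_gyp_text))
    implicit = implicit_node_gyp_rebuild(pkg)
    return {"implicit_node_gyp_rebuild": implicit, "command_hooks": hooks,
            "needs_review": implicit or bool(hooks)}
```

Run `audit_package` over each dependency's package.json and binding.gyp in a lockfile review; any package where the build step is implicit and the GYP file carries command hooks deserves a manual read before it reaches a CI runner.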
Socket: At least three additional Go modules will carry Miasma payload within 30 days of 24 June 2026
Sources (2)
- [1] Primary Source: https://socket.dev/blog/miasma-npm-compromise-june-2026
- [2] Supporting Source: https://www.stepsecurity.io/blog/semantic-release-action-compromise