SlowMist|Jun 26, 2026 03:43
🚨 SlowMist TI Alert 🚨
The Mini Shai-Hulud, Miasma, and Hades malware family, now expanding beyond npm into the Go module ecosystem.
Affected Go modules:
http://github.com/verana-labs/verana@v0.10.1-dev.20
http://github.com/verana-labs/verana@v0.10.1-dev.20.0.20260624204443-73b8dc60cfa6
http://github.com/verana-labs/verana is a Cosmos SDK-based Layer 1 blockchain project for decentralized trust and verifiable registry infrastructure.
The compromised repository contains obfuscated payloads under .claude/, execution logic in .claude/setup.mjs and .vscode/setup.mjs, and VS Code/AI assistant workflow hooks that may trigger payload execution when the repository is opened.
This is not a traditional Go build-time compromise. The risk lies in source-repository and developer-environment abuse through IDE automation, AI hooks, and hidden workspace configuration.
Security teams should avoid opening untrusted repositories with IDE automation enabled, audit .claude and .vscode files, and rotate any potentially exposed developer, cloud, repository, and CI/CD credentials.
Special thanks to @SocketSecurity for the excellent discovery.
As always, stay vigilant!
https://enterprise.misteye.io/threat-intelligence/SM-2026-974234(SlowMist)
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink