VYPR
Breach · Published Jun 1, 2026 · 4 sources

Over 30 Red Hat Cloud Services npm Packages Compromised in 'Miasma' Supply Chain Attack

Attackers hijacked GitHub Actions OIDC tokens to backdoor over 30 official @redhat-cloud-services npm packages, deploying a credential-stealing worm variant of the Mini Shai-Hulud malware family.

On June 1, 2026, a sophisticated supply chain attack compromised over 30 official npm packages under the @redhat-cloud-services scope. The campaign, dubbed "Miasma: The Spreading Blight," is a new variant of the Mini Shai-Hulud malware family, a credential-stealing worm previously linked to the threat actor group TeamPCP. Unlike typosquatting attacks, the attackers hijacked a legitimate, trusted npm namespace and published backdoored versions of widely used frontend components, API clients, and developer tooling.

According to researchers at Aikido and JFrog, the malicious packages were published using compromised GitHub Actions OIDC tokens, indicating that the CI/CD pipeline itself was breached rather than individual developer accounts. Each poisoned package embeds a preinstall lifecycle hook in its package.json that executes a 4.2 MB obfuscated payload automatically during every npm install, before any application code runs. The loader uses a multi-stage decryption chain — numeric character arrays, a ROT-style transform, and AES-128-GCM blobs — to evade static detection, before dropping a transient Bun-based payload for execution.

Once active, the malware performs a sweeping credential collection targeting GitHub tokens (classic, fine-grained, and OIDC tokens), cloud credentials (AWS access keys, GCP service account files, Azure service principal and managed identity tokens), infrastructure secrets (Kubernetes service account tokens, kubeconfig files, HashiCorp Vault tokens), and developer tooling (npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, .env files). In cloud environments, the malware goes beyond static files by actively querying AWS Secrets Manager, SSM Parameter Store, Azure Key Vault, and GCP Secret Manager when permissions allow. GitHub Actions runners are a prime target: the payload reads secrets directly from runtime process memory, bypassing workflow log masking entirely.

A notable evasion technique involves disguising exfiltration traffic to api.anthropic.com/v1/api — a legitimate-looking domain that blends into network logs at organizations using Anthropic services. The /v1/api path is not a valid Anthropic route, suggesting attackers chose it purely for camouflage. The malware also uses a GitHub dead-drop model, creating public repositories under victim accounts with the description "Miasma: The Spreading Blight" and committing stolen credentials as JSON result files. It installs persistent monitoring services — kitty-monitor.service on Linux and com.user.kitty-monitor.plist on macOS — that poll for remote instructions, and injects hooks into AI developer tools including Claude, Codex, Gemini, Copilot, Kiro, and opencode.

Most critically, a destructive token monitor (gh-token-monitor) watches stolen GitHub tokens. If a token is revoked before persistence is removed, it can execute destructive commands such as wiping the user's home directory. Incident responders must isolate machines and remove persistence before revoking any tokens. The full list of 31 compromised packages includes @redhat-cloud-services/chrome 2.3.1, @redhat-cloud-services/frontend-components 7.7.2, and @redhat-cloud-services/vulnerabilities-client 2.1.8, among others. Any project that installed these package versions on or after June 1, 2026 should be treated as compromised.
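To check whether a project resolved one of these versions, the lockfile can be audited without installing anything. The sketch below is an added example, not code from the researchers or from Red Hat: it flags the three versions named above and any other package in the scope that npm recorded as having an install script. The function names and the sample lockfile are constructed for illustration, and the version list must be extended from a full advisory.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// KNOWN_BAD holds only the three versions this article names; the article
// says 31 packages were affected, so extend the map from a full advisory.
const SCOPE = '@redhat-cloud-services/';
const KNOWN_BAD = new Map([
  ['@redhat-cloud-services/chrome', '2.3.1'],
  ['@redhat-cloud-services/frontend-components', '7.7.2'],
  ['@redhat-cloud-services/vulnerabilities-client', '2.1.8'],
]);

// Lockfile keys look like "node_modules/a/node_modules/@scope/name".
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry
    const name = packageNameFromKey(key);
    if (KNOWN_BAD.get(name) === meta.version) {
      findings.push({ name, version: meta.version, path: key, reason: 'known-bad-version' });
    } else if (name.startsWith(SCOPE) && meta.hasInstallScript === true) {
      // npm sets hasInstallScript when a package declares
      // preinstall, install or postinstall.
      findings.push({ name, version: meta.version, path: key, reason: 'scoped-install-script' });
    }
  }
  return findings;
}

// Constructed sample lockfile; "example-constructed" is a made-up package name.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/chrome': { version: '2.3.1', hasInstallScript: true },
    'node_modules/@redhat-cloud-services/frontend-components': { version: '7.7.1' },
    'node_modules/x/node_modules/@redhat-cloud-services/example-constructed': { version: '9.9.9', hasInstallScript: true },
    'node_modules/esbuild': { version: '0.21.0', hasInstallScript: true },
  },
};
```

Pass it the result of `JSON.parse` on a real `package-lock.json`; a `scoped-install-script` finding is a prompt for manual review, not proof of compromise.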

Defenders should hunt for node or Bun processes contacting api.anthropic.com from CI runners or developer machines, and inspect .claude/settings.json, .vscode/tasks.json, and ~/.config/index.js for injected hooks. Mitigation steps include running npm uninstall on all affected packages, regenerating lockfiles from trusted metadata, using npm ci --ignore-scripts in CI pipelines as a temporary safeguard, and removing kitty-monitor and gh-token-monitor persistence files before revoking any tokens. This attack underscores the growing threat of supply chain compromises targeting developer ecosystems, where trusted namespaces and CI/CD pipelines are increasingly exploited to distribute credential-stealing malware at scale.
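The ordering constraint (persistence removed first, tokens revoked second) can be enforced as a gate in a response runbook. The following is an added example, not tooling from the vendors cited: it classifies files found on an isolated host using only the artifact names given in this article. Because the article does not state install directories, matching is by basename or path suffix, and `revocationGate`, `classify` and `listFiles` are hypothetical names.

```javascript
// Added example: decide whether token revocation may start, given files on a host.
// Names come from the article; it gives no install directories, so match on
// basename or path suffix rather than on fixed locations.
const PERSISTENCE_BASENAMES = ['kitty-monitor.service', 'com.user.kitty-monitor.plist'];
const PERSISTENCE_SUBSTRING = 'gh-token-monitor';
const HOOK_SUFFIXES = ['.claude/settings.json', '.vscode/tasks.json', '.config/index.js'];

function classify(filePath) {
  const p = filePath.replace(/\\/g, '/');
  const base = p.slice(p.lastIndexOf('/') + 1);
  if (PERSISTENCE_BASENAMES.includes(base) || base.includes(PERSISTENCE_SUBSTRING)) {
    return 'persistence';
  }
  // These files also exist legitimately; they are flagged for manual inspection.
  if (HOOK_SUFFIXES.some((s) => p === s || p.endsWith('/' + s))) return 'inspect-hook';
  return null;
}

function revocationGate(filePaths) {
  const persistence = [];
  const inspect = [];
  for (const f of filePaths) {
    const kind = classify(f);
    if (kind === 'persistence') persistence.push(f);
    else if (kind === 'inspect-hook') inspect.push(f);
  }
  // Revoking while the token monitor is still installed risks its destructive path.
  return { safeToRevoke: persistence.length === 0, persistence, inspect };
}

// Recursive listing of regular files; unreadable directories are skipped.
function listFiles(root) {
  const fs = require('node:fs');
  const path = require('node:path');
  const out = [];
  const stack = [root];
  while (stack.length) {
    const dir = stack.pop();
    let entries;
    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { continue; }
    for (const e of entries) {
      const full = path.join(dir, e.name);
      if (e.isDirectory()) stack.push(full); // symlinks are not followed
      else if (e.isFile()) out.push(full);
    }
  }
  return out;
}
```

Run `revocationGate(listFiles(homeDir))` on the isolated machine; a `safeToRevoke: true` result covers only the artifact names listed in this article and does not replace checking running processes and services.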

This new report details that the Miasma campaign, a variant of the Mini Shai-Hulud attack, specifically targets Red Hat npm packages, including several within the @redhat-cloud-services scope. The malware employs obfuscated preinstall hooks to harvest a wide array of secrets such as GitHub Actions secrets, cloud credentials, and SSH keys, and exfiltrates them to attacker-controlled GitHub repositories. Notably, it also includes mechanisms to avoid execution on Russian-language systems and attempts persistence by injecting hooks into developer tools like VS Code and Claude Code.

The new article details how attackers compromised a Red Hat employee's GitHub account to push malicious commits. These commits introduced a GitHub Actions workflow and a script that leveraged npm's trusted publishing endpoint via OIDC tokens to release backdoored packages, specifically targeting the '@redhat-cloud-services' namespace.

This new report details that the malware variant, now dubbed 'Miasma' by researchers, incorporates data collectors for Google Cloud Platform and Microsoft Azure identities, expanding its scope beyond just stealing secrets to actively mapping cloud access. Furthermore, the malware's payload generation has evolved; instead of copying itself, it now creates uniquely encrypted payloads for each infection, making hash-based detection less effective against specific package versions.

Synthesized by Vypr AI