VYPR
breachPublished Jun 1, 2026· Updated Jun 9, 2026· 15 sources

Over 30 Red Hat Cloud Services npm Packages Compromised in 'Miasma' Supply Chain Attack

Attackers hijacked GitHub Actions OIDC tokens to backdoor over 30 official @redhat-cloud-services npm packages, deploying a credential-stealing worm variant of the Mini Shai-Hulud malware family.

On June 1, 2026, a sophisticated supply chain attack compromised over 30 official npm packages under the @redhat-cloud-services scope. The campaign, dubbed "Miasma: The Spreading Blight," is a new variant of the Mini Shai-Hulud malware family, a credential-stealing worm previously linked to the threat actor group TeamPCP. Unlike typosquatting attacks, the attackers hijacked a legitimate, trusted npm namespace and published backdoored versions of widely-used frontend components, API clients, and developer tooling.

According to researchers at Aikido and JFrog, the malicious packages were published using compromised GitHub Actions OIDC tokens, indicating that the CI/CD pipeline itself was breached rather than individual developer accounts. Each poisoned package embeds a preinstall lifecycle hook in its package.json that executes a 4.2 MB obfuscated payload automatically during every npm install, before any application code runs. The loader uses a multi-stage decryption chain — numeric character arrays, a ROT-style transform, and AES-128-GCM blobs — to evade static detection, before dropping a transient Bun-based payload for execution.

Once active, the malware performs a sweeping credential collection targeting GitHub tokens (classic, fine-grained, and OIDC tokens), cloud credentials (AWS access keys, GCP service account files, Azure service principal and managed identity tokens), infrastructure secrets (Kubernetes service account tokens, kubeconfig files, HashiCorp Vault tokens), and developer tooling (npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, .env files). In cloud environments, the malware goes beyond static files by actively querying AWS Secrets Manager, SSM Parameter Store, Azure Key Vault, and GCP Secret Manager when permissions allow. GitHub Actions runners are a prime target: the payload reads secrets directly from runtime process memory, bypassing workflow log masking entirely.

A notable evasion technique involves disguising exfiltration traffic to api.anthropic.com/v1/api — a legitimate-looking domain that blends into network logs at organizations using Anthropic services. The /v1/api path is not a valid Anthropic route, suggesting attackers chose it purely for camouflage. The malware also uses a GitHub dead-drop model, creating public repositories under victim accounts with the description "Miasma: The Spreading Blight" and committing stolen credentials as JSON result files. It installs persistent monitoring services — kitty-monitor.service on Linux and com.user.kitty-monitor.plist on macOS — that poll for remote instructions, and injects hooks into AI developer tools including Claude, Codex, Gemini, Copilot, Kiro, and opencode.

Most critically, a destructive token monitor (gh-token-monitor) watches stolen GitHub tokens. If a token is revoked before persistence is removed, it can execute destructive commands such as wiping the user's home directory. Incident responders must isolate machines and remove persistence before revoking any tokens. The full list of 31 compromised packages includes @redhat-cloud-services/chrome 2.3.1, @redhat-cloud-services/frontend-components 7.7.2, and @redhat-cloud-services/vulnerabilities-client 2.1.8, among others. Any project that installed these package versions on or after June 1, 2026 should be treated as compromised.

Defenders should hunt for node or Bun processes contacting api.anthropic.com from CI runners or developer machines, and inspect .claude/settings.json, .vscode/tasks.json, and ~/.config/index.js for injected hooks. Mitigation steps include running npm uninstall on all affected packages, regenerating lockfiles from trusted metadata, using npm ci --ignore-scripts in CI pipelines as a temporary safeguard, and removing kitty-monitor and gh-token-monitor persistence files before revoking any tokens. This attack underscores the growing threat of supply chain compromises targeting developer ecosystems, where trusted namespaces and CI/CD pipelines are increasingly exploited to distribute credential-stealing malware at scale.

This new report details that the Miasma campaign, a variant of the Mini Shai-Hulud attack, specifically targets Red Hat npm packages, including several within the @redhat-cloud-services scope. The malware employs obfuscated preinstall hooks to harvest a wide array of secrets such as GitHub Actions secrets, cloud credentials, and SSH keys, and exfiltrates them to attacker-controlled GitHub repositories. Notably, it also includes mechanisms to avoid execution on Russian-language systems and attempts persistence by injecting hooks into developer tools like VS Code and Claude Code.

The new article details how attackers compromised a Red Hat employee's GitHub account to push malicious commits. These commits introduced a GitHub Actions workflow and a script that leveraged npm's trusted publishing endpoint via OIDC tokens to release backdoored packages, specifically targeting the '@redhat-cloud-services' namespace.

This new report details that the malware variant, now dubbed 'Miasma' by researchers, incorporates data collectors for Google Cloud Platform and Microsoft Azure identities, expanding its scope beyond just stealing secrets to actively mapping cloud access. Furthermore, the malware's payload generation has evolved; instead of copying itself, it now creates uniquely encrypted payloads for each infection, making hash-based detection less effective against specific package versions.

This new report details how the Mini Shai-Hulud malware variant, specifically equipped with new data collectors for cloud identities, generates a uniquely encrypted payload for each infection and creates repositories with the description 'Miasma: The Spreading Blight'. It also highlights the critical self-propagation capability enabled by the bypass_2FA publish parameter, allowing the malware to spread autonomously even against accounts with two-factor authentication enabled.

This new report from Infosecurity Magazine details how attackers compromised Red Hat's official npm scope, injecting malicious code into 32 packages. The compromised packages were specifically designed to exfiltrate cloud credentials and secrets from CI/CD environments, underscoring the pervasive risks in software supply chains and trusted repositories.

This new report details that attackers published 96 malicious versions of the Red Hat NPM packages, a slight increase from the previously reported number. The injected malware is confirmed to be a credential-stealing worm, exhibiting behaviors similar to the Mini Shai-Hulud malware family.

This new report from The Record provides further details on the Red Hat supply chain compromise, specifically noting that the malware injected into the packages was a variant of the Mini Shai-Hulud worm, which had its source code recently released. The malware, dubbed 'Miasma' by its authors, cosmetically altered references from Dune to Greek mythology while retaining its core credential-stealing functionality. The article also highlights the broader context of ongoing supply chain attacks, referencing incidents involving LiteLLM, axios, and GitHub itself, underscoring the persistent threat to developer tools.

This new report from Cyber Security News confirms Red Hat's official statement regarding the supply chain compromise of its @redhat-cloud-services npm packages. It further details the sophisticated Shai-Hulud infostealer malware, highlighting its six-stage payload chain and its novel use of GitHub commits as adaptive Command and Control (C2) infrastructure. The article also notes a subtle variant in the malware's strings that could evade detection.

This new report from Microsoft Security Intelligence provides a deeper dive into the technical execution of the 'Miasma' campaign, detailing the multi-stage obfuscation techniques used to hide the dropper script and the payload. It highlights the malware's use of the Bun runtime to evade Node.js-focused monitoring and its sophisticated credential harvesting capabilities across various cloud providers and developer systems. Furthermore, the article details the campaign's self-propagation mechanism, including the forging of SLSA provenance metadata to spread like a worm, and a destructive tripwire designed to wipe a victim's home directory if a decoy token is interacted with.

This new article reveals a sophisticated supply chain attack dubbed "Phantom Gyp" that leverages the binding.gyp file, a method not typically monitored by security scanners, to execute malicious code during the npm install process. The attack, which compromised 57 npm packages including the high-profile @vapi-ai/server-sdk, is a variant of the Miasma worm, previously seen targeting Red Hat packages, and notably includes a taunt referencing prior research.

The Miasma worm has now compromised an additional 73 Microsoft GitHub repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations, leading GitHub to disable access to these affected repositories. This latest incident marks a significant expansion of the Miasma campaign, which was previously noted for its use of hijacked OIDC tokens to backdoor Red Hat Cloud Services npm packages.

This latest Shai-Hulud campaign has compromised 19 Python packages on the PyPI repository, with hundreds of thousands of downloads, expanding the campaign's reach beyond previous npm-focused attacks. The trojanized packages, including popular bioinformatics tools, deliver malware designed to steal a wide array of developer secrets, such as GitHub tokens, cloud credentials, and SSH keys, representing a significant supply-chain risk.

The Hades campaign represents a new iteration of the Mini Shai-Hulud/Miasma lineage, specifically targeting the Python Package Index (PyPI) with 19 poisoned packages. Unlike previous attacks, Hades utilizes a *-setup.pth file for automatic execution during Python startup and incorporates a novel prompt injection technique to deceive AI security scanners. The campaign also expands its data exfiltration capabilities by including tailored macOS and Windows memory scrapers for GitHub Actions runners.

The Shai-Hulud campaign has expanded significantly, now encompassing over 100 packages across both NPM and PyPI repositories. New variants, identified as Miasma and Hades, have emerged, employing self-propagating techniques to compromise these widely used software components. This escalation poses a substantial risk to downstream users who rely on these vulnerable packages.

Synthesized by Vypr AI