Miasma: @redhat-cloud-services Mini Shai-Hulud worm compromises 32 npm packages in 72 seconds
On 2026-06-01 an attacker published malicious versions of 32 @redhat-cloud-services/* npm packages in a 72-second window. The "Miasma" payload — a reskinned Mini Shai-Hulud worm — drops a preinstall script that runs a Bun-loaded credential stealer, harvests AWS/GCP/Azure/Kubernetes/Vault/GitHub/npm tokens, and exfiltrates to attacker-controlled GitHub repos tagged Miasma: The Spreading Blight.
- Threat actor
- TeamPCP
- Detected by
- Wiz · ReversingLabs · JFrog · StepSecurity · Snyk · Mend · Aikido · SafeDep
- Also known as
- Miasma · Miasma: The Spreading Blight · Mini Shai-Hulud
- Ecosystems
- npm
- Packages tracked
- 32
What happened
On 2026-06-01, Wiz Research observed a single attacker publish 32 malicious versions across 32 @redhat-cloud-services/* npm packages inside a 72-second window. ReversingLabs and JFrog independently confirmed the burst. Each malicious version is sandwiched between two clean releases — e.g. @redhat-cloud-services/frontend-components-utilities has compromised 7.4.1, 7.4.2, 7.4.4 published alongside benign versions, making "pin to latest" a brittle remediation. In total 96 versions across 32 packages were poisoned, with the affected set cumulatively pulling ~117k downloads/week and ~9.8M downloads lifetime.
The attack vector was a compromised Red Hat employee GitHub account, used to push orphan commits directly to two RedHatInsights repositories and to trigger GitHub Actions OIDC publish to npm — bypassing code review entirely. The Red Hat npm scope token itself was not stolen; this was a CI/CD-trust compromise, the same class of bug as the 2026-05-11 TanStack burst but executed against a different organisation.
Payload — "Miasma: The Spreading Blight"
Each malicious tarball ships a preinstall hook that runs immediately on npm install. The hook decrypts and writes two artefacts: _b (a ~898-byte Bun-runtime bootstrapper) and _p (a ~620 KB credential stealer). The payload is a lightly-reskinned descendant of the Mini Shai-Hulud worm that TeamPCP open-sourced in late April 2026 — same Bun-runtime architecture and same stealer modules used in the SAP @cap-js (April), TanStack (2026-05-11), @antv (2026-05-19) and durabletask (2026-05-19) compromises, plus new GCP/Azure identity collectors that enumerate every cloud identity the infected host can assume.
The stealer encrypts each exfil envelope with a per-session AES-256-GCM key, RSA-OAEP-wraps the key with the attacker public key, and POSTs to https://api.anthropic.com:443/v1/api (a decoy hostname encoded in the payload) as its primary channel. The GitHub-API fallback channel commits the same envelope as a file to attacker-owned public repos and labels each victim repo with the description Miasma: The Spreading Blight — IOC table samples include the AES-128-GCM keys fe0d71d57ecf4fa0a433185bf59a03f5 and f5e5dca9b725ec18514c4b322ed35d2b. One commit message variant taunts the victim: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:<token>.
Worm behaviour
After exfiltration the stealer enumerates the npm scopes the stolen publish tokens can write to, re-uses the same preinstall structure to publish further malicious versions, and registers a new attacker GitHub repo for each victim — the worm therefore self-spreads via the same trust path that TeamPCP used in the TanStack burst. StepSecurity, Snyk, Mend, ReversingLabs and JFrog all flagged the campaign within hours; npm pulled most malicious versions the same day, but cached copies in CI images, Artifactory mirrors and lockfiles remain in scope for audit.
Affected packages (32)
- npm
@redhat-cloud-services/chrome2.3.12.3.22.3.4 - npm
@redhat-cloud-services/compliance-client4.0.34.0.44.0.6 - npm
@redhat-cloud-services/config-manager-client5.0.45.0.55.0.7 - npm
@redhat-cloud-services/entitlements-client4.0.114.0.124.0.14 - npm
@redhat-cloud-services/eslint-config-redhat-cloud-services3.2.13.2.23.2.4 - npm
@redhat-cloud-services/frontend-components7.7.27.7.37.7.5 - npm
@redhat-cloud-services/frontend-components-advisor-components3.8.23.8.43.8.6 - npm
@redhat-cloud-services/frontend-components-config6.11.36.11.46.11.6 - npm
@redhat-cloud-services/frontend-components-config-utilities4.11.24.11.34.11.5 - npm
@redhat-cloud-services/frontend-components-notifications6.9.26.9.36.9.5 - npm
@redhat-cloud-services/frontend-components-remediations4.9.24.9.34.9.5 - npm
@redhat-cloud-services/frontend-components-testing1.2.11.2.21.2.4 - npm
@redhat-cloud-services/frontend-components-translations4.4.14.4.24.4.4 - npm
@redhat-cloud-services/frontend-components-utilities7.4.17.4.27.4.4 - npm
@redhat-cloud-services/hcc-feo-mcp0.3.10.3.20.3.4 - npm
@redhat-cloud-services/hcc-kessel-mcp0.3.10.3.20.3.4 - npm
@redhat-cloud-services/hcc-pf-mcp0.6.10.6.20.6.4 - npm
@redhat-cloud-services/host-inventory-client5.0.35.0.45.0.6 - npm
@redhat-cloud-services/insights-client4.0.44.0.54.0.7 - npm
@redhat-cloud-services/integrations-client6.0.46.0.56.0.7 - npm
@redhat-cloud-services/javascript-clients-shared2.0.82.0.92.0.11 - npm
@redhat-cloud-services/notifications-client6.1.46.1.56.1.7 - npm
@redhat-cloud-services/patch-client4.0.44.0.54.0.7 - npm
@redhat-cloud-services/quickstarts-client4.0.114.0.124.0.14 - npm
@redhat-cloud-services/rbac-client9.0.39.0.49.0.6 - npm
@redhat-cloud-services/remediations-client4.0.44.0.54.0.7 - npm
@redhat-cloud-services/rule-components4.7.24.7.34.7.5 - npm
@redhat-cloud-services/sources-client3.0.103.0.113.0.13 - npm
@redhat-cloud-services/topological-inventory-client3.0.103.0.113.0.13 - npm
@redhat-cloud-services/tsc-transform-imports1.2.21.2.41.2.6 - npm
@redhat-cloud-services/types3.6.13.6.23.6.4 - npm
@redhat-cloud-services/vulnerabilities-client2.1.92.1.11
Impact
- Preinstall lifecycle hook runs a 4.2 MB obfuscated payload before any application code on every
npm installof an affected version - Cloud credential theft: AWS (IMDS/ECS task role/Secrets Manager), Azure managed identity, GCP metadata service, Kubernetes service-account tokens
- CI/CD secret theft: GitHub Actions OIDC token,
GITHUB_TOKEN, npm publish tokens, CircleCI tokens, HashiCorp Vault tokens - Worm propagation: stolen npm tokens are used to publish further compromised versions to other scopes the victim can write to
- Persistence: malware creates a public GitHub repo on each victim describing itself as "Miasma: The Spreading Blight" — used both as a beacon and as a fallback exfiltration channel
- Anti-EDR: payload probes for CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before activating, and is per-package AES-128-GCM encrypted to defeat hash-based IOC matching
- @redhat-cloud-services frontend-components & API clients ship in the Red Hat Hybrid Cloud Console UI — any internal Red Hat tooling or customer portal that rebuilt on 2026-06-01 pulled a malicious version
What to do
- 1Audit every
package.json/ lockfile / CI image cache for any@redhat-cloud-services/*version listed in the packages map below — the malicious versions were sandwiched between two clean releases per package, so simply "upgrading to latest" is sufficient only if you skip the 3 affected versions - 2Run
npm ci --ignore-scripts(or pnpm/yarn equivalents) for any CI build that does not need lifecycle scripts, and review any new preinstall hook in PRs - 3Rotate every secret reachable from any host or runner that installed an affected version on or after 2026-06-01: AWS keys + ECS task role + Secrets Manager entries, GCP service-account keys, Azure managed-identity tokens, Kubernetes service-account tokens, HashiCorp Vault tokens, GitHub PATs + Actions OIDC trust, npm publish tokens
- 4Hunt outbound HTTPS POST to
api.anthropic.com/v1/api(decoy domain encoded into the payload) and GitHub API writes from build hosts to repos with descriptionMiasma: The Spreading Blight - 5Search GitHub Audit Log for new public repos created from compromised PATs with that description
- 6Search npm token usage history for unexpected publishes between 2026-06-01 and the date the relevant token was rotated
- 7Block the malicious version ranges in your private mirror / Artifactory / Nexus so cached copies cannot be served
References
- WizMiasma: Supply Chain Attack Targeting RedHat npm Packageswiz.io
- RedHatInsights[SECURITY] Malicious npm releases detected across @redhat-cloud-services scopegithub.com
- Red Hat Product SecurityRHSB-2026-006 Supply chain compromise of @redhat-cloud-services npm packagesaccess.redhat.com
- ReversingLabs32 Red Hat npm packages backdoored in 72 secondsreversinglabs.com
- JFrogShai-Hulud — Miasma: The Spreading Blight hits Red Hat npm packagesresearch.jfrog.com
- StepSecurityMultiple redhat-cloud-services npm packages compromisedstepsecurity.io
- SnykMiasma attack hits Red Hat npm packagessnyk.io
- The Hacker NewsMiasma supply chain attack compromises Red Hat npm packages with credential-stealing wormthehackernews.com
- BleepingComputerRed Hat npm packages compromised to steal developer credentialsbleepingcomputer.com