Miasma Supply Chain Attack Compromises Red Hat npm Packages With Credential-Stealing Worm

A new Mini Shai-Hulud attack campaign, codenamed Miasma, has compromised @redhat-cloud-services packages to steal information and secrets from developer machines and deliver a self-propagating worm.
“This is effectively a Mini Shai-Hulud campaign: it uses the same basic tactics of using install time, data harvesting, CI/CD targeting, encrypted releases, and potential downstream distribution,” Socket said.
It is not known who actually carried out this attack, but TeamPCP, a notorious cybercrime group, has open-sourced attack tools linked to the Shai-Hulud worm, opening the door for other threat actors to carry out similar attacks and making exact attribution difficult.
The affected packages are listed below –
- @redhat-cloud-services/vulnerabilities-client
- @redhat-cloud-services/tsc-transform-imports
- @redhat-cloud-services/topological-inventory-client
- @redhat-cloud-services/sources-client
- @redhat-cloud-services/rule-components
- @redhat-cloud-services/remediations-client
- @redhat-cloud-services/rbac-client
According to analysis from Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity, and Wiz, the npm packages contain an obfuscated installation hook designed to collect GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault objects, SSH keys, and other sensitive authentication files.
As noted in previous Mini Shai-Hulud waves, the malware also contains exfiltration code that sends data to “api.anthropic[.]com:443/v1/api” and uses GitHub as a fallback. This shows the attacker’s intent both to steal information and to further poison the software supply chain.
“It encapsulates encrypted results via the GitHub API,” Socket said. “A commit message can include: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:”

Another notable step taken by the malware is to avoid executing on Russian-language systems, a pattern also seen in the GlassWorm supply chain campaigns.
“On npm, the payload calls the exchange of OIDC tokens and whoami endpoints, repackages the tarball (updateTarball, package-updated.tgz), and signs the artifact with Sigstore,” SafeDep said. “The stolen data results in public GitHub repositories created by the attacker, each with the description Miasma: The Spreading Blight.”
The string “Miasma: The Spreading Blight” first appeared on May 29, 2026, OX Security noted, suggesting that the threat actor had been testing this variant since at least that date.

As for GitHub, the malware enumerates the repositories the token can write to, reads action.yml/action.yaml via GraphQL, and commits a workflow using the createCommitOnBranch GraphQL mutation so that the commit appears as a verified, signed change. Some of the actions performed by the malware are listed below –
- Privilege escalation attempt by launching a container that bind-mounts the host /etc/sudoers.d and grants the CI runner passwordless sudo
- Checks for endpoint protection from CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before starting malicious activity.
- Establishes persistence by injecting a SessionStart hook into Anthropic Claude Code settings and a tasks.json task with "runOn": "folderOpen" into Microsoft Visual Studio Code projects, so that the malware is started automatically in each session.
“One of the key changes in this new variant is the addition of new cloud-based data collectors,” Wiz researchers said. “Specifically, GCP and Azure identity collectors have been added that collect all identities the infected machine has access to. While previous versions of the malware focused primarily on extracting secrets from these environments, this variant suggests an attacker’s increased focus on gaining and exploiting access to the cloud itself.”
Unlike previous versions, the malware was also found to generate a different encrypted payload for each infection, making detection and version tracking more challenging.
Evidence suggests that the compromise of a Red Hat employee’s GitHub account was the patient zero used to inject the payload into these packages. The compromised account is said to have pushed a malicious orphan commit to two RedHatInsights repositories, bypassing code review.
It is recommended that you isolate hosts that have installed the affected versions, remove the malicious versions, rotate exposed credentials, review for any signs of suspicious GitHub or npm activity, scan the environment for persistence artifacts involving changes to configuration files (~/.claude/settings.json, .vscode/tasks.json, .github/setup.js), and implement strong access controls.
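As an added example (not code from the article or from any of the vendors it cites), here is a small defender-side scanner for the three persistence artifacts named in the persistence bullet and the remediation advice above: a Claude Code SessionStart hook, a VS Code task that runs on folder open, and a .github/setup.js file. The Claude Code settings layout ({"hooks": {"SessionStart": [...]}}) and the constructed sample tree in demo() are assumptions, and a hit is a lead to review, not proof of compromise.

```python
import json
import os
import tempfile
from pathlib import Path

def _load_json(path: Path):
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):  # missing file, or JSONC comments that json.loads rejects
        return None

def check_claude_settings(path: Path) -> list[str]:
    """SessionStart hooks in Claude Code settings.json (assumed layout: {"hooks": {"SessionStart": [...]}})."""
    data = _load_json(path)
    start = data["hooks"].get("SessionStart") if isinstance(data, dict) and isinstance(data.get("hooks"), dict) else None
    return [f"{path}: SessionStart hook: {json.dumps(start)[:100]}"] if start else []

def check_vscode_tasks(path: Path) -> list[str]:
    """VS Code tasks that auto-run on folder open, i.e. "runOptions": {"runOn": "folderOpen"}."""
    data = _load_json(path)
    if not isinstance(data, dict):  # unparsable (JSONC comments): fall back to a raw substring check
        raw = path.read_text(errors="replace") if path.is_file() else ""
        return [f"{path}: contains folderOpen (unparsed)"] if "folderOpen" in raw else []
    return [f"{path}: task {t.get('label')!r} runs on folder open: {t.get('command')}"
            for t in data.get("tasks") or [] if isinstance(t, dict)
            and (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def scan(root: Path) -> list[str]:
    # Walk a home directory or project tree and collect the persistence indicators above.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if d.name == ".claude" and "settings.json" in files:
            findings += check_claude_settings(d / "settings.json")
        if d.name == ".vscode" and "tasks.json" in files:
            findings += check_vscode_tasks(d / "tasks.json")
        if d.name == ".github" and "setup.js" in files:
            findings.append(f"{d / 'setup.js'}: unexpected setup.js in .github, review its contents")
    return findings

def demo() -> list[str]:
    # Scan a constructed sample tree (placeholder commands, not real indicators).
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for sub in (".claude", "proj/.vscode", "proj/.github"):
            (base / sub).mkdir(parents=True)
        (base / ".claude" / "settings.json").write_text(json.dumps({"hooks": {"SessionStart": [
            {"hooks": [{"type": "command", "command": "node /tmp/placeholder.js"}]}]}}))
        (base / "proj" / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
            {"label": "build", "command": "npm run build"},
            {"label": "setup", "command": "node .github/setup.js", "runOptions": {"runOn": "folderOpen"}}]}))
        (base / "proj" / ".github" / "setup.js").write_text("// constructed placeholder\n")
        return scan(base)
```

Run scan() against a home directory and each checked-out project; on real hosts, confirm every finding against what the developer actually configured before treating it as an infection.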
“Because the malware includes background exploits and possible developer tools persistence methods, removing the npm package or removing node_modules should not be considered a sufficient cleanup,” explained Socket.
“For CI/CD systems, stop running the affected workflow, do not create build artifacts generated during exposure, and review whether any release, container image, npm package, or deployment artifact was created after the malicious package was installed.”