TL;DR

On 2026-06-01, Wiz Research and others identified a supply-chain compromise of the @redhat-cloud-services npm scope — Red Hat's official client libraries used by the Hybrid Cloud Console, Insights, and OpenShift frontends. 32 packages / 96 malicious versions were published in a roughly 72-second automated burst (Aikido, Wiz), each carrying a preinstall hook that drops a ~4.2 MB obfuscated payload stealing AWS / GCP / Azure / Kubernetes / HashiCorp Vault / GitHub / npm / CircleCI credentials. Cumulative weekly downloads of the affected scope: ~80,000. The campaign — dubbed "Miasma: The Spreading Blight" — is a lightly reskinned descendant of the (Mini) Shai-Hulud worm that TeamPCP open-sourced on 2026-05-12, with Greek-mythology theming (spartan) replacing Dune references but the same self-propagation core, and new GCP/Azure identity collectors added. Notable IOC: the payload exfiltrates over HTTPS to a camouflage URL https://api.anthropic.com:443/v1/apinot Anthropic infrastructure, but a fake path on a real-vendor host chosen to blend into network logs at organizations using Anthropic. Initial access was a compromised Red Hat employee GitHub account → GitHub Actions OIDC token → npm publish (JFrog, Aikido). Red Hat published RHSB-2026-006; npm has removed the malicious versions.

Update 2026-06-11: On 2026-06-09–10, the Miasma worm source code was briefly open-sourced on GitHub via compromised developer accounts (repositories named "Miasma-Open-Source-Release"), mirroring what TeamPCP did with Mini Shai-Hulud on 2026-05-12. The full attack toolkit — covering npm/PyPI/RubyGems/JFrog/GitHub targeting and AI-tool configuration poisoning — is now public. SafeDep preserved artifacts before GitHub removed the repositories within hours. Mini Shai-Hulud going public spawned five documented copycat waves in 30 days; a sixth wave is expected imminently. Monitor supply-chain feeds closely and treat any unexpected outbound HTTPS to api.anthropic.com, api.openai.com, or other AI-vendor hosts from non-AI workloads as a Miasma-family IOC — the camouflage primitive is now well-known. See the Hades Campaign advisory for the most recent copycat (June 8). Sources: SafeDep, BleepingComputer, The Register.

What happened

On 2026-06-01, Wiz Research detected malicious code in at least 32 package releases published under the @redhat-cloud-services npm scope — Red Hat's official frontend client libraries used by the OpenShift / Hybrid Cloud Console / Insights / Edge dashboards. The malicious releases included @redhat-cloud-services/chrome, @redhat-cloud-services/compliance-client, @redhat-cloud-services/frontend-components, and ~29 sibling client libraries. Across those 32 packages, 96 unique malicious versions were published in a ~72-second window, indicating fully automated publishing — the actor's tooling, not a sleepy human.

Attack flow

  1. Initial access — compromised Red Hat employee GitHub account. JFrog and Aikido converged on the conclusion that an employee's GitHub account was the foothold; the malicious npm publishes ran via the existing GitHub Actions OIDC token that the legitimate release workflow uses to talk to npm. The npm account itself was not separately phished — the source-repo trust boundary failed first. (Same shape as Megalodon's @tiledesk/tiledesk-server arm.)
  2. Mass automated publishing. 96 versions / 32 packages / 72 seconds → strong signal of a scripted republish that walked the org's package list.
  3. Preinstall hook. Each malicious version's package.json adds a preinstall script that runs before dependency resolution completes. Anyone who ran npm install against an unpinned ^x.y.z range or a latest tag on 2026-06-01 executed the payload on their workstation or CI runner.
  4. Stage-2 payload — ~4.2 MB obfuscated JavaScript. Once decoded, the payload is a multi-stage credential harvester. It enumerates AWS / GCP / Azure / Kubernetes / HashiCorp Vault / GitHub / npm / CircleCI credentials reachable from the host, explicitly attempts to bypass StepSecurity Harden-Runner, then exfiltrates harvested data over HTTPS to a camouflage URL https://api.anthropic.com:443/v1/apinot Anthropic infrastructure, but the real host with a non-existent path, chosen because outbound HTTPS to api.anthropic.com is a baseline-normal destination at most organizations that use Anthropic models and will not flag in egress logs (CyberSecurity News, StepSecurity). Because the path is non-existent, every exfil POST returns 4xx — but the request itself carries the exfiltrated payload in body/headers, and many security stacks log only response codes.
  5. Worm component. The payload also attempts to use the stolen npm token to republish trojanized versions of every other package the victim can publish to, the same self-propagation primitive as the original Shai-Hulud, Mini Shai-Hulud, and TrapDoor waves.

What's new vs. plain Mini Shai-Hulud

Miasma is largely the open-sourced Mini Shai-Hulud worm with cosmetic and operational changes (JFrog research, Wiz), but two changes matter:

  • Greek-mythology theming replaces Dune. Internal markers / function names now use spartan/miasma instead of kralizec/phibian/shai-hulud. This breaks blue-team yara rules and SIEM queries that grep for the original Dune string set.
  • New cloud-identity collectors. Where the original Mini Shai-Hulud focused on AWS + GitHub + npm, Miasma added explicit GCP and Azure identity collectors that enumerate every cloud identity the infected machine has access to. This squarely targets cloud-frontend dev environments — which is exactly the audience of @redhat-cloud-services (OpenShift / RHEL / Insights dashboards run with broad multi-cloud IAM grants).
  • api.anthropic.com camouflage exfil. The first observed wave to disguise exfil traffic as AI-vendor API calls rather than the usual GitHub Gist / direct VPS / disposable-tunnel C2. Expect this technique to spread to other waves — api.openai.com, api.anthropic.com, generativelanguage.googleapis.com, bedrock-runtime.us-east-1.amazonaws.com are all "AI-coding-tool baseline-normal" destinations now.

Attribution

This is almost certainly not TeamPCP themselves. TeamPCP open-sourced the Mini Shai-Hulud worm on 2026-05-12 with the message "Shai-Hulud: Open Sourcing The Carnage", and Miasma is what one would expect a competent second actor to ship two weeks later: original payload, new theming, expanded cloud-identity collection, fresh C2 disguise. This is the third worm-source-public copycat wave sweep-tracked so far:

  1. TrapDoor (2026-05-22) — different actor, cross-ecosystem (npm + PyPI + Crates.io), .cursorrules/CLAUDE.md poisoning.
  2. Shai-Hulud copycat wave (2026-05-18)deadcode09284814 typosquats, near-verbatim worm clones with *.lhr.life C2.
  3. Miasma (2026-06-01) — first to land on a major legitimate npm scope at TeamPCP scale rather than typosquats, with cloud-identity expansion and AI-vendor camouflage exfil.

The blast radius is smaller than the TanStack/Mistral wave (~80K weekly downloads vs. 518M+), but the target scope alignment is sharper — every consumer of @redhat-cloud-services is, by definition, a multi-cloud IAM holder.

Am I affected?

Check whether any compromised version reached your lockfile

# Any version of the scope installed in the install window
npm ls --all 2>/dev/null | grep '@redhat-cloud-services/'

# Specific packages confirmed compromised (sample; see Red Hat RHSB-2026-006 for the full list)
for p in chrome compliance-client frontend-components rbac-client host-inventory-client \
         notifications-client patches-client sources-client subscriptions-client \
         types config-utils-frontend frontend-components-config-utilities; do
  npm ls "@redhat-cloud-services/$p" 2>/dev/null
done

# Any install activity on 2026-06-01 (the window of malicious-version availability)
grep '@redhat-cloud-services' ~/.npm/_logs/*.log 2>/dev/null | grep '2026-06-01'

Check your CI / Docker images

# Re-build any image whose lockfile or layer was created on 2026-06-01 against the
# scope's malicious versions. Pull the affected versions out of any registry cache:
docker images --digests | grep -i redhat-cloud-services

Egress check — the camouflage IOC

If you have CI / endpoint egress logs, search for outbound HTTPS to api.anthropic.com from non-AI workloads on or after 2026-06-01, especially with response codes that are not 200 (Anthropic's API does not have a /v1/api path, so every exfil request will be 4xx):

# Pseudo-pattern; adapt to your egress logs (CloudFlare/Cloudflare Logpush/AWS VPC flow logs/etc.)
grep -E 'api\.anthropic\.com[^ ]*/v1/api' /var/log/egress/* 2>/dev/null

Hits from a build/CI runner that doesn't talk to Claude are high-confidence Miasma exfil. Hits from a developer workstation that does normally talk to Claude need to be cross-correlated with the timestamp window.

IOCs

Type Value
Campaign Miasma (Wiz naming; "Miasma: The Spreading Blight")
Malware family (Mini) Shai-Hulud — open-sourced by TeamPCP 2026-05-12; Miasma is a derivative with Greek-mythology theming
Disclosure 2026-06-01 (Wiz Research)
Affected scope @redhat-cloud-services (npm)
Versions 32 packages / 96 malicious versions, published in a ~72-second automated burst on 2026-06-01
Cumulative downloads ~80,000 weekly across the affected scope
Initial access Compromised Red Hat employee GitHub account → existing GitHub Actions OIDC → npm publish
Trigger preinstall lifecycle hook in package.json
Payload ~4.2 MB obfuscated JavaScript; harvests AWS / GCP / Azure / K8s / Vault / GitHub / npm / CircleCI creds; explicit Harden-Runner evasion
Exfil destination (camouflage) https://api.anthropic.com:443/v1/api — fake path on real-vendor host; not Anthropic infrastructure
Internal markers spartan, miasma (Greek-mythology replacement for original Dune markers)
Worm primitive Steals npm token + republishes trojanized versions of every other package the victim can publish
Red Hat advisory RHSB-2026-006 (Red Hat Customer Portal)
Upstream tracking issue RedHatInsights/javascript-clients#492
Status Contained — malicious versions removed from npm; investigation ongoing
Attribution Unknown actor, distinct from TeamPCP — third documented copycat of the open-sourced Mini Shai-Hulud worm after TrapDoor and the deadcode09284814 typosquat wave

If you are affected

If @redhat-cloud-services/* was resolved or installed against a malicious 2026-06-01 version on any developer machine or CI runner:

playbooks/if-you-installed-a-bad-npm-package.mdplaybooks/rotating-cloud-credentials.mdmulti-cloud: rotate AWS, GCP, Azure access keys and any K8s / Vault tokens reachable from the affected host → playbooks/if-your-github-pat-leaked.md — every reachable GitHub PAT, npm token, and CircleCI token is in scope → Pin to a pre-2026-06-01 known-good version for every affected package and clear your npm/yarn/pnpm caches:

rm -rf ~/.npm/_cacache ~/.npm/_logs
rm -rf node_modules package-lock.json
npm install
# Verify your lockfile resolves to versions published before 2026-06-01

→ If you run a corporate npm mirror (Artifactory / Verdaccio / Sonatype): purge the malicious versions from your mirror's cache before letting developers re-install.

Prevention

prevention/npm-hardening.mdminimumReleaseAge would have blocked these versions for the 72-hour shake-out window during which they were detected and removed; ignore-scripts would have blocked the preinstall hook entirely → prevention/credential-hygiene.md — short-lived, narrowly-scoped cloud creds; no long-lived multi-cloud admin tokens in dev environments → prevention/agent-sandboxing.md — your AI coding agent shouldn't be able to reach api.anthropic.com from a CI runner that doesn't host the agent; an explicit egress allowlist on CI runners would have caught the camouflage exfil → Detect the camouflage primitive in your egress logs. Add an alert for any outbound HTTPS to api.anthropic.com from workloads that are not the AI tool itself — this catches Miasma and any future variant that picks a different AI-vendor host (api.openai.com, generativelanguage.googleapis.com, etc.) → Require signed commits + protected-branch review on .github/workflows/ — same defense as Megalodon; the GitHub Actions OIDC publish path is only as trustworthy as the source repo behind it → Subscribe to SafeDep / StepSecurity / Aikido / Socket supply-chain feeds — Miasma was named within 12 hours of first publish, but only because all four had agents watching the npm publish firehose

Sources