Miasma — @redhat-cloud-services npm scope compromised by Mini-Shai-Hulud-derived worm (June 2026)
TL;DR
On 2026-06-01, Wiz Research and others identified a supply-chain compromise of the @redhat-cloud-services npm scope — Red Hat's official client libraries used by the Hybrid Cloud Console, Insights, and OpenShift frontends. 32 packages / 96 malicious versions were published in a roughly 72-second automated burst (Aikido, Wiz), each carrying a preinstall hook that drops a ~4.2 MB obfuscated payload stealing AWS / GCP / Azure / Kubernetes / HashiCorp Vault / GitHub / npm / CircleCI credentials. Cumulative weekly downloads of the affected scope: ~80,000. The campaign — dubbed "Miasma: The Spreading Blight" — is a lightly reskinned descendant of the (Mini) Shai-Hulud worm that TeamPCP open-sourced on 2026-05-12, with Greek-mythology theming (spartan) replacing Dune references but the same self-propagation core, and new GCP/Azure identity collectors added. Notable IOC: the payload exfiltrates over HTTPS to a camouflage URL https://api.anthropic.com:443/v1/api — not Anthropic infrastructure, but a fake path on a real-vendor host chosen to blend into network logs at organizations using Anthropic. Initial access was a compromised Red Hat employee GitHub account → GitHub Actions OIDC token → npm publish (JFrog, Aikido). Red Hat published RHSB-2026-006; npm has removed the malicious versions.
Update 2026-06-11: On 2026-06-09–10, the Miasma worm source code was briefly open-sourced on GitHub via compromised developer accounts (repositories named "Miasma-Open-Source-Release"), mirroring what TeamPCP did with Mini Shai-Hulud on 2026-05-12. The full attack toolkit — covering npm/PyPI/RubyGems/JFrog/GitHub targeting and AI-tool configuration poisoning — is now public. SafeDep preserved artifacts before GitHub removed the repositories within hours. Mini Shai-Hulud going public spawned five documented copycat waves in 30 days; a sixth wave is expected imminently. Monitor supply-chain feeds closely and treat any unexpected outbound HTTPS to
api.anthropic.com,api.openai.com, or other AI-vendor hosts from non-AI workloads as a Miasma-family IOC — the camouflage primitive is now well-known. See the Hades Campaign advisory for the most recent copycat (June 8). Sources: SafeDep, BleepingComputer, The Register.
What happened
On 2026-06-01, Wiz Research detected malicious code in at least 32 package releases published under the @redhat-cloud-services npm scope — Red Hat's official frontend client libraries used by the OpenShift / Hybrid Cloud Console / Insights / Edge dashboards. The malicious releases included @redhat-cloud-services/chrome, @redhat-cloud-services/compliance-client, @redhat-cloud-services/frontend-components, and ~29 sibling client libraries. Across those 32 packages, 96 unique malicious versions were published in a ~72-second window, indicating fully automated publishing — the actor's tooling, not a sleepy human.
Attack flow
- Initial access — compromised Red Hat employee GitHub account. JFrog and Aikido converged on the conclusion that an employee's GitHub account was the foothold; the malicious npm publishes ran via the existing GitHub Actions OIDC token that the legitimate release workflow uses to talk to npm. The npm account itself was not separately phished — the source-repo trust boundary failed first. (Same shape as Megalodon's
@tiledesk/tiledesk-serverarm.) - Mass automated publishing. 96 versions / 32 packages / 72 seconds → strong signal of a scripted republish that walked the org's package list.
- Preinstall hook. Each malicious version's
package.jsonadds apreinstallscript that runs before dependency resolution completes. Anyone who rannpm installagainst an unpinned^x.y.zrange or alatesttag on 2026-06-01 executed the payload on their workstation or CI runner. - Stage-2 payload — ~4.2 MB obfuscated JavaScript. Once decoded, the payload is a multi-stage credential harvester. It enumerates AWS / GCP / Azure / Kubernetes / HashiCorp Vault / GitHub / npm / CircleCI credentials reachable from the host, explicitly attempts to bypass StepSecurity Harden-Runner, then exfiltrates harvested data over HTTPS to a camouflage URL
https://api.anthropic.com:443/v1/api— not Anthropic infrastructure, but the real host with a non-existent path, chosen because outbound HTTPS toapi.anthropic.comis a baseline-normal destination at most organizations that use Anthropic models and will not flag in egress logs (CyberSecurity News, StepSecurity). Because the path is non-existent, every exfil POST returns 4xx — but the request itself carries the exfiltrated payload in body/headers, and many security stacks log only response codes. - Worm component. The payload also attempts to use the stolen npm token to republish trojanized versions of every other package the victim can publish to, the same self-propagation primitive as the original Shai-Hulud, Mini Shai-Hulud, and TrapDoor waves.
What's new vs. plain Mini Shai-Hulud
Miasma is largely the open-sourced Mini Shai-Hulud worm with cosmetic and operational changes (JFrog research, Wiz), but two changes matter:
- Greek-mythology theming replaces Dune. Internal markers / function names now use
spartan/miasmainstead ofkralizec/phibian/shai-hulud. This breaks blue-team yara rules and SIEM queries that grep for the original Dune string set. - New cloud-identity collectors. Where the original Mini Shai-Hulud focused on AWS + GitHub + npm, Miasma added explicit GCP and Azure identity collectors that enumerate every cloud identity the infected machine has access to. This squarely targets cloud-frontend dev environments — which is exactly the audience of
@redhat-cloud-services(OpenShift / RHEL / Insights dashboards run with broad multi-cloud IAM grants). api.anthropic.comcamouflage exfil. The first observed wave to disguise exfil traffic as AI-vendor API calls rather than the usual GitHub Gist / direct VPS / disposable-tunnel C2. Expect this technique to spread to other waves —api.openai.com,api.anthropic.com,generativelanguage.googleapis.com,bedrock-runtime.us-east-1.amazonaws.comare all "AI-coding-tool baseline-normal" destinations now.
Attribution
This is almost certainly not TeamPCP themselves. TeamPCP open-sourced the Mini Shai-Hulud worm on 2026-05-12 with the message "Shai-Hulud: Open Sourcing The Carnage", and Miasma is what one would expect a competent second actor to ship two weeks later: original payload, new theming, expanded cloud-identity collection, fresh C2 disguise. This is the third worm-source-public copycat wave sweep-tracked so far:
- TrapDoor (2026-05-22) — different actor, cross-ecosystem (npm + PyPI + Crates.io),
.cursorrules/CLAUDE.mdpoisoning. - Shai-Hulud copycat wave (2026-05-18) —
deadcode09284814typosquats, near-verbatim worm clones with*.lhr.lifeC2. - Miasma (2026-06-01) — first to land on a major legitimate npm scope at TeamPCP scale rather than typosquats, with cloud-identity expansion and AI-vendor camouflage exfil.
The blast radius is smaller than the TanStack/Mistral wave (~80K weekly downloads vs. 518M+), but the target scope alignment is sharper — every consumer of @redhat-cloud-services is, by definition, a multi-cloud IAM holder.
Am I affected?
Check whether any compromised version reached your lockfile
# Any version of the scope installed in the install window
npm ls --all 2>/dev/null | grep '@redhat-cloud-services/'
# Specific packages confirmed compromised (sample; see Red Hat RHSB-2026-006 for the full list)
for p in chrome compliance-client frontend-components rbac-client host-inventory-client \
notifications-client patches-client sources-client subscriptions-client \
types config-utils-frontend frontend-components-config-utilities; do
npm ls "@redhat-cloud-services/$p" 2>/dev/null
done
# Any install activity on 2026-06-01 (the window of malicious-version availability)
grep '@redhat-cloud-services' ~/.npm/_logs/*.log 2>/dev/null | grep '2026-06-01'
Check your CI / Docker images
# Re-build any image whose lockfile or layer was created on 2026-06-01 against the
# scope's malicious versions. Pull the affected versions out of any registry cache:
docker images --digests | grep -i redhat-cloud-services
Egress check — the camouflage IOC
If you have CI / endpoint egress logs, search for outbound HTTPS to api.anthropic.com from non-AI workloads on or after 2026-06-01, especially with response codes that are not 200 (Anthropic's API does not have a /v1/api path, so every exfil request will be 4xx):
# Pseudo-pattern; adapt to your egress logs (CloudFlare/Cloudflare Logpush/AWS VPC flow logs/etc.)
grep -E 'api\.anthropic\.com[^ ]*/v1/api' /var/log/egress/* 2>/dev/null
Hits from a build/CI runner that doesn't talk to Claude are high-confidence Miasma exfil. Hits from a developer workstation that does normally talk to Claude need to be cross-correlated with the timestamp window.
IOCs
| Type | Value |
|---|---|
| Campaign | Miasma (Wiz naming; "Miasma: The Spreading Blight") |
| Malware family | (Mini) Shai-Hulud — open-sourced by TeamPCP 2026-05-12; Miasma is a derivative with Greek-mythology theming |
| Disclosure | 2026-06-01 (Wiz Research) |
| Affected scope | @redhat-cloud-services (npm) |
| Versions | 32 packages / 96 malicious versions, published in a ~72-second automated burst on 2026-06-01 |
| Cumulative downloads | ~80,000 weekly across the affected scope |
| Initial access | Compromised Red Hat employee GitHub account → existing GitHub Actions OIDC → npm publish |
| Trigger | preinstall lifecycle hook in package.json |
| Payload | ~4.2 MB obfuscated JavaScript; harvests AWS / GCP / Azure / K8s / Vault / GitHub / npm / CircleCI creds; explicit Harden-Runner evasion |
| Exfil destination (camouflage) | https://api.anthropic.com:443/v1/api — fake path on real-vendor host; not Anthropic infrastructure |
| Internal markers | spartan, miasma (Greek-mythology replacement for original Dune markers) |
| Worm primitive | Steals npm token + republishes trojanized versions of every other package the victim can publish |
| Red Hat advisory | RHSB-2026-006 (Red Hat Customer Portal) |
| Upstream tracking issue | RedHatInsights/javascript-clients#492 |
| Status | Contained — malicious versions removed from npm; investigation ongoing |
| Attribution | Unknown actor, distinct from TeamPCP — third documented copycat of the open-sourced Mini Shai-Hulud worm after TrapDoor and the deadcode09284814 typosquat wave |
If you are affected
If @redhat-cloud-services/* was resolved or installed against a malicious 2026-06-01 version on any developer machine or CI runner:
→ playbooks/if-you-installed-a-bad-npm-package.md → playbooks/rotating-cloud-credentials.md — multi-cloud: rotate AWS, GCP, Azure access keys and any K8s / Vault tokens reachable from the affected host → playbooks/if-your-github-pat-leaked.md — every reachable GitHub PAT, npm token, and CircleCI token is in scope → Pin to a pre-2026-06-01 known-good version for every affected package and clear your npm/yarn/pnpm caches:
rm -rf ~/.npm/_cacache ~/.npm/_logs
rm -rf node_modules package-lock.json
npm install
# Verify your lockfile resolves to versions published before 2026-06-01
→ If you run a corporate npm mirror (Artifactory / Verdaccio / Sonatype): purge the malicious versions from your mirror's cache before letting developers re-install.
Prevention
→ prevention/npm-hardening.md — minimumReleaseAge would have blocked these versions for the 72-hour shake-out window during which they were detected and removed; ignore-scripts would have blocked the preinstall hook entirely
→ prevention/credential-hygiene.md — short-lived, narrowly-scoped cloud creds; no long-lived multi-cloud admin tokens in dev environments
→ prevention/agent-sandboxing.md — your AI coding agent shouldn't be able to reach api.anthropic.com from a CI runner that doesn't host the agent; an explicit egress allowlist on CI runners would have caught the camouflage exfil
→ Detect the camouflage primitive in your egress logs. Add an alert for any outbound HTTPS to api.anthropic.com from workloads that are not the AI tool itself — this catches Miasma and any future variant that picks a different AI-vendor host (api.openai.com, generativelanguage.googleapis.com, etc.)
→ Require signed commits + protected-branch review on .github/workflows/ — same defense as Megalodon; the GitHub Actions OIDC publish path is only as trustworthy as the source repo behind it
→ Subscribe to SafeDep / StepSecurity / Aikido / Socket supply-chain feeds — Miasma was named within 12 hours of first publish, but only because all four had agents watching the npm publish firehose
Sources
- Wiz Research — Miasma: Supply Chain Attack Targeting RedHat npm Packages — canonical first disclosure, named the campaign, 32 packages / 96 versions / 72-second burst
- JFrog Security Research — Shai-Hulud — Miasma: The Spreading Blight Hits Red Hat npm Packages — payload reverse-engineering, Greek-mythology marker, GCP/Azure collector additions, employee-account attribution
- Aikido — Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm — automation evidence (72-second window), GitHub Actions OIDC publish path
- StepSecurity — Multiple redhat-cloud-services npm Packages compromised — package list, Harden-Runner-evasion call-out,
api.anthropic.comcamouflage IOC - Snyk — Miasma Attack Hits Red Hat npm Packages — payload taxonomy, AI-supply-chain framing
- The Hacker News — Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm — mainstream coverage, payload summary
- Cybersecurity News — Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware —
api.anthropic.com/v1/apiexfil endpoint, Mini-Shai-Hulud-family attribution - The Register — Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week — ~80K weekly download figure, worm-propagation framing
- BleepingComputer — Red Hat npm packages compromised to steal developer credentials — confirmed credential-theft scope
- Mend — Miasma: Red Hat Cloud Services npm Packages Hit by a Mini Shai-Hulud-Style Campaign — multi-cloud-stealer framing
- Orca Security — Red Hat npm Packages Compromised in Supply-Chain Attack Spreading Credential-Stealing Worm — preinstall-hook flow
- Sonatype — Red Hat Cloud Services npm Packages Hijacked — Sonatype Firewall detection
- OX Security — New Shai-Hulud hits npm: @redhat-cloud-services Compromised — Shai-Hulud-family lineage
- Security Boulevard — Miasma: Red Hat Cloud Services npm Packages Hit by a Mini Shai-Hulud-Style Campaign — aggregator summary
- Red Hat — RHSB-2026-006: Supply chain compromise of @redhat-cloud-services npm packages — official vendor advisory ID
- RedHatInsights/javascript-clients#492 — Malicious npm releases detected across
@redhat-cloud-services/scope — upstream tracking issue with confirmed package-version list