A fresh supply chain attack campaign known as Miasma has targeted @redhat-cloud-services packages. The attackers compromised these packages to steal sensitive information like credentials and secrets from developers’ machines while also deploying a worm designed to spread on its own.
“Think of this as a smaller-scale version of the Shai-Hulud attacks: it relies on identical core strategies such as running during installation, gathering credentials, targeting CI/CD pipelines, exfiltrating encrypted data, and potentially spreading further,” Socket explained.
The identity of the attackers remains unclear, largely because TeamPCP, a well-known cybercrime group, previously open-sourced the tooling behind the Shai-Hulud worm. That release has allowed other malicious parties to replicate similar attacks and has complicated efforts to definitively trace the source.
Below are the names of several affected packages:
- @redhat-cloud-services/vulnerabilities-client
- @redhat-cloud-services/tsc-transform-imports
- @redhat-cloud-services/topological-inventory-client
- @redhat-cloud-services/sources-client
- @redhat-cloud-services/rule-components
- @redhat-cloud-services/remediations-client
- @redhat-cloud-services/rbac-client
Investigations carried out by Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity, and Wiz reveal that the malicious npm packages include a hidden, obfuscated preinstall script. Its purpose is to gather GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault data, SSH keys, Git credentials, and other sensitive files.
Similar to earlier Mini Shai-Hulud incidents, the malware features logic for exfiltrating stolen data through encrypted channels to “api.anthropic[.]com:443/v1/api” and uses GitHub as a backup. This shows that the attacker aims not only to steal credentials but also to exploit them and continue infecting the software supply chain.
“It pushes the encrypted result via the GitHub API,” Socket noted. “The commit message may include the phrase: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:

One particularly interesting tactic employed by the malware is its deliberate refusal to execute on systems set to Russian, a behavior also seen in previous GlassWorm supply chain campaigns.
“For npm, the payload initiates the OIDC token exchange, hits the whoami endpoint, rebuilds a tarball (updateTarball, package-updated.tgz), and signs the artifact using Sigstore,” SafeDep explained. “Stolen credentials are sent to attacker-created public GitHub repositories, each bearing the label Miasma: The Spreading Blight.”
OX Security discovered that the earliest commit containing the “Miasma: The Spreading Blight” string surfaced on May 29, 2026, suggesting that this variant was either operational since then or the threat actor began testing around that date.

On GitHub, the malware identifies repositories accessible to the token, fetches action.yml/action.yaml through GraphQL, and commits a new workflow via the createCommitOnBranch mutation, making the commit appear as a verified, signed change. Additional actions performed by the malware include:
- Launching a container that bind-mounts the host /etc/sudoers.d directory to gain passwordless sudo access for the CI runner, thereby escalating privileges
- Scanning for endpoint protection tools from CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before proceeding with its malicious routines
- Ensuring persistence by adding a SessionStart hook to the Anthropic Claude Code configuration and inserting a tasks.json entry with “runOn”: “folderOpen” for Microsoft Visual Studio Code projects, so that the malware launches automatically whenever a session begins
“A key difference in this latest variant is the introduction of new data collectors aimed at cloud identities,” Wiz researchers stated. “New collectors specifically targeting GCP and Azure identities have been added, enabling the malware to gather every identity the infected machine can access. While earlier versions mainly focused on extracting secrets, this updated variant signals a shift in attacker focus toward obtaining and leveraging direct cloud access.”
In contrast to previous iterations, this malware also produces a uniquely encrypted payload for each separate infection, which makes detecting and tracking specific versions considerably more difficult.
Available evidence indicates that the compromise of a Red Hat employee’s GitHub account served as the initial point of entry for injecting the payload into these packages. The hijacked account reportedly pushed malicious orphan commits directly to two RedHatInsights repositories, circumventing the standard code review process.
Stakeholders are advised to isolate any hosts that have installed the affected versions, uninstall the compromised packages, rotate all exposed credentials, check for signs of unusual GitHub or npm activity, scan for persistence artifacts involving configuration file changes (~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, .github/setup.js), and enforce stricter access control policies.
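To make the triage advice above concrete (the affected package names from the list earlier in the article, and the persistence paths named in this paragraph), here is a host/repository scan written for this page. It is an added example, not code from the article or from any of the vendors cited. It assumes the standard VS Code `runOptions.runOn` layout for tasks.json and a `hooks.SessionStart` key in the Claude Code settings file; both layouts are assumptions, and because the article gives no affected version numbers, a dependency hit means "check against the advisory", not "confirmed compromised". `make_constructed_sample()` writes a fabricated project layout so the scan can be exercised offline.

```python
"""Triage scan for the Miasma npm compromise. Added example, not vendor tooling.

Assumptions: affected package names and artifact paths are those named in the
article; affected versions are not on the page, so dependency hits are leads.
"""
import json
import tempfile
from pathlib import Path

# Package names listed in the article as affected (versions unknown here).
AFFECTED_PACKAGES = {
    "@redhat-cloud-services/vulnerabilities-client",
    "@redhat-cloud-services/tsc-transform-imports",
    "@redhat-cloud-services/topological-inventory-client",
    "@redhat-cloud-services/sources-client",
    "@redhat-cloud-services/rule-components",
    "@redhat-cloud-services/remediations-client",
    "@redhat-cloud-services/rbac-client",
}

# Persistence artifacts named in the article, relative to a checkout or home dir.
ARTIFACT_PATHS = [
    ".claude/settings.json",
    ".vscode/tasks.json",
    ".github/workflows/codeql.yml",
    ".github/setup.js",
]


def _load_json(path: Path):
    """Parse a JSON file, returning None if it is missing or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def find_affected_dependencies(root: Path) -> list:
    """Affected package names referenced by manifests or present in node_modules."""
    hits = set()
    pkg = _load_json(root / "package.json")
    if isinstance(pkg, dict):
        for section in ("dependencies", "devDependencies", "optionalDependencies"):
            hits.update(n for n in (pkg.get(section) or {}) if n in AFFECTED_PACKAGES)
    lock = _load_json(root / "package-lock.json")
    if isinstance(lock, dict):
        # lockfile v2/v3 keys entries as "node_modules/<name>"; v1 uses "dependencies"
        for key in (lock.get("packages") or {}):
            if key.split("node_modules/")[-1] in AFFECTED_PACKAGES:
                hits.add(key.split("node_modules/")[-1])
        hits.update(n for n in (lock.get("dependencies") or {}) if n in AFFECTED_PACKAGES)
    # Installed copies count regardless of what the manifests say.
    hits.update(n for n in AFFECTED_PACKAGES if (root / "node_modules" / n).exists())
    return sorted(hits)


def find_persistence_artifacts(root: Path) -> list:
    """(path, reason) pairs for the config files the article names.

    Mere existence is flagged for review: codeql.yml and tasks.json are legitimate
    in many projects, so every hit needs a human diff against git history.
    """
    findings = []
    for rel in ARTIFACT_PATHS:
        p = root / rel
        if not p.exists():
            continue
        reason = "present; review against git history / known-good copy"
        data = _load_json(p) if p.suffix == ".json" else None
        if rel.endswith("settings.json") and isinstance(data, dict):
            if "SessionStart" in (data.get("hooks") or {}):  # assumed Claude Code hook layout
                reason = "SessionStart hook configured (article: Claude Code persistence)"
        elif rel.endswith("tasks.json") and isinstance(data, dict):
            for task in data.get("tasks") or []:  # assumed VS Code runOptions layout
                if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                    reason = "task with runOn=folderOpen (article: VS Code persistence)"
                    break
        findings.append((rel, reason))
    return findings


def triage(root: str) -> dict:
    """Run both checks over a directory and return the findings."""
    r = Path(root)
    return {
        "affected_dependencies": find_affected_dependencies(r),
        "persistence_artifacts": find_persistence_artifacts(r),
    }


def make_constructed_sample() -> str:
    """Write a CONSTRUCTED (not real) project layout into a temp dir; return its path."""
    d = Path(tempfile.mkdtemp(prefix="miasma-triage-"))
    (d / ".vscode").mkdir()
    (d / ".claude").mkdir()
    (d / "package.json").write_text(json.dumps(
        {"dependencies": {"@redhat-cloud-services/rbac-client": "^1.0.0", "left-pad": "1.3.0"}}))
    (d / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "sample", "type": "shell", "command": "echo constructed",
         "runOptions": {"runOn": "folderOpen"}}]}))
    (d / ".claude" / "settings.json").write_text(json.dumps({"hooks": {"SessionStart": []}}))
    return str(d)


if __name__ == "__main__":
    import sys
    print(json.dumps(triage(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it against each checkout and each developer home directory that installed the affected packages (`python3 triage.py ~`); a clean result does not prove a host is clean, since the article notes the malware also installs background execution paths, so treat the output as a starting list for the isolation and credential-rotation steps above.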
“Since the malware incorporates background execution and potential persistence mechanisms through developer tools, simply uninstalling the npm package or deleting the node_modules folder is not a thorough cleanup,” Socket cautioned.
“For CI/CD environments, pause any impacted workflow runs, invalidate all build artifacts generated during the exposure period, and investigate whether any releases, container images, npm packages, or deployment artifacts were produced after the malicious package was installed.