Supply Chain Compromise, RedHat, npm, Mini Shai-Hulud, Miasma, Malware
Source Material: RedHat | Technology: Node.js, npm, CI/CD, GitHub Actions | Targeted Industries: Software Development, DevOps, Opportunistic
Executive Summary
On June 1, 2026, a significant supply-chain attack compromised at least 32 official packages under the @redhat-cloud-services npm namespace. A compromised Red Hat employee GitHub account facilitated the breach. The attacker used this access to push malicious orphan commits to multiple repositories. This tactic effectively bypassed standard peer reviews. These commits abused GitHub Actions OpenID Connect (OIDC) trusted publishing to upload trojanized package versions directly to the public npm registry.
The malicious packages execute an obfuscated JavaScript payload during the preinstall phase, deploying a credential-stealing worm known as “Miasma.” This malware is a variant of the Mini Shai-Hulud framework attributed to the threat actor TeamPCP. It aggressively targets developer workstations and CI/CD environments, scraping credentials across major cloud providers (AWS, Azure, GCP), CI platforms, Kubernetes clusters, HashiCorp Vault, and local password managers. The worm is also self-propagating, using harvested npm tokens to autonomously republish backdoored packages. Immediate credential rotation and forensic investigation are required for any organization that installed the affected versions during the exposure window.
Threat Overview and Strategic Impact
The Miasma worm is self-propagating and harvests credentials at scale. The compromised packages average roughly 80,000 weekly downloads. This massive reach exposes external organizations, independent developers, and automated build pipelines integrating with Red Hat cloud services.
The attack chain initiates automatically upon executing npm install. The malicious preinstall hook triggers a multi-stage loader that executes the credential stealer using a downloaded Bun runtime (v1.3.13), effectively bypassing standard Node.js monitoring. The malware extracts masked secrets directly from the memory of GitHub Actions Runner.Worker processes, bypassing standard masking mechanisms. Notably, this variant introduces new collectors for GCP and Azure to enumerate all accessible cloud identities, shifting the focus from simple credential scraping to broader cloud environment mapping.
Exfiltration occurs via the GitHub API. The stolen data is hybrid-encrypted and pushed to attacker-controlled public repositories disguised with descriptions such as “Miasma: The Spreading Blight” or reversed strings like “niagA oG eW ereH :duluH-iahS”. For persistence and propagation, the malware infects a wide array of AI developer agent configurations (including Claude, Codex, Gemini, Copilot, Kiro, and OpenCode) by injecting malicious hooks into settings.json files and VS Code’s .vscode/tasks.json. Furthermore, the worm actively searches for writable GitHub repositories to infect language-specific build files (e.g., Makefile, package.json, Dockerfile, setup.py) and overwrites existing GitHub Actions workflows to autonomously execute the stealer on future pushes.
Security Hardening and Recommendations
- Containment First: Do not simply revoke credentials immediately. The malware may include a dead man’s switch that monitors stolen GitHub tokens and can execute destructive commands (e.g., wiping the home directory via rm -rf ~/) if the token is invalidated. Remove persistence mechanisms before rotating tokens.
- Audit Dependencies: Search lockfiles (package-lock.json, yarn.lock) and build environments for affected @redhat-cloud-services versions (e.g., [email protected], [email protected], [email protected], etc.).
- Remove Persistence: Inspect .vscode/tasks.json and ~/.claude/settings.json for unexpected hooks. Search for systemd or launchctl token-monitor services (e.g., gh-token-monitor.service).
- Credential Rotation: Once the system is clean, rotate all potentially exposed secrets, including AWS/GCP/Azure keys, GitHub PATs, npm tokens, Vault tokens, and SSH keys.
- Preventative Measures: Pin npm OIDC trusted publishers to specific workflows on the main branch, restrict id-token: write permissions, and configure dependency tools to ignore scripts (–ignore-scripts) when feasible.
Detection Strategy
Detection efforts should focus on identifying abnormal child processes spawned during dependency installation and unusual outbound connections to GitHub APIs from build servers.
- Monitor for the creation of temporary JavaScript files (e.g., /tmp/p<random>.js) and the execution of the Bun runtime (bun) initiated by node index.js during npm installs.
- Analyze CI/CD runner memory for unauthorized memory reads against the Runner.Worker process.
- Audit GitHub repository activity for unauthorized branch creation (e.g., chore/add-codeql-static-analysis), unexpected OIDC token minting events, and commits containing the prefix oidc-.
How Deepwatch Protects Our Customers
Deepwatch Guardians are continuously monitoring customer environments for suspicious and malicious activity. The Threat Intel team is actively analyzing intelligence on emerging supply chain threats and integrating high-fidelity indicators into our detections. Our Threat Hunters periodically conduct threat hunts to identify suspicious activity in customer environments.
Relevant Detections
Please visit Security Center to access the relevant detections for this activity.
Threat Hunting Leads
- Hunt for instances of index.js with sizes exceeding 4 MB in node_modules/@redhat-cloud-services.
- Hunt for outbound HTTP requests from CI runners to GitHub APIs using the spoofed user agent python-requests/2.31.0.
- Review runner telemetry for attempts to read /proc/<pid>/mem.
- Monitor GitHub API query logs for the specific dead-drop resolver strings firedalazer or thebeautifulmarchoftime.
- Look for unexpected creation of .github/setup.js or _index.js across internal repositories, as well as unauthorized modifications to build files like Makefile or package.json.
- Monitor for anomalous DNS queries to api.anthropic.com, which the malware uses as a decoy Command and Control (C2) domain.
- Search memory and logs for the string IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner, which is associated with the malware’s destructive token monitoring logic (a dead-man switch designed to wipe the machine if the attacker detects a stolen token has been revoked).
Technical Artifacts
Please visit Security Center to access the associated technical artifacts.
Threat Object Mapping
Intrusion Set:
- TeamPCP (or Miasma copycat)
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
| Initial Access | Supply Chain Compromise | T1195.001 | Malicious npm packages via OIDC abuse |
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | Bun and Node.js execution of payload |
| Persistence | Create or Modify System Process: Systemd Service | T1543.002 | Dead-man switch / token monitor service |
| Credential Access | Unsecured Credentials: Cloud Instance Metadata API | T1552.005 | Scraping AWS IMDSv2 |
| Exfiltration | Exfiltration to Code Repository | T1567.001 | Committing data to public GitHub repositories |
Vulnerabilities:
- N/A (Supply chain compromise via stolen credentials/OIDC bypass, not a specific CVE)
Malware/Tool:
- Miasma / Mini Shai-Hulud / TeamPCPCloudStealer
Additional Sources
- Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm
- CSA-260636 TeamPCP Compromises Multiple npm and PyPI Packages, Delivers New TeamPCPCloudStealer Variants
- Red Hat npm packages compromised in new Mini Shai-Hulud malware wave
- Miasma: Red Hat Cloud Services npm Packages Hit by a Mini Shai-Hulud-Style Campaign
- Red Hat npm Packages Compromised in Supply-Chain Attack Spreading Credential-Stealing Worm
- Mini Shai-Hulud Supply-Chain Compromise of @redhat-cloud-services npm Packages via GitHub Actions OIDC Abuse
- Red Hat Cloud Services Package Compromise
- Red Hat Cloud Services npm Packages Hijacked
- Multiple redhat-cloud-services npm Packages compromised
- Miasma: Supply Chain Attack Targeting RedHat npm Packages
Share