"This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential downstream propagation," Socket said.
What Miasma is doing on developer machines
Security researchers report a new supply-chain campaign, codenamed Miasma, that has compromised multiple @redhat-cloud-services npm packages to steal credentials and deliver a self-propagating worm. Per analyses by Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity, and Wiz, the malicious packages include an obfuscated preinstall hook designed to collect GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, Git credentials and other sensitive files.
The malware contains encrypted exfiltration logic that transmits stolen data to api.anthropic[.]com:443/v1/api and also uses GitHub as a fallback channel. Socket said the malware "commits the encrypted result envelope through the GitHub API" and noted commit messages can include: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:<token>.
Compromised @redhat-cloud-services packages and patient zero evidence
- @redhat-cloud-services/vulnerabilities-client
- @redhat-cloud-services/tsc-transform-imports
- @redhat-cloud-services/topological-inventory-client
- @redhat-cloud-services/sources-client
- @redhat-cloud-services/rule-components
- @redhat-cloud-services/remediations-client
- @redhat-cloud-services/rbac-client
Researchers state evidence suggests the compromise began when a Red Hat employee's GitHub account was abused to inject the payload into packages. That account reportedly pushed malicious orphan commits to two RedHatInsights repositories, bypassing code review.
How the malware weaponizes CI/CD and developer tooling
SafeDep and other analysts documented that, for npm, the payload calls the OIDC token exchange and whoami endpoints, repackages a tarball (updateTarball, package-updated.tgz), and signs artifacts through Sigstore. The malware enumerates repositories the token can write to, reads action.yml/action.yaml via GraphQL, and uses the createCommitOnBranch GraphQL mutation to commit workflows so the changes appear as verified, signed commits.
The malware attempts privilege escalation by launching a container that bind-mounts the host /etc/sudoers.d and grants the CI runner passwordless sudo. It also checks for endpoint protection products from CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before proceeding with malicious actions.
Persistence, evasion, and indications of propagation
Analysts say the malware was modified from prior Mini Shai-Hulud waves. Wiz reported new collectors focused on cloud identities — specifically GCP and Azure collectors that enumerate all identities available to the infected host — signaling a stronger focus on gaining cloud access rather than just extracting secrets. Unlike earlier variants, this malware generates a uniquely encrypted payload per infection, complicating detection and tracking.
Persistence mechanisms include injecting a SessionStart hook into Anthropic Claude Code and adding a tasks.json with "runOn": "folderOpen" for Microsoft Visual Studio Code projects so the malware launches during sessions. Stolen credentials are exfiltrated to attacker-created public GitHub repositories, each carrying the description "Miasma: The Spreading Blight." OX Security noted the first commit containing that string appeared on May 29, 2026.
The malware also avoids execution on Russian-language systems, a behavior seen in prior campaigns such as GlassWorm, according to the reporting.
Attribution complications and the role of open-sourced tooling
Exactly who is responsible is presently unknown. Socket and other analysts point out that TeamPCP — an actor tied to earlier Shai-Hulud activity — published attack tools linked to the Shai-Hulud worm, which opens the door for other operators to reuse the techniques and makes definitive attribution harder.
What this means for CI/CD operators, developers, and enterprise responders
Researchers and responders recommend immediate, specific actions: isolate hosts that have installed affected package versions; remove the malicious versions; rotate exposed credentials; and review for suspicious GitHub and npm activity. The reporting warns that uninstalling the npm package or deleting node_modules "should not be considered sufficient cleanup," Socket said, because of background execution and developer-tool persistence mechanisms.
For CI/CD systems, analysts advise suspending affected workflow runs, invalidating build artifacts produced during the exposure window, and reviewing whether any release, container image, npm package, or deployment artifact was created after the malicious package was installed. Investigators should audit for persistence artifacts involving changes to configuration files such as ~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, and .github/setup.js, and enforce strong access controls.
The Miasma wave combines credential theft, CI/CD abuse, artifact signing, and developer-tool persistence into a single campaign. With the first public trace recorded on May 29, 2026 and multiple analyses converging on the same technical patterns, organizations that use the listed @redhat-cloud-services packages should treat the compromise as active and audit broadly for downstream contamination.
Source: The Hacker News — Miasma Supply Chain Attack Compromises Red Hat npm Packages




