    Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm

    By admin | June 1, 2026 | 4 Mins Read

    A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma, has compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm.

    “This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential downstream propagation,” Socket said.

    Exactly who is behind the attack activity is presently unknown given that TeamPCP, an infamous cybercrime group, has open-sourced the attack tools linked to the Shai-Hulud worm, opening the door for other threat actors to pull off similar attacks and making definitive attribution harder.

    The names of some of the affected packages are listed below –

    • @redhat-cloud-services/vulnerabilities-client
    • @redhat-cloud-services/tsc-transform-imports
    • @redhat-cloud-services/topological-inventory-client
    • @redhat-cloud-services/sources-client
    • @redhat-cloud-services/rule-components
    • @redhat-cloud-services/remediations-client
    • @redhat-cloud-services/rbac-client

    Per analyses from Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity, and Wiz, the npm packages contain an obfuscated preinstall hook that’s designed to collect GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, Git credentials, and other sensitive files.
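
    A triage pass over an installed dependency tree for the install-time hook described above, as an added example that is not code from the article or the vendors it cites. It reports every package under node_modules that declares a preinstall, install or postinstall script and marks the names from the list above; the article gives no affected version numbers, so any installed version of a listed package is marked, and the function names are illustrative.

```python
import json
from pathlib import Path

# Names copied from the article's list, which it describes as partial.
LISTED = {"@redhat-cloud-services/" + n for n in (
    "vulnerabilities-client", "tsc-transform-imports",
    "topological-inventory-client", "sources-client",
    "rule-components", "remediations-client", "rbac-client")}
LIFECYCLE = ("preinstall", "install", "postinstall")


def package_roots(root):
    """Yield package.json files that sit at a package root inside node_modules."""
    for manifest in Path(root).rglob("package.json"):
        parts = manifest.parent.parts
        if "node_modules" not in parts:
            continue
        last = len(parts) - 1 - parts[::-1].index("node_modules")
        rel = parts[last + 1:]
        # Package roots are node_modules/<name> or node_modules/@scope/<name>.
        if len(rel) == 1 or (len(rel) == 2 and rel[0].startswith("@")):
            yield manifest


def triage(root):
    """Return sorted rows (listed, name, version, hook, command) for install-time hooks."""
    rows = []
    for manifest in package_roots(root):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: nothing to report from it
        if not isinstance(meta, dict):
            continue
        scripts = meta.get("scripts")
        name = str(meta.get("name", ""))
        for hook in LIFECYCLE:
            if isinstance(scripts, dict) and hook in scripts:
                rows.append((name in LISTED, name, str(meta.get("version", "")),
                             hook, str(scripts[hook])))
    # Listed packages first, then alphabetical.
    return sorted(rows, key=lambda r: (not r[0], r[1], r[3]))


if __name__ == "__main__":
    for listed, name, version, hook, command in triage("."):
        tag = "LISTED" if listed else "review"
        print(f"[{tag}] {name}@{version} {hook}: {command[:120]}")
```

    Many legitimate packages declare install scripts, so unmarked rows are candidates for review rather than findings.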

    As observed in prior Mini Shai-Hulud waves, the malware also contains encrypted exfiltration logic that transmits the data to “api.anthropic[.]com:443/v1/api” and uses GitHub as a fallback mechanism. This indicates that the attacker aims both to steal credentials and to weaponize them to further poison the software supply chain.

    “It commits the encrypted result envelope through the GitHub API,” Socket said. “The commit message can include: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:.”

    Another noteworthy step carried out by the malware is to avoid execution on Russian-language systems, a pattern also observed in the GlassWorm supply chain campaigns.

    “For npm, the payload calls the OIDC token exchange and whoami endpoints, repackages a tarball (updateTarball, package-updated.tgz), and signs the artifact through Sigstore,” SafeDep said. “Stolen credentials exfiltrate to attacker-created public GitHub repositories, each carrying the description Miasma: The Spreading Blight.”

    The first commit containing the “Miasma: The Spreading Blight” string appeared on May 29, 2026, OX Security noted, indicating either that this variant has been active since then or that the threat actor started testing around that time.

    As for GitHub, the malware enumerates repositories the token can write to, reads action.yml/action.yaml via GraphQL, and commits a workflow through the createCommitOnBranch mutation so that the commit appears as a verified, signed change. Other actions carried out by the malware are listed below –

    • Attempt privilege escalation by launching a container that bind-mounts the host /etc/sudoers.d and grants the CI runner passwordless sudo
    • Check for endpoint protection from CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before commencing the malicious actions
    • Establish persistence by injecting a SessionStart hook into Anthropic Claude Code and a tasks.json with "runOn": "folderOpen" into Microsoft Visual Studio Code projects so that the malware is automatically launched during every session

    “One of the main changes in this new variant is the addition of new data collectors focused on cloud identities,” Wiz researchers said. “Specifically, collectors for GCP and Azure identities were added that collect all identities the infected machine has access to. While previous versions of the malware primarily focused on extracting secrets from these environments, this variant suggests an increased attacker focus on gaining and leveraging access to the cloud itself.”

    Unlike previous versions, the malware has also been found to generate a uniquely encrypted payload for each infection, thereby making detection and version tracking significantly more challenging.

    Evidence suggests that a Red Hat employee’s compromised GitHub account was patient zero, used to inject the payload into these packages. The compromised account is said to have pushed malicious orphan commits to two RedHatInsights repositories, bypassing code review.

    It’s recommended to isolate hosts that have installed the affected versions, remove the malicious versions, rotate exposed credentials, review for any signs of suspicious GitHub or npm activity, audit the environment for persistence artifacts that involve changes to configuration files (~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, .github/setup.js), and enforce strong access controls.

    “Because the malware includes background execution and potential developer-tool persistence mechanisms, uninstalling the npm package or deleting node_modules should not be considered sufficient cleanup,” Socket explained.

    “For CI/CD systems, suspend affected workflow runs, invalidate build artifacts produced during the exposure window, and review whether any release, container image, npm package, or deployment artifact was created after the malicious package was installed.”
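
    One way to run the persistence audit recommended above, as an added example that is not code from the article or the vendors it cites. It checks the four paths the article names, looking for a SessionStart key at any depth of the Claude Code settings and for the runOn/folderOpen marker as text in VS Code task files; the function names are illustrative.

```python
import json
import re
from pathlib import Path

# File names and markers are the ones the article names; JSON nesting is not assumed.
NAMED_FILES = (".github/workflows/codeql.yml", ".github/setup.js")
RUN_ON_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')


def find_key(node, key):
    """Yield every value stored under `key` at any depth of parsed JSON."""
    if isinstance(node, dict):
        if key in node:
            yield node[key]
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from find_key(item, key)


def audit_claude_settings(path):
    """Findings for SessionStart hooks; an unparseable file is flagged on the raw marker."""
    path = Path(path)
    if not path.is_file():
        return []
    text = path.read_text(encoding="utf-8", errors="replace")
    try:
        hooks = list(find_key(json.loads(text), "SessionStart"))
    except ValueError:
        hooks = ["unparsed"] if "SessionStart" in text else []
    return [(str(path), "SessionStart hook", json.dumps(h)[:200]) for h in hooks]


def audit_project(root):
    """Findings for auto-run VS Code tasks and the repository files the article names."""
    root, findings = Path(root), []
    for tasks in sorted(root.rglob(".vscode/tasks.json")):
        # tasks.json may contain comments, so match on text instead of parsing it.
        if RUN_ON_OPEN.search(tasks.read_text(encoding="utf-8", errors="replace")):
            findings.append((str(tasks), "task runs on folderOpen", ""))
    for rel in NAMED_FILES:
        if (root / rel).is_file():
            findings.append((str(root / rel), "named in the article, review", ""))
    return findings


if __name__ == "__main__":
    for f in audit_claude_settings(Path.home() / ".claude/settings.json") + audit_project("."):
        print(*f, sep=" | ")
```

    SessionStart hooks and folderOpen tasks also have legitimate uses, so each finding needs a look at the command it runs.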
