Miasma Supply Chain Attack
A newly discovered software supply chain attack campaign, dubbed Miasma, has compromised multiple @redhat-cloud-services npm packages. The operation is designed to harvest credentials and sensitive information from developer environments while deploying a self-propagating worm capable of spreading further through software development ecosystems.
The campaign closely mirrors the tactics previously associated with Mini Shai-Hulud, leveraging installation-time execution, credential theft, CI/CD compromise, encrypted data exfiltration, and mechanisms that enable downstream propagation.
Table of Contents
Attribution Remains Uncertain
The threat actor responsible for Miasma has not yet been conclusively identified. Attribution is complicated by the fact that TeamPCP, also known as Replicating Marauder, TGR-CRI-1135, and UNC6780, previously released the attack tools associated with the Shai-Hulud worm as open-source projects. This development has enabled other cybercriminal groups to replicate similar techniques, making definitive attribution significantly more difficult.
Compromised npm Packages
The following npm packages have been identified as affected:
@redhat-cloud-services/vulnerabilities-client
@redhat-cloud-services/tsc-transform-imports
@redhat-cloud-services/topological-inventory-client
@redhat-cloud-services/sources-client
@redhat-cloud-services/rule-components
@redhat-cloud-services/remediations-client
@redhat-cloud-services/rbac-client
Credential Harvesting Through Obfuscated Installation Logic
Security researchers discovered that the malicious packages contain an obfuscated preinstall hook designed to execute automatically during package installation. The malware targets a wide range of sensitive assets, including GitHub Actions secrets, npm authentication tokens, cloud credentials, Kubernetes and HashiCorp Vault secrets, SSH keys, Git credentials, and other confidential files stored on compromised systems.
As observed in earlier Mini Shai-Hulud campaigns, the malware incorporates encrypted exfiltration routines. Stolen information is transmitted to api.anthropic.com:443/v1/api, while GitHub serves as an alternative exfiltration channel. This dual-purpose strategy demonstrates an effort not only to steal credentials but also to weaponize them for further software supply chain compromise.
Encrypted data packages are committed through the GitHub API, and commit messages may contain the string:
'IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:'
Stealth Techniques and Propagation Mechanisms
The malware includes several measures intended to maximize persistence, evade detection, and expand access. One notable characteristic is the deliberate avoidance of execution on Russian-language systems, a behavior previously observed in the GlassWorm supply chain campaigns.
For npm environments, the malicious code interacts with OIDC token exchange and whoami endpoints, repackages software archives into updated tarballs, and signs modified artifacts using Sigstore. Stolen credentials are then exfiltrated to attacker-controlled public GitHub repositories carrying the description 'Miasma: The Spreading Blight.'
Investigators identified the earliest known commit containing this description on May 29, 2026, suggesting either the beginning of active operations or an initial testing phase around that date.
Within GitHub environments, the malware enumerates repositories accessible to compromised tokens, analyzes workflow definitions through GraphQL queries, and injects malicious workflows using the createCommitOnBranch mutation. This approach allows malicious changes to appear as verified and cryptographically signed commits.
Advanced Persistence and Privilege Escalation Features
Analysis revealed several additional capabilities embedded within the malware:
Attempts to escalate privileges by launching containers that bind-mount the host's /etc/sudoers.d directory and grant passwordless sudo access to CI runners.
Detection of endpoint security solutions including CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before initiating malicious activity.
Persistence mechanisms that inject a SessionStart hook into Anthropic Claude Code and create malicious tasks.json files configured with 'runOn': 'folderOpen' for Microsoft Visual Studio Code projects, ensuring execution during future development sessions.
Increased Focus on Cloud Identity Compromise
A major evolution in the Miasma variant is its expanded focus on cloud identity collection. New modules targeting Google Cloud Platform (GCP) and Microsoft Azure environments gather information about all cloud identities accessible from an infected machine.
Previous variants primarily concentrated on extracting secrets from cloud environments. The addition of identity-focused collectors indicates a strategic shift toward obtaining direct cloud access and exploiting privileged identities within cloud infrastructures.
Further complicating detection efforts, each infection generates a uniquely encrypted payload. This customization significantly hinders signature-based detection, malware tracking, and version correlation across incidents.
Initial Compromise and Supply Chain Infiltration
Available evidence suggests that the campaign originated through the compromise of a Red Hat employee's GitHub account. Investigators believe the account served as the initial infection point, enabling attackers to inject malicious code into affected packages.
The compromised account reportedly pushed malicious orphan commits into two Red Hat Insights repositories, bypassing established code review procedures and introducing the malicious payload into the software supply chain.
Incident Response and Remediation Guidance
Organizations that installed affected package versions should immediately isolate impacted systems, remove malicious packages, rotate all potentially exposed credentials, investigate GitHub and npm activity for signs of unauthorized access, and review environments for persistence mechanisms. Particular attention should be given to unauthorized modifications involving:
~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, and .github/setup.js.
Strong access controls should also be enforced across development and cloud environments.
Because the malware establishes background execution capabilities and persistence within developer tools, simply uninstalling the affected npm packages or deleting the node_modules directory should not be considered sufficient remediation.
For CI/CD environments, affected workflow executions should be suspended immediately. Organizations should invalidate build artifacts created during the exposure period and thoroughly review whether releases, container images, npm packages, deployment artifacts, or other software components were generated after the malicious package was introduced into the environment.
