Feed
CriticalPublished 1 Jun 202632 packages · 95 versions

Miasma: @redhat-cloud-services Mini Shai-Hulud worm compromises 32 npm packages in 72 seconds

Summary

On 2026-06-01 an attacker published malicious versions of 32 @redhat-cloud-services/* npm packages in a 72-second window. The "Miasma" payload — a reskinned Mini Shai-Hulud worm — drops a preinstall script that runs a Bun-loaded credential stealer, harvests AWS/GCP/Azure/Kubernetes/Vault/GitHub/npm tokens, and exfiltrates to attacker-controlled GitHub repos tagged Miasma: The Spreading Blight.

wormcredential-theftci-cd-compromisemaintainer-takeoverobfuscationaccount-takeover
Threat actor
TeamPCP
Detected by
Wiz · ReversingLabs · JFrog · StepSecurity · Snyk · Mend · Aikido · SafeDep
Also known as
Miasma · Miasma: The Spreading Blight · Mini Shai-Hulud
Ecosystems
npm
Packages tracked
32

What happened

On 2026-06-01, Wiz Research observed a single attacker publish 32 malicious versions across 32 @redhat-cloud-services/* npm packages inside a 72-second window. ReversingLabs and JFrog independently confirmed the burst. Each malicious version is sandwiched between two clean releases — e.g. @redhat-cloud-services/frontend-components-utilities has compromised 7.4.1, 7.4.2, 7.4.4 published alongside benign versions, making "pin to latest" a brittle remediation. In total 96 versions across 32 packages were poisoned, with the affected set cumulatively pulling ~117k downloads/week and ~9.8M downloads lifetime.

The attack vector was a compromised Red Hat employee GitHub account, used to push orphan commits directly to two RedHatInsights repositories and to trigger GitHub Actions OIDC publish to npm — bypassing code review entirely. The Red Hat npm scope token itself was not stolen; this was a CI/CD-trust compromise, the same class of bug as the 2026-05-11 TanStack burst but executed against a different organisation.

Payload — "Miasma: The Spreading Blight"

Each malicious tarball ships a preinstall hook that runs immediately on npm install. The hook decrypts and writes two artefacts: _b (a ~898-byte Bun-runtime bootstrapper) and _p (a ~620 KB credential stealer). The payload is a lightly-reskinned descendant of the Mini Shai-Hulud worm that TeamPCP open-sourced in late April 2026 — same Bun-runtime architecture and same stealer modules used in the SAP @cap-js (April), TanStack (2026-05-11), @antv (2026-05-19) and durabletask (2026-05-19) compromises, plus new GCP/Azure identity collectors that enumerate every cloud identity the infected host can assume.

The stealer encrypts each exfil envelope with a per-session AES-256-GCM key, RSA-OAEP-wraps the key with the attacker public key, and POSTs to https://api.anthropic.com:443/v1/api (a decoy hostname encoded in the payload) as its primary channel. The GitHub-API fallback channel commits the same envelope as a file to attacker-owned public repos and labels each victim repo with the description Miasma: The Spreading Blight — IOC table samples include the AES-128-GCM keys fe0d71d57ecf4fa0a433185bf59a03f5 and f5e5dca9b725ec18514c4b322ed35d2b. One commit message variant taunts the victim: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:<token>.

Worm behaviour

After exfiltration the stealer enumerates the npm scopes the stolen publish tokens can write to, re-uses the same preinstall structure to publish further malicious versions, and registers a new attacker GitHub repo for each victim — the worm therefore self-spreads via the same trust path that TeamPCP used in the TanStack burst. StepSecurity, Snyk, Mend, ReversingLabs and JFrog all flagged the campaign within hours; npm pulled most malicious versions the same day, but cached copies in CI images, Artifactory mirrors and lockfiles remain in scope for audit.

Affected packages (32)

  • npm@redhat-cloud-services/chrome
    2.3.12.3.22.3.4
  • npm@redhat-cloud-services/compliance-client
    4.0.34.0.44.0.6
  • npm@redhat-cloud-services/config-manager-client
    5.0.45.0.55.0.7
  • npm@redhat-cloud-services/entitlements-client
    4.0.114.0.124.0.14
  • npm@redhat-cloud-services/eslint-config-redhat-cloud-services
    3.2.13.2.23.2.4
  • npm@redhat-cloud-services/frontend-components
    7.7.27.7.37.7.5
  • npm@redhat-cloud-services/frontend-components-advisor-components
    3.8.23.8.43.8.6
  • npm@redhat-cloud-services/frontend-components-config
    6.11.36.11.46.11.6
  • npm@redhat-cloud-services/frontend-components-config-utilities
    4.11.24.11.34.11.5
  • npm@redhat-cloud-services/frontend-components-notifications
    6.9.26.9.36.9.5
  • npm@redhat-cloud-services/frontend-components-remediations
    4.9.24.9.34.9.5
  • npm@redhat-cloud-services/frontend-components-testing
    1.2.11.2.21.2.4
  • npm@redhat-cloud-services/frontend-components-translations
    4.4.14.4.24.4.4
  • npm@redhat-cloud-services/frontend-components-utilities
    7.4.17.4.27.4.4
  • npm@redhat-cloud-services/hcc-feo-mcp
    0.3.10.3.20.3.4
  • npm@redhat-cloud-services/hcc-kessel-mcp
    0.3.10.3.20.3.4
  • npm@redhat-cloud-services/hcc-pf-mcp
    0.6.10.6.20.6.4
  • npm@redhat-cloud-services/host-inventory-client
    5.0.35.0.45.0.6
  • npm@redhat-cloud-services/insights-client
    4.0.44.0.54.0.7
  • npm@redhat-cloud-services/integrations-client
    6.0.46.0.56.0.7
  • npm@redhat-cloud-services/javascript-clients-shared
    2.0.82.0.92.0.11
  • npm@redhat-cloud-services/notifications-client
    6.1.46.1.56.1.7
  • npm@redhat-cloud-services/patch-client
    4.0.44.0.54.0.7
  • npm@redhat-cloud-services/quickstarts-client
    4.0.114.0.124.0.14
  • npm@redhat-cloud-services/rbac-client
    9.0.39.0.49.0.6
  • npm@redhat-cloud-services/remediations-client
    4.0.44.0.54.0.7
  • npm@redhat-cloud-services/rule-components
    4.7.24.7.34.7.5
  • npm@redhat-cloud-services/sources-client
    3.0.103.0.113.0.13
  • npm@redhat-cloud-services/topological-inventory-client
    3.0.103.0.113.0.13
  • npm@redhat-cloud-services/tsc-transform-imports
    1.2.21.2.41.2.6
  • npm@redhat-cloud-services/types
    3.6.13.6.23.6.4
  • npm@redhat-cloud-services/vulnerabilities-client
    2.1.92.1.11

Impact

  • Preinstall lifecycle hook runs a 4.2 MB obfuscated payload before any application code on every npm install of an affected version
  • Cloud credential theft: AWS (IMDS/ECS task role/Secrets Manager), Azure managed identity, GCP metadata service, Kubernetes service-account tokens
  • CI/CD secret theft: GitHub Actions OIDC token, GITHUB_TOKEN, npm publish tokens, CircleCI tokens, HashiCorp Vault tokens
  • Worm propagation: stolen npm tokens are used to publish further compromised versions to other scopes the victim can write to
  • Persistence: malware creates a public GitHub repo on each victim describing itself as "Miasma: The Spreading Blight" — used both as a beacon and as a fallback exfiltration channel
  • Anti-EDR: payload probes for CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before activating, and is per-package AES-128-GCM encrypted to defeat hash-based IOC matching
  • @redhat-cloud-services frontend-components & API clients ship in the Red Hat Hybrid Cloud Console UI — any internal Red Hat tooling or customer portal that rebuilt on 2026-06-01 pulled a malicious version

What to do

  1. 1Audit every package.json / lockfile / CI image cache for any @redhat-cloud-services/* version listed in the packages map below — the malicious versions were sandwiched between two clean releases per package, so simply "upgrading to latest" is sufficient only if you skip the 3 affected versions
  2. 2Run npm ci --ignore-scripts (or pnpm/yarn equivalents) for any CI build that does not need lifecycle scripts, and review any new preinstall hook in PRs
  3. 3Rotate every secret reachable from any host or runner that installed an affected version on or after 2026-06-01: AWS keys + ECS task role + Secrets Manager entries, GCP service-account keys, Azure managed-identity tokens, Kubernetes service-account tokens, HashiCorp Vault tokens, GitHub PATs + Actions OIDC trust, npm publish tokens
  4. 4Hunt outbound HTTPS POST to api.anthropic.com/v1/api (decoy domain encoded into the payload) and GitHub API writes from build hosts to repos with description Miasma: The Spreading Blight
  5. 5Search GitHub Audit Log for new public repos created from compromised PATs with that description
  6. 6Search npm token usage history for unexpected publishes between 2026-06-01 and the date the relevant token was rotated
  7. 7Block the malicious version ranges in your private mirror / Artifactory / Nexus so cached copies cannot be served

References

npm-2026-06-01-miasma-redhat-cloud-services