
A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma, compromised the @redhat-cloud-services package to steal credentials and sensitive information from developer machines and distribute a self-propagating worm.
“This is effectively a Mini Shai-Hulud campaign, using the same core tactics of execution at install, credential collection, CI/CD targeting, encrypted exfiltration, and potential downstream propagation,” Socket said.
It is currently unclear exactly who is behind the campaign, given that notorious cybercrime group TeamPCP has open-sourced attack tools related to the Shai-Hulud worm, which opens up opportunities for other threat actors to carry out similar attacks and makes it difficult to identify a clear attacker.
Some of the affected packages are listed below.
- @redhat-cloud-services/vulnerabilities-client
- @redhat-cloud-services/tsc-transform-imports
- @redhat-cloud-services/topological-inventory-client
- @redhat-cloud-services/sources-client
- @redhat-cloud-services/rule-components
- @redhat-cloud-services/remediations-client
- @redhat-cloud-services/rbac-client
According to analysis by Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity, and Wiz, the npm packages contain obfuscated preinstall hooks designed to collect GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault materials, SSH keys, Git credentials, and other sensitive files.
As observed in previous waves of Mini Shai-Hulud, the malware also contains encrypted exfiltration logic that sends data to api.anthropic[.]com:443/v1/api and uses GitHub as a fallback mechanism. This represents an attempt by the attacker to steal credentials and weaponize them to further contaminate the software supply chain.
“We commit the encrypted result envelope via the GitHub API,” Socket said. “The commit message can include IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:.”

Another notable step taken by this malware is to avoid running on Russian systems. This is a pattern also observed in the GlassWorm supply chain campaign.
“For npm, the payload calls the OIDC token exchange and whoami endpoint, repackages the tarball (updateTarball, package-updated.tgz), and signs the artifact through Sigstore,” SafeDep said. “Stolen credentials were leaked to public GitHub repositories created by the attackers, each with the description Miasma: The Spreading Blight.”
The first commit containing the string “Miasma: The Spreading Blight” appeared on May 29, 2026, indicating that the variant has been active or that threat actors have begun testing it since then, OX Security noted.

Regarding GitHub, the malware enumerates the repositories that the token can write to, reads action.yml/action.yaml via GraphQL, and commits the workflow through the createCommitOnBranch mutation so that the commit appears as a verified signed change. Other actions performed by the malware are listed below.
- Bind-mount the host's /etc/sudoers.d and attempt privilege escalation by starting a container that grants passwordless sudo to the CI runner.
- Check for endpoint protection (CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner) before initiating malicious actions.
- Inject a SessionStart hook into Anthropic Claude Code, and establish persistence by injecting a tasks.json with "runOn": "folderOpen" into Microsoft Visual Studio Code projects so that the malware launches automatically every session.
“One of the main changes in this new variant is the addition of a new data collector focused on cloud identities,” Wiz researchers said. “Specifically, we added a GCP and Azure ID collector that collects all identities that an infected machine has access to. While previous versions of the malware were primarily focused on extracting secrets from these environments, this variant suggests that the attackers are focused on gaining and leveraging access to the cloud itself.”
Unlike previous versions, this malware has also been found to generate a uniquely encrypted payload for each infection, making detection and version tracking much more difficult.
Evidence suggests that the Red Hat employee’s GitHub account was compromised by Patient Zero, which was used to inject payloads into these packages. The compromised account allegedly pushed malicious orphan commits to two RedHatInsights repositories, bypassing code reviews.
We recommend that you isolate hosts that have installed the affected version, remove malicious versions, rotate exposed credentials, check for signs of suspicious GitHub or npm activity, and audit your environment for persistence artifacts with changes to configuration files (~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, .github/setup.js). Apply strong access controls.
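As an added defensive example (not code from the article or from any of the vendors it cites), the following Python script audits a home or project root for the persistence artifacts named above. It assumes the malware writes the documented Claude Code `hooks` layout in settings.json and the documented VS Code `runOptions.runOn` field in tasks.json; the other two paths are only checked for presence.

```python
import json
from pathlib import Path

# Artifact paths named in the advisory, relative to the scanned home or project root.
CLAUDE_SETTINGS = ".claude/settings.json"
VSCODE_TASKS = ".vscode/tasks.json"
SUSPECT_FILES = (".github/workflows/codeql.yml", ".github/setup.js")


def _load_json(path: Path):
    """Parse a JSON file, returning None if it is absent or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def check_claude_hooks(settings) -> list[str]:
    """Return commands registered under Claude Code's SessionStart hook
    (assumed layout: settings["hooks"]["SessionStart"] -> [{"hooks": [{"command": ...}]}])."""
    found: list[str] = []
    hooks = settings.get("hooks") if isinstance(settings, dict) else None
    if not isinstance(hooks, dict):
        return found
    for entry in hooks.get("SessionStart") or []:
        for hook in entry.get("hooks", []) if isinstance(entry, dict) else []:
            if isinstance(hook, dict):
                found.append(str(hook.get("command", "")))
    return found


def check_vscode_tasks(tasks) -> list[str]:
    """Return VS Code tasks whose runOptions.runOn is "folderOpen" (auto-run on open)."""
    found: list[str] = []
    for task in tasks.get("tasks", []) if isinstance(tasks, dict) else []:
        run = task.get("runOptions", {}) if isinstance(task, dict) else {}
        if isinstance(run, dict) and run.get("runOn") == "folderOpen":
            found.append(f"{task.get('label', '?')}: {task.get('command', '')}")
    return found


def scan_persistence(root: str) -> dict[str, list[str]]:
    """Map each artifact path found under root to its suspicious entries."""
    base = Path(root)
    findings: dict[str, list[str]] = {}
    if hooks := check_claude_hooks(_load_json(base / CLAUDE_SETTINGS)):
        findings[CLAUDE_SETTINGS] = hooks
    if auto := check_vscode_tasks(_load_json(base / VSCODE_TASKS)):
        findings[VSCODE_TASKS] = auto
    for rel in SUSPECT_FILES:
        if (base / rel).exists():
            findings[rel] = ["file present; review its contents and git history"]
    return findings
```

Run `scan_persistence` against each developer home directory and each checked-out repository; any non-empty result warrants manual review, since legitimate SessionStart hooks and folderOpen tasks do exist.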
“Uninstalling npm packages or removing node_modules should not be considered sufficient cleanup as this malware includes background execution and potential developer tools persistence mechanisms,” Socket explained.
“For CI/CD systems, pause execution of affected workflows, disable build artifacts generated during the exposure period, and check to see if any releases, container images, npm packages, or deployment artifacts were created after the malicious package was installed.”
