Miasma npm Supply Chain Attack (Red Hat)
Summary
On June 1, 2026, a supply chain attack designated 'Miasma' compromised at least 32 npm package releases under the @redhat-cloud-services namespace, collectively receiving approximately 80,000–116,991 weekly downloads. A single Red Hat employee's GitHub account was exploited after credentials appeared in infostealer logs as early as April 13, 2026 — a gap of roughly seven weeks before weaponization. The payload, derived from the TeamPCP 'Mini Shai-Hulud' malware family, is a self-propagating worm that harvests developer and cloud credentials, injects persistent GitHub Actions workflows, and targets 166 cryptocurrency browser extensions.
Timeline (13 events)
2025-09-01
Original Shai-Hulud worm emerged as the first self-replicating malware targeting the npm ecosystem, attributed to TeamPCP.
Tenable Mini Shai-Hulud FAQ

2026-04-13
A Red Hat employee's GitHub credential and active session cookie first appeared in infostealer logs, as later identified by Whiteintel.
Whiteintel — Red Hat Miasma Attack: A Linked GitHub Credential Surfaced in Stealer Logs

2026-04-22
Bitwarden CLI compromised via a poisoned GitHub Actions workflow — an early incident in the broader Shai-Hulud campaign wave.
aikido.dev — Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm

2026-05-12
TeamPCP published the full Mini Shai-Hulud source code on GitHub ('Shai-Hulud: Open Sourcing The Carnage') and announced a BreachForums contest incentivizing independent supply chain attacks using the code.
SecurityWeek — TeamPCP Ups the Game, Releases Shai-Hulud Worm's Source Code

2026-05-15
The same Red Hat employee GitHub credential appeared a second time in infostealer logs from a distinct source channel.
Whiteintel — Red Hat Miasma Attack: A Linked GitHub Credential Surfaced in Stealer Logs

2026-05-29
Earliest malicious commit containing the string 'Miasma: The Spreading Blight' detected in the affected RedHatInsights repositories.
The Hacker News — Miasma Supply Chain Attack Compromises Red Hat npm Packages

2026-06-01
First wave of malicious @redhat-cloud-services packages published between approximately 10:53–10:53 UTC across three repositories.
Wiz — Miasma: Supply Chain Attack Targeting RedHat npm Packages

2026-06-01
Public disclosure by Wiz Research at approximately 13:00 UTC; most malicious versions revoked from npm.
Snyk — Miasma Supply Chain Attack: Malicious Code in Red Hat Cloud Services npm Packages

2026-06-01
Second malicious wave published between approximately 13:44–13:46 UTC; root cause identified.
Snyk — Miasma Supply Chain Attack: Malicious Code in Red Hat Cloud Services npm Packages

2026-06-01
Red Hat published Security Bulletin RHSB-2026-006; stated no customer action required and no Red Hat products were shipped with compromised versions.
Red Hat Security Bulletin RHSB-2026-006

2026-06-01
The Register reported Socket had identified 95 affected package versions as of 11:00 UTC; combined weekly download count cited as approximately 80,000.
The Register — Shai-Hulud malware worms Red Hat npm packages

2026-06-02
Additional compromised package versions discovered; Microsoft Defender Security Research Team published incident analysis.
Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign — Microsoft Security Blog

2026-06-03
Red Hat Security Bulletin RHSB-2026-006 updated with preliminary findings; investigation described as ongoing.
Red Hat Security Bulletin RHSB-2026-006

Decision Log
- hash: 9suigWLyJ8DUyQeeZoFKiesmiNW2CdoLFp8xL9LzWptt
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/24/2026, 12:16:06 PM
last updated: 6/24/2026, 12:16:15 PM
avoid.net — verified advice for a post-truth world