Miasma RedHat npm Supply Chain Attack
Summary
Miasma is a self-propagating credential-stealing worm that compromised 32 official npm packages under the @redhat-cloud-services namespace on June 1, 2026, packages with a combined estimated 80,000 to 117,000 weekly downloads. The attack was facilitated by a compromised Red Hat employee GitHub account and used GitHub Actions OIDC trusted publishing to inject a 4.2 MB obfuscated preinstall payload derived from the publicly released Mini Shai-Hulud malware framework attributed to the threat actor group TeamPCP. While not a cryptocurrency-specific attack, the worm harvests cloud credentials, CI/CD secrets, and developer tokens — including Anthropic API keys — from any environment running the affected packages, and it is highly relevant to crypto developers who use these packages in their build pipelines.
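Because the Miasma payload executed as an npm preinstall script, the practical check a defender wants is an inventory of every dependency that declares an install-time lifecycle hook (preinstall, install, postinstall), so those packages can be reviewed before any install runs them. The script below is an added example written for this page; it is not code from the investigation, from Red Hat, or from any of the cited researchers. The package names, versions and scripts it scans are constructed for the demo and do not correspond to real packages.

```python
"""Added example: audit a node_modules tree for install-time lifecycle scripts.

Every package name, version and script command in SAMPLE_PACKAGES is
constructed for this example; none is a real package.
"""
import json
import os
import tempfile

# npm runs these hooks during `npm install`; a malicious preinstall (as in
# Miasma) executes before the package's own code is ever imported.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample: a scoped package with a preinstall hook, a scoped
# package with only a build script, and an unscoped package with a postinstall.
SAMPLE_PACKAGES = {
    "@example-scope/widget": {
        "name": "@example-scope/widget",
        "version": "3.4.1",
        "scripts": {"preinstall": "node setup.js"},
    },
    "@example-scope/utils": {
        "name": "@example-scope/utils",
        "version": "1.0.0",
        "scripts": {"build": "tsc"},
    },
    "left-thing": {
        "name": "left-thing",
        "version": "0.2.0",
        "scripts": {"postinstall": "node -e \"console.log('thanks')\""},
    },
}


def find_install_hooks(packages):
    """Return (name, version, hook, command) for each install-time hook.

    `packages` maps package name -> parsed package.json dict."""
    findings = []
    for name, manifest in sorted(packages.items()):
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append((name, manifest.get("version", "?"), hook, scripts[hook]))
    return findings


def _add_manifest(packages, pkg_dir):
    """Parse pkg_dir/package.json (if present) into the packages mapping."""
    manifest_path = os.path.join(pkg_dir, "package.json")
    if os.path.isfile(manifest_path):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        packages[manifest.get("name", os.path.basename(pkg_dir))] = manifest


def load_node_modules(root):
    """Walk a node_modules directory, descending into @scope directories,
    and return the name -> package.json mapping find_install_hooks expects."""
    packages = {}
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if entry.startswith("@") and os.path.isdir(path):
            for sub in sorted(os.listdir(path)):
                _add_manifest(packages, os.path.join(path, sub))
        else:
            _add_manifest(packages, path)
    return packages


def write_sample_tree(root):
    """Materialise SAMPLE_PACKAGES as a node_modules-style tree under root."""
    for name, manifest in SAMPLE_PACKAGES.items():
        pkg_dir = os.path.join(root, *name.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)


def demo_findings():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        return find_install_hooks(load_node_modules(tmp))


if __name__ == "__main__":
    for name, version, hook, cmd in demo_findings():
        print(f"{name}@{version}: {hook} -> {cmd}")
```

Point `load_node_modules` at a real `node_modules` directory to get the same listing for a project; in a CI pipeline the complementary coarse control is to install with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) so that no dependency's lifecycle hook runs until it has been reviewed.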
Timeline (13 events)

2026-04-13
Red Hat employee GitHub credentials appear in infostealer logs, approximately 7 weeks before weaponization.
Sources: Cloud Security Alliance Research Note; Wiz Blog

2026-04-22
Bitwarden CLI compromised via a poisoned GitHub Actions workflow in the Mini Shai-Hulud campaign; the payload targets crypto wallet data.
Sources: Aikido Security; The Hacker News

2026-04-29
Four SAP npm packages compromised via a leaked npm token in the Mini Shai-Hulud campaign.
Source: Aikido Security

2026-04-30
PyTorch Lightning package compromised on PyPI as part of the same campaign.
Source: Aikido Security

2026-05-12
TeamPCP open-sources the full Mini Shai-Hulud worm source code on GitHub under the MIT License and simultaneously announces a $1,000 BreachForums contest for the largest supply chain attack using the code. Concurrently, the campaign expands to 160+ packages.
Sources: ReversingLabs; Tenable; Security Boulevard

2026-05-19
Microsoft's DurableTask npm package compromised in the Mini Shai-Hulud campaign.
Source: Aikido Security

2026-05-20
Nine malicious Polymarket-branded npm packages published targeting crypto wallet keys.
Source: SafeDep

2026-05-24
Socket reports the TrapDoor campaign: 34+ malicious packages across npm, PyPI, and Crates.io targeting crypto and DeFi developers.
Source: CyberLeveling

2026-05-29
First commit containing the 'Miasma: The Spreading Blight' string appears in RedHatInsights repositories.
Source: The Hacker News

2026-06-01
Miasma attack executes in two waves (10:53 UTC and 13:44–13:46 UTC). Malicious commits pushed to the RedHatInsights GitHub organization; 96 backdoored versions of 32 @redhat-cloud-services npm packages published with valid SLSA provenance attestations.
Sources: Wiz Blog; Orca Security; The Register

2026-06-01
Wiz Research publicly discloses the Miasma campaign. Red Hat removes affected packages from the npm registry and issues a statement that malicious code did not reach customer production systems.
Sources: The Register; BleepingComputer

2026-06-03
Cloud Security Alliance publishes a research note on Miasma with extended technical analysis.
Source: Cloud Security Alliance

Decision Log
- hash: 67ENERwMvWejE12hHanefbp6qe6cCFenewhZEToqvTA9
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/15/2026, 5:42:54 PM
last updated: 6/15/2026, 5:43:05 PM
avoid.net — verified advice for a post-truth world