Miasma: A Worming npm Supply Chain Attack on Red Hat Cloud Services
Executive Summary
On June 1, 2026, unauthorized commits were pushed to repositories in the RedHatInsights GitHub organization and used to publish malicious versions of 32 packages under the @redhat-cloud-services npm scope.
The campaign, tracked as Miasma, executes a 4.2 MB obfuscated payload through an npm preinstall hook the moment any of these packages is installed, directly or transitively. Once running, it sweeps GitHub tokens, cloud credentials, and CI/CD secrets, then uses the stolen npm OIDC tokens to republish itself across other packages the victim maintains.
Roughly 80,000 to 117,000 weekly downloads sit inside the affected scope, and any environment that ran npm install against the compromised versions should treat all reachable secrets as exposed.
What Is the Miasma Campaign?
Miasma is a self-propagating credential-harvesting worm built on the public Mini Shai-Hulud code base that was open-sourced on May 12, 2026. The activity is attributed in vendor reporting to the TeamPCP cluster. Repositories created by the malware in victim GitHub accounts carry the description “Miasma: The Spreading Blight”, which is the cleanest fingerprint for the family.
Which Packages Are Affected?
The compromise covers 32 packages across the @redhat-cloud-services namespace, with 96 malicious versions published in two waves on June 1, 2026 at approximately 10:53 UTC and 13:44 to 13:46 UTC. Representative affected releases include:
- @redhat-cloud-services/chrome versions 2.3.1, 2.3.2, 2.3.4
- @redhat-cloud-services/frontend-components versions 7.7.2, 7.7.3, 7.7.5
- @redhat-cloud-services/types versions 3.6.1, 3.6.2, 3.6.4
- @redhat-cloud-services/rule-components versions 4.7.2, 4.7.3
- @redhat-cloud-services/rbac-client versions 9.0.3, 9.0.4, 9.0.6
Red Hat’s RHSB-2026-006 confirms no Hybrid Cloud Console release shipped during the compromise window, and ARO, OpenShift Dedicated, ROSA, ACS Cloud Service, and AAP on Cloud are unaffected. The exposed population is anyone who installed these libraries from npm, directly or as a transitive dependency, while the malicious versions were live.
npm has since removed the malicious versions and applied namespace protections, but removal does not undo anything that already happened: any install that resolved to a compromised version on June 1, 2026 already executed the payload.
How the Attack Works
The campaign begins outside npm. A Red Hat employee’s GitHub account was used to push orphan commits directly into several RedHatInsights repositories, bypassing branch protections and review. The repositories’ GitHub Actions workflows triggered on push, requested an OIDC token under id-token: write, and exchanged that token for npm publish rights through the normal trusted-publishing flow. Because that flow ran exactly as configured, Sigstore signed the resulting attestations and the malicious releases shipped with valid SLSA provenance; provenance verification alone would not have distinguished them from a legitimate release.
Each compromised release ships a package.json whose scripts block contains "preinstall": "node index.js". Because a preinstall hook runs automatically during npm install, the payload executes before anyone has a chance to inspect the package contents. index.js unpacks the implant through four layers of obfuscation, and the implant then re-execs itself (the node-to-bun process chain listed under the indicators below) to reach the final payload.
Inside the victim environment, the implant performs a broad credential sweep. It validates GitHub tokens through the API, enumerates accessible repositories and organization secrets, and on GitHub Actions runners locates the Runner.Worker process and scans /proc/<pid>/mem to recover masked workflow secrets. It pulls AWS keys from IMDS and ECS, Azure tokens from the IMDS OAuth2 endpoint, GCP service-account tokens from the metadata service, probes HashiCorp Vault at 127.0.0.1:8200, and reads Kubernetes service-account tokens. Local SSH keys, Docker credentials, .env files, GPG keys, and browser data are collected as well.
Propagation closes the loop. With harvested npm tokens, the malware calls the publish API with the bypass_2fa parameter to push backdoored versions of other packages owned by the victim, creates a public repository in the victim’s GitHub account titled Miasma: The Spreading Blight, and injects its source as .github/setup.js into unprotected branches of victim repositories so that the next CI run reignites the chain.
The implant also plants a decoy honeytoken named IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner. Revoking or otherwise triggering that token invokes a wiper routine that runs rm -rf against ~/ and ~/Documents, which is why the order of the remediation steps below matters.
Indicators of Compromise
- A 4.2 MB index.js at the root of any @redhat-cloud-services package
- A preinstall script invoking node index.js from a library that did not previously run lifecycle hooks
- A node to bun process chain originating from an npm install on a build agent or developer workstation
- Outbound HTTPS to api.github.com carrying User-Agent: python-requests/2.31.0 or google-api-nodejs-client/7.0.0 gl-node/20.11.0 gccl/7.0.0
- New public repositories in user or organization accounts with the description Miasma: The Spreading Blight
- New files at .github/setup.js committed to non-default branches
- Injected SessionStart hooks in ~/.claude/settings.json or folderOpen triggers in .vscode/tasks.json
- Reads against /proc/<pid>/mem of Runner.Worker
Mitigation and Remediation
- Identify and remove any installed version of an @redhat-cloud-services package published on June 1, 2026. Pin lockfiles to a known-good prior version, clear npm caches, and rebuild from clean state.
- Treat every credential reachable from any host that ran npm install against an affected version since June 1, 2026 as compromised. Rotate npm publish tokens, GitHub PATs and fine-grained tokens, GitHub Actions org and repository secrets, AWS access keys and session tokens, GCP service-account keys, Azure service-principal credentials, HashiCorp Vault tokens, Kubernetes service-account tokens, SSH private keys, Docker registry credentials, and GPG keys.
- Before revoking any token, remove the implant’s persistence hooks from ~/.claude/settings.json and .vscode/tasks.json and kill any resident bun processes. Revoking tokens while the implant is still running can activate the rm -rf failsafe described above.
How Upwind Helps
Upwind catches supply chain attacks at runtime, the moment malicious package code actually runs. It surfaces preinstall abuse, unexpected execution, credential theft, malicious traffic,
By correlating process activity, network behavior, identity, and cloud access with package execution, Upwind shows teams whether a package merely sat on disk or actually ran, which credentials were exposed, and where containment should begin.