These commits were not trivial. Inside the RedHatInsights/javascript-clients repository, the attacker injected a malicious GitHub Actions workflow that requested OIDC identity tokens and executed an obfuscated payload. This payload published 32 trojanized package releases under the official @redhat-cloud-services npm scope, each one carrying the campaign marker “Miasma: The Spreading Blight”. Because the packages flowed through Red Hat’s legitimate CI/CD pipeline and used valid OIDC publishing workflows, they carried authentic SLSA provenance signatures—meaning standard security checks would flag them as verified.
The malicious packages averaged around 80,000 weekly downloads. The moment any developer ran npm install, the payload executed through the preinstall lifecycle hook. The payload harvested credentials from AWS, Azure, GCP, GitHub, HashiCorp Vault, Kubernetes configurations, SSH keys, and local developer environments. It then used those stolen secrets to inject malicious code into other projects the victim had access to, turning each compromised developer workstation and CI/CD pipeline into a new distribution node.
The worm’s most novel behavior wasn’t just credential theft—it was its exploitation of AI coding tools. Variants of Miasma planted malicious rule files targeting Claude Code, Cursor, Gemini CLI, and GitHub Copilot. These files are designed to execute automatically when a developer simply clones and opens the compromised repository in their IDE. In effect, the act of reading the code—without ever installing a package—could trigger the payload.
On June 5, 2026, the worm reached Microsoft. A malicious commit titled “Switched DataConverter to OrchestrationContext [skip ci]” landed in the Azure/durabletask repository, with its metadata manipulated to display the commit date as March 9, 2020, likely in an attempt to evade suspicion. That commit was the beachhead. From there, the worm spread to 73 repositories across four Microsoft GitHub organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. Affected projects included core infrastructure such as azure-functions-host and the entire Durable Task family across .NET, Go, Java, JavaScript, MSSQL, and Python.
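Commit dates are supplied by the client, so a backdated commit like the one described above stands out when its dates are compared with its parent's. The following is an added example, not code from the original page or from any vendor's tooling; the input format (`git log --format='%H %at %ct %P'`), the skew thresholds and the sample history are assumptions constructed for illustration.

```javascript
// Added example: flag commits whose dates run backwards against their parents.
// Input format (assumed): output of `git log --format='%H %at %ct %P'`.
const DAY = 86400;

function parseLog(text) {
  const commits = new Map();
  for (const line of text.split('\n')) {
    const [hash, at, ct, ...parents] = line.trim().split(/\s+/);
    if (!hash || !ct) continue; // skip blank or malformed lines
    commits.set(hash, { hash, authorTime: Number(at), commitTime: Number(ct), parents });
  }
  return commits;
}

// commitSkew tolerates clock drift; authorSkew tolerates long-lived branches
// that were rebased (a rebase keeps the old author date). Both are assumptions.
function findBackdated(text, { commitSkew = DAY, authorSkew = 365 * DAY } = {}) {
  const commits = parseLog(text);
  const flagged = [];
  for (const c of commits.values()) {
    const parentTimes = c.parents
      .map((p) => commits.get(p))
      .filter(Boolean)
      .map((p) => p.commitTime);
    if (parentTimes.length === 0) continue; // root commit or parent outside the range
    const newestParent = Math.max(...parentTimes);
    const reasons = [];
    if (c.commitTime < newestParent - commitSkew) reasons.push('committer date precedes parent');
    if (c.authorTime < newestParent - authorSkew) reasons.push('author date far older than parent');
    if (reasons.length > 0) {
      flagged.push({ hash: c.hash, reasons, gapDays: Math.round((newestParent - c.commitTime) / DAY) });
    }
  }
  return flagged;
}

// Constructed sample history, newest first; hashes shortened for readability.
const SAMPLE_LOG = [
  'd4 1779500000 1780800000 c3', // rebased work: old author date, fresh committer date
  'c3 1780700000 1780700000 b2',
  'b2 1583712000 1583712000 a1', // both dates set to 2020-03-09, parent is from 2026
  'a1 1780000000 1780000000 r0',
  'r0 1779000000 1779000000',
].join('\n');

console.log(findBackdated(SAMPLE_LOG));
```

The check only catches dates that contradict the commit graph; dates forged to sit plausibly after the parent pass it, so server-side push records remain the authoritative timeline.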
To understand Miasma, you have to understand TeamPCP’s decision to open-source their weapon.
TeamPCP (also tracked as Replicating Marauder, TGR-CRI-1135, and UNC6780) is a threat actor group that had spent 2025 and early 2026 perfecting a family of self-propagating supply chain worms. Their operations peaked on May 11, 2026, when they published 373 malicious package versions across 172 npm and PyPI packages, with a combined download count exceeding 518 million. That campaign alone demonstrated the worm’s ability to extract OIDC tokens from GitHub Actions runner memory, obtain valid signing certificates, and produce malicious packages with passing provenance attestations.
Then, on May 12, 2026, TeamPCP published the complete Mini Shai-Hulud source code to GitHub under an MIT license. Alongside it, the group announced a competition on BreachForums, offering $1,000 in Monero for the biggest supply chain attack conducted with their framework. The message was explicit: the toolkit was now public property.
Within five days, a single npm user account had pushed four malicious packages including a near-verbatim clone of the Shai-Hulud worm. OX Security analyzed the clone and found it was lifted “almost without any change at all,” differing only in the attacker’s own command-and-control endpoint and private key. The industrialization of supply chain attacks had begun—and defenders didn’t yet know it.
Seventeen days after the open-sourcing, Miasma hit Red Hat. The malware’s code is a structural variant of Mini Shai-Hulud, with the original Dune-themed references replaced by Greek mythology branding. But the tradecraft—preinstall script execution, obfuscated JavaScript payloads, credential harvesting, and CI/CD self-propagation—is substantially identical.
Crucially, researchers cannot conclusively attribute Miasma to TeamPCP itself. The Cloud Security Alliance explicitly notes that “copycat actors using the same publicly released codebase cannot be ruled out”. Palo Alto Networks’ Unit 42 reinforces this, stating that “attribution remains uncertain” because the public release of the source code means any competent actor can replicate the same attack. This ambiguity is not a footnote—it’s a deliberate feature of the open-sourcing strategy, designed to flood the ecosystem with noise and overwhelm attribution efforts.
The open-sourced framework didn’t just enable Miasma—it spawned a wave of immediate copycat activity.
On June 3, 2026, a new variant called Phantom Gyp emerged, reaching 57 additional npm packages including @vapi-ai/server-sdk and ai-sdk-ollama. This variant used a weaponized binding.gyp file to execute malicious code during package installation, bypassing the now-scrutinized postinstall execution path. Researchers at OpenSourceMalware confirmed the campaign was the first confirmed in-the-wild use of TeamPCP’s framework, though TeamPCP never claimed credit.
By June 8, the SANS Internet Storm Center reported that the wider attacker population was now actively wielding the open-sourced Mini Shai-Hulud framework, with multiple independent threat actors launching their own campaigns. The malware had spread beyond npm: researchers identified a Ruby variant that appeared to be LLM-translated—a crude but functional port that was not part of the original open-sourced code. The speed of adaptation, from npm to multiple ecosystems, underscored how thoroughly the attack surface had changed.
The response to Miasma was unusually swift and unusually public, reflecting both the scale of the compromise and the involvement of major platform owners.
GitHub’s response was immediate. The platform disabled more than 70 Microsoft-owned repositories within approximately 105 minutes of detection on June 5, 2026. The disabled repositories spanned Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations. Within days, all repositories were restored and declared clean, though some affected Microsoft CI/CD pipelines had been disrupted during the takedown.
Microsoft published a detailed technical analysis through its Threat Intelligence team on June 2, 2026, covering the full attack chain from the initial Red Hat compromise through the CI/CD exploitation. Microsoft also took the highly unusual step of removing 73 of its own repositories, telling BleepingComputer that the decision was made out of concern the repos were distributing “potential malicious content”. The disruption to Microsoft’s internal CI/CD workflows demonstrated that even the platform owner was not immune to the downstream consequences of a supply chain worm.
Red Hat published security advisory RHSB-2026-006 on June 1, 2026, confirming the compromise and stating that the breach was limited to internal development tools with no impact on Red Hat Enterprise Linux or OpenShift products. The company revoked all affected npm package versions and alerted downstream consumers.
The UK’s National Cyber Security Centre (NCSC) escalated the incident into a broader policy push. On June 4, 2026, the NCSC published a blog post explicitly urging organizations to review their open-source dependencies and reduce exposure to supply chain attacks. The timing was not coincidental—the post directly referenced the Miasma campaign as a catalyst. On June 9, 2026, the NCSC released an updated Cyber Essentials Supply Chain Playbook, calling on UK companies to make Cyber Essentials certification a standard requirement for suppliers.
The NCSC’s guidance focused on three categories: visibility (audit package updates, identify unexpected dependencies, and maintain a software bill of materials), assessment (evaluate supplier security practices), and action (secure the supply chain as a board-level priority). The UK government also formally engaged on the TeamPCP campaign, reflecting a shift where open-source dependency security is now treated as a matter of national cybersecurity policy rather than individual developer hygiene.
The Miasma attack is not the largest supply chain breach in history, nor the most sophisticated. But it may be the most instructive for understanding what comes next.
First, open-source attack frameworks have weaponized the ecosystem. TeamPCP’s decision to publish Mini Shai-Hulud under an MIT license is a deliberate strategy: arm an army of copycats, create attribution chaos, and force defenders to defend against an unknown number of independent actors using the same playbook. This is not theoretical—copycat activity was documented within five days of the release, and attribution of Miasma itself remains uncertain weeks later.
Second, the npm preinstall hook is a systemic vulnerability. The attack repeatedly exploits a feature that was designed for legitimate build scripts but lacks sufficient controls on lifecycle script execution. The emergence of binding.gyp as an additional execution vector in the Phantom Gyp variant demonstrates that attackers actively probe for new lifecycles to hijack. Registry-level restrictions on preinstall and other lifecycle scripts are now an urgent priority.
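The two install-time vectors named above can be inventoried before anything is installed. This is an added example, not code from the original page or from npm; it goes slightly beyond the text by also covering the install and postinstall hooks, and it assumes each package has already been read into an object holding its parsed package.json and a list of its files. All package names in the sample are hypothetical.

```javascript
// Added example: list every package in a tree that runs code at install time.
// Lifecycle scripts npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// pkg = { manifest: <parsed package.json>, files: [paths relative to package root] }
function installTimeVectors(pkg) {
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  const vectors = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
      vectors.push({ vector: hook, command: scripts[hook] });
    }
  }
  // npm defaults "install" to `node-gyp rebuild` when binding.gyp sits in the
  // package root and neither install nor preinstall is declared, so a manifest
  // with no install scripts at all can still execute code during installation.
  const hasGyp = (pkg.files || []).includes('binding.gyp');
  if (hasGyp && !scripts.install && !scripts.preinstall) {
    vectors.push({ vector: 'binding.gyp', command: 'node-gyp rebuild (implicit)' });
  }
  return vectors;
}

// approved: names of packages reviewed and permitted to run install scripts.
function auditTree(packages, approved = new Set()) {
  const report = [];
  for (const pkg of packages) {
    const vectors = installTimeVectors(pkg);
    const { name, version } = pkg.manifest;
    if (vectors.length > 0 && !approved.has(name)) report.push({ name, version, vectors });
  }
  return report;
}

// Constructed sample tree; all package names are hypothetical.
const SAMPLE_TREE = [
  { manifest: { name: '@example/ui-kit', version: '2.4.1', scripts: { preinstall: 'node setup.js' } },
    files: ['package.json', 'setup.js', 'index.js'] },
  { manifest: { name: 'example-sdk', version: '1.0.3', scripts: { test: 'jest' } },
    files: ['package.json', 'binding.gyp', 'index.js'] },
  { manifest: { name: 'example-native', version: '5.1.0', scripts: { install: 'node-gyp rebuild' } },
    files: ['package.json', 'binding.gyp', 'src/addon.cc'] },
  { manifest: { name: 'example-utils', version: '3.0.0' }, files: ['package.json', 'index.js'] },
];

console.log(JSON.stringify(auditTree(SAMPLE_TREE, new Set(['example-native'])), null, 2));
```

Every package this reports is one whose behaviour changes under `npm install --ignore-scripts`, so the output doubles as the review list before enabling that setting.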
Third, AI coding assistants have become an execution surface. Miasma is among the first documented supply chain attacks to specifically target Claude Code, Cursor, Copilot, and Gemini CLI as payload delivery mechanisms through malicious rule files. When a developer clones a repo and opens it, the AI tooling designed to help them write better code can instead execute malicious code. This vector will likely expand as AI-assisted development becomes the default workflow.
Fourth, CI/CD pipelines are now the highest-value targets. The worm’s ability to extract OIDC tokens from runner memory and produce packages with valid SLSA provenance attestations means that standard cryptographic verification—the gold standard for supply chain integrity—can be defeated. If provenance checks pass, defenders have no signal to flag the compromise. Securing CI/CD pipelines from credential exposure is no longer optional.
Finally, government intervention has reached open-source dependency management. The NCSC’s updated playbook is not advisory—it is a concrete request for UK companies to embed supply chain security into procurement. Organizations that treat dependency review as a one-time audit, rather than a continuous process, are operating with a pre-Miasma security posture.