The attacker's most devious move was leveraging the legitimate access to bypass one of the supply chain's strongest modern security guarantees. They used the compromised account to inject malicious GitHub Actions workflows directly into the source repositories.
A key feature of these workflows was their use of OpenID Connect (OIDC) for trusted publishing. Normally, OIDC allows GitHub Actions to authenticate to npm to publish packages without long-lived tokens. Because the malicious workflows ran on Red Hat's official infrastructure using the compromised account, they were able to generate valid SLSA provenance attestations. This effectively applied a verifiable, formal stamp of legitimacy to the tampered packages, tricking developers into trusting backdoored releases.
The malicious code was embedded within a preinstall script specified in the package.json file. This meant the payload executed automatically the moment a developer ran npm install.
The payload was identified as a custom variant of the publicly available Mini Shai-Hulud worm, associated with the threat actor TeamPCP. Once running, the approximately 4.2 MB obfuscated JavaScript payload acted as a comprehensive infostealer, targeting a wide range of sensitive material, including .env files.
Beyond pure theft, the worm possessed a self-propagating mechanism. If it detected that the compromised system had a Git repository configured with an origin remote, it would clone the repository, inject its malicious code, and push the changes back. This allowed the malware to spread to downstream projects and further into connected CI/CD pipelines. As a final signature, the worm modified the description of compromised repositories to read "Miasma: The Spreading Blight".
Red Hat quickly acknowledged the incident and published security bulletin RHSB-2026-006. The company emphasized that the attack's blast radius was contained. The compromised packages were strictly limited to internal frontend components and API client tooling used for the Red Hat Hybrid Cloud Console.
Critically, Red Hat stated that the backdoored code was not shipped in any customer-facing software or production Red Hat products. The company immediately removed all affected packages from the npm registry upon detection.
Security firms including Aikido, OX Security, Orca Security, and Wiz have issued urgent guidance for any organization that may have installed packages from the @redhat-cloud-services namespace on or around June 1, 2026.
Assume any credential that existed in an affected environment is compromised. This includes all cloud provider API keys, CI/CD runner tokens, SSH keys, Vault tokens, and npm publish tokens. Rotation is the only safe path forward.
Search your organization's GitHub repositories. Any repository with the description string "Miasma: The Spreading Blight" has been actively compromised by the worm's self-propagation engine and contains malicious code.
Manually audit your GitHub Actions workflows. Look for unexpected pull requests, unauthorized modifications to existing workflow files, or the addition of unknown secrets. Any injection at this level represents a critical persistence mechanism.
Cross-reference your node_modules and lockfiles against the complete list of 96 compromised package versions published by Aikido and Red Hat. If a match is found, consider that machine and its associated credentials fully compromised and isolate it immediately.
The Miasma payload is directly derived from the Mini Shai-Hulud worm, a credential-harvesting tool that was recently open-sourced by the threat actor TeamPCP. The attackers extended the base worm with new collectors specifically targeting GCP and Azure cloud credentials, demonstrating an active and ongoing evolution of the threat. The campaign underscores a dangerous trend where open-sourced attack tools are quickly weaponized and refined for high-value supply chain targets.