On June 1, 2026, a significant supply chain attack targeted over 30 official packages within the `@redhat-cloud-services` npm scope. This campaign, named Miasma: The Spreading Blight, represents a new variant of the Mini Shai-Hulud malware family, previously associated with the threat actor group TeamPCP.
Unlike typical typosquatting attacks, where malicious packages mimic legitimate ones with similar names, this incident involved the direct hijacking of a trusted npm namespace. Attackers published compromised versions of widely-used frontend components, API clients, and developer tools. Security firms Aikido and JFrog identified that these malicious packages were disseminated through GitHub Actions OpenID Connect (OIDC) tokens, indicating a breach within the continuous integration and deployment (CI/CD) pipeline rather than individual developer accounts.
Each infected package contained a `preinstall` script in its `package.json` file:
“`json
scripts: {
preinstall: node index.js
}
“`
This script executed a 4.2 MB obfuscated payload during every `npm install` operation, activating before any application code ran. The payload employed a multi-stage decryption process—including numeric character arrays, ROT-style transformations, and AES-128-GCM encryption—to evade static detection. It then deployed a transient Bun-based payload to the `/tmp` directory for execution.
Once active, the malware aggressively collected a wide range of credentials:
– GitHub Tokens: Including classic, fine-grained, and GitHub Actions OIDC tokens.
– Cloud Credentials: AWS access keys, Google Cloud Platform (GCP) service account files, and Azure service principal and managed identity tokens.
– Infrastructure Secrets: Kubernetes service account tokens, kubeconfig files, and HashiCorp Vault tokens.
– Developer Tooling: npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, and `.env` files across the filesystem.
In cloud environments, the malware extended its reach by querying AWS Secrets Manager, AWS Systems Manager (SSM) Parameter Store, Azure Key Vault, and GCP Secret Manager, provided it had the necessary permissions. Notably, GitHub Actions runners were prime targets; the payload accessed secrets directly from runtime process memory, effectively bypassing workflow log masking mechanisms.
To evade detection, the malware disguised its exfiltration traffic by directing it to `api.anthropic.com/v1/api`—a domain resembling legitimate services. The `/v1/api` path is not a valid route for Anthropic services, suggesting the attackers selected it solely for camouflage. Organizations utilizing Anthropic services should scrutinize network logs for node or Bun processes communicating with this host from CI runners or developer machines.
The malware also employed a GitHub dead-drop technique, creating public repositories under victim accounts with the description Miasma: The Spreading Blight and committing stolen credentials as JSON files.
To maintain persistence, the malware installed monitoring services:
– Linux: `kitty-monitor.service`
– macOS: `com.user.kitty-monitor.plist`
These services polled for remote instructions. Additionally, the malware injected hooks into AI developer tools—including Claude, Codex, Gemini, Copilot, Kiro, and opencode—and added Visual Studio Code folder-open tasks that re-executed the payload.
A particularly destructive component, the `gh-token-monitor`, monitored stolen GitHub tokens. If a token was revoked before the malware’s persistence mechanisms were removed, it could execute commands to wipe the user’s home directory.
Mitigation Steps:
1. Immediate Isolation: Disconnect affected systems from networks to prevent further data exfiltration.
2. Credential Rotation: Revoke and regenerate all potentially compromised credentials, including GitHub tokens, cloud service keys, and infrastructure secrets.
3. Package Audit: Review all projects for dependencies on the compromised `@redhat-cloud-services` packages. Replace them with secure versions or alternatives.
4. CI/CD Pipeline Review: Examine CI/CD configurations for unauthorized changes, especially concerning GitHub Actions and OIDC token usage.
5. Network Traffic Analysis: Monitor for unusual outbound connections, particularly to `api.anthropic.com/v1/api`, and block suspicious domains.
6. Persistence Mechanism Removal: Identify and eliminate unauthorized services and scripts, such as `kitty-monitor.service` and `gh-token-monitor`.
7. System Restoration: Rebuild compromised systems from trusted backups to ensure complete removal of malware.
This incident underscores the critical importance of securing software supply chains. Organizations must implement stringent access controls, conduct regular audits of third-party packages, and maintain vigilant monitoring of CI/CD pipelines to detect and prevent such sophisticated attacks.
