A newly discovered software supply chain campaign, dubbed Miasma, has emerged as the latest evolution of the Shai-Hulud supply chain attack, compromising several redhat-cloud-services npm packages to steal credentials, harvest secrets from developer systems, and spread through development environments using worm-like behavior.
Security researchers at Socket described the operation as a smaller but highly capable successor to earlier Shai-Hulud campaigns, noting that it employs many of the same techniques that made previous attacks effective against software development ecosystems.
“This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential downstream propagation,” Socket said.
Attribution Remains Unclear as TeamPCP Tools Continue to Circulate
The identity of the threat actor behind the latest Shai-Hulud supply chain attack remains uncertain. One major reason is the role of TeamPCP, a well-known cybercrime group that previously open-sourced tools associated with the original Shai-Hulud worm. By publicly releasing those resources, TeamPCP lowered the barrier for other attackers to launch similar operations, making attribution significantly more difficult.
Researchers have not yet linked the Miasma campaign to any specific actor with confidence.
Affected redhat-cloud-services Packages
The attack targeted multiple packages published under the redhat-cloud-services namespace. The known compromised packages include:
- @redhat-cloud-services/vulnerabilities-client
- @redhat-cloud-services/tsc-transform-imports
- @redhat-cloud-services/topological-inventory-client
- @redhat-cloud-services/sources-client
- @redhat-cloud-services/rule-components
- @redhat-cloud-services/remediations-client
- @redhat-cloud-services/rbac-client
The malicious code embedded within these packages was designed to execute during installation, allowing attackers to collect sensitive information from infected developer environments.
Encrypted Data Theft and GitHub-Based Propagation
Similar to earlier waves of the Shai-Hulud supply chain attack, the malware incorporates encrypted exfiltration capabilities. Stolen information is transmitted to the endpoint “api.anthropic[.]com:443/v1/api,” while GitHub serves as a secondary communication and propagation channel.
According to Socket, the malware can commit encrypted data packages directly through GitHub’s API.
“It commits the encrypted result envelope through the GitHub API,” Socket said. “The commit message can include: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:.”
Researchers from OX Security identified the first commit containing the phrase “Miasma: The Spreading Blight” on May 29, 2026. This suggests either that the malware variant had already been active by that date or that attackers began testing the campaign around that time.
GitHub Abuse Enables Verified Malicious Commits
The Miasma malware actively searches for repositories where stolen GitHub tokens possess write permissions. It then inspects action.yml and action.yaml files using GraphQL queries before injecting malicious workflows through GitHub’s createCommitOnBranch mutation.
This technique allows the resulting commits to appear as legitimate, verified, and signed changes, increasing the likelihood that malicious modifications will evade scrutiny.
The malware is also capable of performing several additional actions, including:
- Attempting privilege escalation by launching containers that bind-mount the host’s /etc/sudoers.d directory and grant passwordless sudo access to CI runners.
- Detecting endpoint protection products such as CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before executing malicious activities.
- Establishing persistence by modifying Anthropic Claude Code through a SessionStart hook.
- Creating Visual Studio Code tasks.json files configured with "runOn": "folderOpen" to ensure automatic execution whenever a project is opened.
Red Hat GitHub Account Believed to Be Initial Entry Point
Investigators believe the campaign originated from the compromise of a Red Hat employee’s GitHub account. Evidence indicates that the account was the campaign’s patient zero, used to inject malicious code into the affected redhat-cloud-services packages.
The compromised account reportedly pushed malicious orphan commits into two RedHatInsights repositories, allowing the attacker to bypass normal code review procedures and introduce the malicious payload.
Recommended Response and Remediation Steps
Security experts advise organizations that installed affected redhat-cloud-services package versions to immediately isolate impacted systems and remove compromised releases. Additional recommendations include:
- Rotating all potentially exposed credentials.
- Reviewing GitHub and npm activity for suspicious behavior.
- Auditing environments for persistence mechanisms.
- Investigating modifications to configuration files such as:
  - ~/.claude/settings.json
  - .vscode/tasks.json
  - .github/workflows/codeql.yml
  - .github/setup.js
- Enforcing stronger access controls across development environments.
Socket warned that removing the malicious package alone is not sufficient.
“Because the malware includes background execution and potential developer-tool persistence mechanisms, uninstalling the npm package or deleting node_modules should not be considered sufficient cleanup,” Socket explained.
The company also urged organizations operating CI/CD pipelines to suspend affected workflows, invalidate any build artifacts created during the exposure period, and review whether software releases, container images, npm packages, or deployment artifacts were generated after installation of the malicious package.
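The package and persistence checks recommended above can be scripted per checkout. The following is an added example, not code from Socket, Red Hat or the campaign: it reports which of the listed packages appear in a package-lock.json (lockfile versions 2 and 3) and which of the named persistence locations are populated. The function name `audit`, the finding labels, and the nesting of command entries under `hooks.SessionStart` in the Claude Code settings file are assumptions.

```python
import json
import re
from pathlib import Path

# Names from the article; it lists no versions, so a hit only means
# "compare the installed version with the vendor advisory".
AFFECTED = {"@redhat-cloud-services/" + n for n in (
    "vulnerabilities-client", "tsc-transform-imports",
    "topological-inventory-client", "sources-client", "rule-components",
    "remediations-client", "rbac-client")}
REPO_FILES = (".github/workflows/codeql.yml", ".github/setup.js")
# tasks.json may contain comments, so match the text instead of parsing it.
AUTORUN = re.compile(r'"runOn"\s*:\s*"folderOpen"')


def _json(path):
    """Parse a JSON object from path; return {} when missing or malformed."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def _commands(node):
    """Yield "command" strings under a hook entry (layout assumed: walk all)."""
    if isinstance(node, dict):
        if isinstance(node.get("command"), str):
            yield node["command"]
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from _commands(item)


def audit(repo, home):
    """Return sorted (kind, detail) findings for a checkout and a home dir."""
    repo, home, found = Path(repo), Path(home), set()
    for key in _json(repo / "package-lock.json").get("packages", {}):
        name = str(key).rpartition("node_modules/")[2]
        if name in AFFECTED:
            found.add(("affected-package", name))
    tasks = repo / ".vscode" / "tasks.json"
    if tasks.is_file() and AUTORUN.search(tasks.read_text("utf-8", "replace")):
        found.add(("vscode-autorun", ".vscode/tasks.json"))
    hooks = _json(home / ".claude" / "settings.json").get("hooks")
    start = hooks.get("SessionStart") if isinstance(hooks, dict) else None
    found.update(("claude-sessionstart", c) for c in _commands(start))
    found.update(("review-file", f) for f in REPO_FILES if (repo / f).is_file())
    return sorted(found)
```

Call `audit(".", Path.home())` from each checkout; a `review-file` or `claude-sessionstart` finding marks a location to inspect by hand, since both paths can also hold legitimate content.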