Numerous npm packages in the @redhat-cloud-services namespace were compromised as part of a campaign codenamed Miasma. According to researchers from Socket, Wiz, JFrog and several other companies, malicious code was injected via an obfuscated preinstall hook and is aimed at stealing GitHub Actions secrets, npm tokens, cloud credentials, SSH keys, and Kubernetes and Vault artifacts from developers’ machines. The malware exhibits properties of a self-propagating worm capable of poisoning the downstream software supply chain. Organizations using the affected packages must immediately isolate compromised hosts and rotate all potentially exposed credentials.
Affected packages and attack mechanism
The following packages are reported to be compromised:
- @redhat-cloud-services/vulnerabilities-client
- @redhat-cloud-services/tsc-transform-imports
- @redhat-cloud-services/topological-inventory-client
- @redhat-cloud-services/sources-client
- @redhat-cloud-services/rule-components
- @redhat-cloud-services/remediations-client
- @redhat-cloud-services/rbac-client
The campaign is classified as a variant of Mini Shai-Hulud—a series of supply chain attacks that leverage code execution at package installation time, credential harvesting, CI/CD pipeline compromise, encrypted exfiltration, and propagation to downstream dependencies. Attribution of the campaign has not yet been established.
Technical details of malicious behavior
Data collection and exfiltration
The malicious preinstall hook collects a wide range of secrets: GitHub Actions tokens, npm tokens, cloud credentials, Kubernetes and HashiCorp Vault artifacts, SSH keys, and Git configurations. According to Wiz, this variant adds new collectors focused on GCP and Azure cloud identities, indicating that the attackers are shifting their focus toward gaining access to cloud infrastructure itself, not just extracting secrets from it.
Encrypted data is sent to api.anthropic.com:443/v1/api, and as a fallback exfiltration channel it uses public GitHub repositories with the description “Miasma: The Spreading Blight”. According to SafeDep, in the npm environment the malware invokes OIDC token exchange and whoami endpoints, repackages a tarball archive (package-updated.tgz), and signs the artifact via Sigstore, lending it an appearance of legitimacy.
A distinctive detail: when committing via the GitHub API, the commit message may contain the string IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:<token>—apparently a social engineering element intended to discourage administrators from revoking compromised tokens.
Propagation via CI/CD
The malware enumerates GitHub repositories to which the stolen token has write access, reads action.yml/action.yaml files via GraphQL, and creates a workflow commit via the createCommitOnBranch mutation. The result appears as a verified, signed change, which makes detection during code review significantly more difficult.
Evasion and privilege escalation
Before executing its primary malicious actions, the malware checks for the presence of endpoint protection tools—CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner. For privilege escalation, it attempts to start a container that mounts the host directory /etc/sudoers.d, granting the CI runner passwordless sudo access.
It is also noted that the malware does not execute on systems with a Russian-language locale—a pattern previously observed in GlassWorm campaigns.
Persistence mechanisms
The malware persists in development tools in two ways:
- Injecting a SessionStart hook into the Anthropic Claude Code configuration (
~/.claude/settings.json) - Adding a task to
.vscode/tasks.jsonwith the parameter"runOn": "folderOpen"for Visual Studio Code projects, ensuring automatic execution every time the project folder is opened
In addition, each infection is believed to generate a uniquely encrypted payload, which greatly complicates signature-based detection and tracking of malware versions.
Timeline and context
According to OX Security, the first commit containing the string “Miasma: The Spreading Blight” is dated 29 May 2026, which points either to the start of the campaign’s active phase or to the attackers’ infrastructure testing period. The incident has been confirmed by multiple independent research teams, including Aikido Security, StepSecurity, and Microsoft Threat Intelligence. At the same time, no official incident report from Red Hat was available at the time of publication.
Impact assessment
Packages in the @redhat-cloud-services namespace are widely used in the Red Hat Insights ecosystem—a platform for monitoring and managing Red Hat Enterprise Linux infrastructure. The compromise primarily affects:
- Development teams working with Red Hat cloud services and using these packages as dependencies
- CI/CD pipelines where installation of the compromised packages leads to secret leakage and potential contamination of build artifacts
- Organizations’ cloud infrastructure whose GCP, Azure, and AWS identities may have been stolen
The self-propagating nature of the malware means that a single compromised development environment can become the entry point for infecting numerous downstream repositories and artifacts.
Response recommendations
Simply deleting the npm package or the node_modules directory is not a sufficient remediation measure, because the malware includes background execution and persistence mechanisms in developer tools.
- Isolate all hosts on which affected versions of the packages were installed
- Rotate all potentially exposed credentials: npm tokens, GitHub tokens, SSH keys, cloud credentials, Kubernetes and Vault secrets
- Check for persistence artifacts in the following files:
~/.claude/settings.json.vscode/tasks.json.github/workflows/codeql.yml.github/setup.js
- Audit GitHub activity for suspicious commits, especially those signed via
createCommitOnBranch, and npm publications during the exposure period - For CI/CD: suspend affected workflows, invalidate all build artifacts created during the exposure period, and examine every container image, npm package, and deployment artifact published after installing the malicious package
- Strengthen access control: enforce mandatory review for changes to GitHub Actions workflows and restrict token permissions according to the principle of least privilege
The Miasma campaign demonstrates a mature supply chain attack model that combines credential theft, abuse of trust in signed artifacts, and automatic propagation via CI/CD. Organizations using any packages from the @redhat-cloud-services namespace should immediately audit their dependencies, perform a full secret rotation, and review all build artifacts created since late May 2026—until Red Hat officially confirms that the threat has been fully addressed.
