Full Report
A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma, has compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. "This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential
Analysis Summary
# Incident Report: Miasma Supply Chain Attack
## Executive Summary
The "Miasma" campaign is a sophisticated supply chain attack targeting Red Hat npm packages to deploy a self-propagating "Mini Shai-Hulud" worm. The malware targets developer environments to harvest cloud credentials, CI/CD secrets, and SSH keys while using GitHub and obfuscated API endpoints for exfiltration. The attack is characterized by its high degree of automation and ability to weaponize stolen tokens to further infect the software supply chain.
## Incident Details
- **Discovery Date:** Approximately May 29 – June 1, 2026
- **Incident Date:** Active May 2026
- **Affected Organization:** Users of Red Hat Cloud Services npm packages
- **Sector:** Technology / Software Development
- **Geography:** Global (specifically avoiding Russian-language systems)
## Timeline of Events
### Initial Access
- **Date/Time:** May 29, 2026 (First recorded "Miasma" string commit)
- **Vector:** Compromised npm packages under the `@redhat-cloud-services` scope.
- **Details:** Attackers injected an obfuscated `preinstall` hook into legitimate Red Hat packages, triggering execution automatically upon installation.
### Lateral Movement
- **Propagation:** The malware functions as a worm; it uses stolen GitHub tokens to enumerate repositories and commit malicious workflows to other projects the victim has write access to.
- **Worm Logic:** It repackages tarballs, signs them via Sigstore, and uses GitHub GraphQL mutations to push verified, signed changes to downstream repositories.
### Data Exfiltration/Impact
- **Theft:** Harvesting of GitHub Actions secrets, npm tokens, AWS/GCP/Azure identities, Kubernetes/Vault material, and SSH keys.
- **Exfiltration:** Data is encrypted and sent to `api.anthropic[.]com:443/v1/api` or committed to attacker-controlled public GitHub repositories.
### Detection & Response
- **Discovery:** Identified by security researchers (Socket, Aikido, Wiz, etc.) via behavioral analysis of npm registry changes.
- **Response actions:** Security vendors flagged the malicious packages; impacted organizations (Red Hat) began the process of revoking compromised tokens and removing malicious versions.
## Attack Methodology
- **Initial Access:** Supply chain compromise via malicious npm package updates.
- **Persistence:** Injects hooks into VS Code `tasks.json` ("runOn": "folderOpen") and Anthropic Claude Code `SessionStart`.
- **Privilege Escalation:** Attempts to launch a container that bind-mounts the host `/etc/sudoers.d` to grant the CI runner passwordless sudo.
- **Defense Evasion:** Checks for EDR (CrowdStrike, SentinelOne) and StepSecurity Harden-Runner; skips Russian-language systems.
- **Credential Access:** Scans for local sensitive files (.git-credentials, .npmrc, cloud config files).
- **Discovery:** Enumerates GitHub repositories via GraphQL and checks for endpoint protection software.
- **Lateral Movement:** Automated commits to downstream repositories using stolen developer credentials.
- **Collection:** Aggregates CI/CD secrets, OIDC tokens, and cloud identity material.
- **Exfiltration:** Encrypted data sent via HTTPS to a masqueraded API endpoint or as Git commits.
- **Impact:** Compromise of internal CI/CD pipelines and potential full takeover of cloud environments.
## Impact Assessment
- **Financial:** High potential cost related to incident response, rotating thousands of secrets, and cloud resource abuse.
- **Data Breach:** Exposure of highly sensitive infrastructure-as-code (IaC) secrets and cloud provider root/admin tokens.
- **Operational:** Disruption to development workflows as npm packages were pulled and CI/CD pipelines needed sanitization.
- **Reputational:** High impact on the trust of the `@redhat-cloud-services` npm scope.
## Indicators of Compromise
- **Network:** `api.anthropic[.]com` (Note: used as a masquerade for exfiltration)
- **Files:** `package-updated.tgz`, `.vscode/tasks.json` with "Miasma" strings.
- **Behavior:** `preinstall` scripts executing unauthorized `curl` or `git` commands; unexpected GraphQL calls to GitHub.
- **GitHub String:** `Miasma: The Spreading Blight` (Repo description)
- **GitHub Commit Msg:** `IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:`
## Response Actions
- **Containment:** Removal of malicious versions from the npm registry.
- **Eradication:** Rotation of all GitHub, npm, and Cloud (AWS/GCP/Azure) tokens found on affected developer machines.
- **Recovery:** Reverting malicious commits identified in downstream repositories and restoring CI/CD integrity.
## Lessons Learned
- **Trust Maturity:** Even "trusted" organization scopes (like Red Hat) require automated scanning for malicious preinstall hooks.
- **Token Scope:** Over-privileged developer tokens allowed the worm to self-propagate effortlessly across different repositories.
- **Verification:** Attackers are now capable of signing malicious commits (Sigstore/verified commits), making manual code review harder.
## Recommendations
- **Strict Dependencies:** Use `ignore-scripts` in `.npmrc` to prevent automatic execution of preinstall hooks.
- **Least Privilege:** Enforce fine-grained personal access tokens (PATs) with minimal repository access.
- **CI/CD Hardening:** Use tools like StepSecurity to restrict egress traffic from CI/CD runners to only authorized domains.
- **Egress Monitoring:** Monitor for unusual traffic patterns from developer workstations to public APIs or GitHub during package installation.