Overview
A new supply chain attack campaign codenamed Miasma has compromised @redhat-cloud-services npm packages, introducing a self-propagating credential-stealing worm into one of the most widely used enterprise cloud SDK ecosystems. The campaign follows the Mini Shai-Hulud playbook that has defined the most dangerous supply chain attacks of 2026: infiltrate a trusted package, steal developer credentials and secrets, then spread.
Security researchers confirmed that the attack uses the same core tactics as previous Mini Shai-Hulud campaigns — installing credential theft payloads and propagating by compromising additional npm packages via stolen maintainer tokens.
What Is Miasma
Miasma is the latest named variant of the Mini Shai-Hulud supply chain attack campaign that has plagued the npm ecosystem throughout 2026. The campaign name derives from its characteristic "miasma" spread pattern — like a toxic vapor, the worm spreads silently and broadly before detection.
Researchers describe the core attack mechanism:
"This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of installing credential theft components and propagating through developer machines and package ecosystems."
Targeted Packages
The Miasma campaign specifically targeted the @redhat-cloud-services npm package namespace, which is maintained by Red Hat engineers and used extensively in:
- OpenShift cloud platform tooling
- Red Hat Hybrid Cloud Console integrations
- Enterprise Kubernetes management toolchains
- DevOps automation pipelines for Red Hat enterprise customers
The targeting of Red Hat's npm packages is particularly significant because these packages are embedded in CI/CD pipelines across enterprise environments that manage critical cloud infrastructure.
Attack Chain
1. Attacker compromises a Red Hat npm package maintainer account (via phishing, credential stuffing, or prior credential theft)
2. Malicious code is injected into @redhat-cloud-services package(s)
   - An install hook executes the credential theft payload silently
   - Targets: AWS credentials, GitHub tokens, .env files, CI/CD secrets
3. Developer installs or updates the affected package(s)
   - The payload activates during npm install, from the package's postinstall hook
   - Secrets are exfiltrated to attacker-controlled infrastructure
4. Stolen credentials are used to compromise additional npm packages
   - Self-propagating: the worm spreads to every package the compromised developers can publish
   - New victims are added to the attacker's credential cache
5. CI/CD pipeline compromise
   - GitHub Actions tokens, Kubernetes service account tokens, and cloud provider credentials harvested at scale
Comparison to Prior Mini Shai-Hulud Attacks
| Campaign | Month | Targets | Impact |
|---|---|---|---|
| Original Mini Shai-Hulud | April 2026 | SAP npm packages | 1,800+ packages |
| TanStack Campaign | May 2026 | React ecosystem | OpenAI, Grafana, GitHub |
| Miasma | June 2026 | Red Hat @redhat-cloud-services | Enterprise cloud tooling |
Each successive campaign has demonstrated an evolution in targeting strategy — moving from general developer tooling (SAP) to widely-used frontend frameworks (TanStack) and now to enterprise cloud infrastructure toolchains (Red Hat).
Scope of Exposure
Organizations that may be affected include:
- OpenShift users who install or update @redhat-cloud-services packages
- Red Hat Hybrid Cloud Console integration developers
- Enterprise DevOps teams using Red Hat cloud tooling in CI/CD pipelines
- Any developer who ran npm install with @redhat-cloud-services packages anywhere in the dependency tree during the attack window
The self-propagating nature of the worm means that downstream packages and maintainers with no direct connection to Red Hat may also have been compromised: a publish token stolen from any affected developer lets the worm push itself into every package that token can publish, whether or not those packages have anything to do with Red Hat.
Immediate Actions
If You Use @redhat-cloud-services npm Packages
- Audit your package-lock.json for @redhat-cloud-services dependencies:
```bash
grep -n "@redhat-cloud-services" package-lock.json
```
- Check whether the installed packages declare lifecycle hooks, without letting them run. Do not use a normal npm install --verbose for this: it executes the very postinstall hook you are looking for.
```bash
npm install --ignore-scripts
grep -lE '"(pre|post)?install"' node_modules/@redhat-cloud-services/*/package.json
```
- Rotate all secrets accessible from affected developer machines and CI runners:
  - AWS IAM credentials
  - GitHub personal access tokens
  - npm publish tokens (the worm's propagation vector to the next package)
  - Kubernetes service account tokens
  - .env file contents exposed during installs
- Audit CI/CD pipeline credentials for any unexpected access:
```bash
# Review recent AWS CloudTrail events for unexpected API calls
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole
# List a repository's Actions secrets (names and updated timestamps) to spot
# unexpected additions; this endpoint does not return usage logs
gh api /repos/{owner}/{repo}/actions/secrets
```
Long-Term Supply Chain Hardening
```jsonc
// package.json — pin packages to exact versions
{
  "dependencies": {
    "@redhat-cloud-services/frontend-components": "4.2.1"
  }
}
```
An exact pin only helps if installs actually honour the lockfile, so use npm ci in CI rather than npm install.
```ini
# .npmrc — run npm audit in CI/CD and keep lifecycle scripts off by default
audit=true
ignore-scripts=true
```
With ignore-scripts=true, install hooks never run unless you opt in (npm run and npm test still run their named scripts; only the automatic pre/post hooks are skipped). For the few packages that genuinely need a build step, such as native addons, review their scripts and then run npm rebuild <package> for those alone.
Red Hat's Response
Red Hat has been notified of the campaign and is expected to:
- Remove malicious package versions from the npm registry
- Rotate all maintainer credentials across the @redhat-cloud-services scope
- Audit all recent package updates for unauthorized modifications
- Issue security advisory detailing affected package versions and remediation guidance
Developers should monitor Red Hat's security advisories and the npm security feed for official guidance on specific affected package versions.
The Growing Mini Shai-Hulud Ecosystem
The Miasma campaign confirms that the Mini Shai-Hulud attack methodology has become a template adopted by multiple threat actors. The original worm's source code release in May 2026 further lowered the barrier to entry:
- Source code publicly released: May 15, 2026
- New campaigns spawned: Multiple within weeks of release
- Target diversity expanding: From developer tools to enterprise cloud infrastructure
This evolution from a single threat actor's campaign to a broadly replicated attack methodology represents a significant escalation in supply chain risk for the entire npm ecosystem.
Key Takeaways
- Miasma is the third major Mini Shai-Hulud campaign in 2026 — enterprise cloud tooling is now squarely in scope
- @redhat-cloud-services packages compromised — OpenShift and Hybrid Cloud Console developers should audit immediately
- Rotate all secrets accessible from any machine that installed affected packages
- Self-propagating worm means blast radius extends beyond direct @redhat-cloud-services users
- CI/CD pipeline credentials are the primary target — cloud and Kubernetes credentials at risk
Sources
- The Hacker News — Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm