Miasma Worm Infects 32 Red Hat npm Packages, Steals Cloud Credentials and Propagates Through CI/CD Pipelines
On June 1, 2026, at least 32 package releases under the @redhat-cloud-services npm namespace were found to contain unauthorized malicious modifications [1]. These packages collectively average roughly 80,000 weekly downloads [1][3], and one count puts them at 116,991 weekly downloads across 96 compromised versions [5]. The malware, which names itself "Miasma: The Spreading Blight" in its own payload logic [6], is a new variant of the Mini Shai-Hulud worm family. It steals credentials, enumerates cloud identities, and propagates through developer systems and CI/CD pipelines. Most malicious versions were revoked by 1PM UTC on June 1, though at least two remained live at the time of Wiz's initial reporting [1].
Red Hat confirmed awareness and stated the compromise was limited to internal development tooling [7]. At the time of BleepingComputer's reporting, 309 GitHub repositories had been compromised by the Miasma campaign [7].
Background: TeamPCP and the Shai-Hulud Lineage
Miasma didn't appear from nowhere. The threat actor group TeamPCP (tracked as Replicating Marauder, TGR-CRI-1135, and UNC6780) open-sourced the underlying Shai-Hulud attack tooling earlier in 2026 [2][3]. The TanStack and Bitwarden compromises used the same fundamental pattern: turning the CI/CD pipeline itself into the attack surface [5].
CISA added CVE-2026-48027 (malicious Nx Console version) to its Known Exploited Vulnerabilities catalog and warned about supply chain compromises including the Megalodon campaign that injected malicious GitHub Action workflows [10].
Miasma is not just a copy of Mini Shai-Hulud. The notable upgrade is a pair of new collectors for GCP and Azure that enumerate every identity the infected host can assume, not just static secrets [3]. This represents a shift from harvesting stored credentials to mapping out the full scope of cloud access available from a compromised developer workstation or CI runner.
Initial Access: Compromised GitHub Account and CI/CD Abuse
Evidence indicates that a specific Red Hat employee GitHub account was compromised and used to inject the malware into these packages [1]. Whiteintel detected Red Hat GitHub credentials and a session cookie in infostealer logs on April 13 and May 15, 2026 [2]. The first commit containing the "Miasma: The Spreading Blight" string appeared on May 29, 2026 [2].
The malicious packages were published via GitHub Actions OIDC tokens, meaning the attackers compromised the CI/CD pipeline rather than directly publishing to npm with stolen npm credentials [4][5]. This is a critical detail: OIDC-based publishing is supposed to be more secure than static token-based publishing, but it becomes useless once the pipeline itself is owned.
Payload Execution and Credential Theft
The malicious payload is a 4.2 MB obfuscated file that executes automatically during npm install [4]. The malware generates a uniquely encrypted payload for each infection [1], making signature-based detection harder.
Once running, the malware downloads the Bun runtime from GitHub releases to avoid detection by tools that monitor for Node.js-based execution [9]. It creates transient files in /tmp/ for its operations [6][9] and uses a lock file (tmp.0987654321.lock) to prevent duplicate instances from running on the same host [9].
Credential collection is aggressive and broad. The malware targets:
- GitHub Actions secrets including `GITHUB_TOKEN` and `ACTIONS_RUNTIME_TOKEN` [5]
- AWS, GCP, and Azure service account credentials [5]
- Shell environment variables [6]
- GitHub CLI tokens via `gh auth token` [6]
- GCP identities using a spoofed user-agent string mimicking `google-api-nodejs-client/7.0.0` [1]
- Azure identities through newly added collectors [3]
- AI developer tool configurations like `.claude/settings.json` [3]
The malware enumerates repositories the token can write to and commits workflows through the createCommitOnBranch GraphQL mutation [2].
Persistence Mechanisms
Miasma installs persistent monitoring services on both Linux and macOS [4]:
- Linux: A systemd user service called `kitty-monitor` installed at `~/.config/systemd/user/k` [4][6]
- macOS: A launch agent at `com.user.kitty-monitor.plist` [4]
- VS Code: Persistence through `.vscode/tasks.json` to re-execute on IDE launch [3]
A destructive component called gh-token-monitor watches stolen GitHub tokens. The malware can execute destructive commands, including wiping the user's home directory, when a stolen token gets revoked before persistence is removed [4]. This creates a nasty catch-22 for incident responders: revoking tokens without first cleaning the infected host can trigger data destruction.
Evasion and Anti-Analysis
The malware includes multiple evasion techniques:
- Locale check: Avoids execution on Russian-language systems [2]
- EDR detection: Probes for CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before deciding how to operate [2][9]
- C2 camouflage: Uses `anthropic.ai/v1/api` as a C2 communication endpoint, mimicking a legitimate-looking AI API route that doesn't actually exist on Anthropic's infrastructure [4]
- Exfiltration to code repos: Stolen credentials are committed as JSON files to attacker-controlled public GitHub repositories with the description "Miasma: The Spreading Blight" [2][6]
The exfiltration pattern is particularly clever. By writing stolen data to GitHub repositories as results/results-<timestamp>-<counter>.json files [6], the malware avoids traditional network-based exfiltration detection. GitHub traffic is almost universally allowlisted in enterprise environments.
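The dead-drop and workflow-commit patterns described above, and the GitHub audit-log hunting they call for, as an added example that is not part of the original report: a triage script over a constructed JSON-lines audit export. The field names (`action`, `actor`, `repo`, `description`, `paths`) and the `createCommitOnBranch` action label are assumptions, not GitHub's documented audit schema.

```python
"""Triage GitHub audit-log events for the Miasma exfiltration pattern.

Added example, not code from the report or any vendor it cites. It flags:
  * repo.create events whose description carries the worm's self-identifier,
  * push / createCommitOnBranch events that add results/results-<ts>-<counter>.json,
  * commits that touch .github/workflows/ (the worm commits workflows via GraphQL).
Input is one JSON object per line; field names are assumptions for this example.
"""
import json
import re
from typing import Iterable

MIASMA_MARKER = "Miasma: The Spreading Blight"
# results/results-<timestamp>-<counter>.json, as described in the report
RESULTS_RE = re.compile(r"(?:^|/)results/results-\d+-\d+\.json$")
WORKFLOW_RE = re.compile(r"^\.github/workflows/.+\.ya?ml$")


def classify(event: dict) -> list[str]:
    """Return the reasons an audit event is suspicious (empty list if clean)."""
    reasons = []
    action = event.get("action", "")
    desc = event.get("description") or ""
    paths = event.get("paths") or []   # assumed field: files touched by the commit
    if action == "repo.create" and MIASMA_MARKER.lower() in desc.lower():
        reasons.append("repo created with Miasma marker description")
    if action in ("git.push", "createCommitOnBranch"):
        if any(RESULTS_RE.search(p) for p in paths):
            reasons.append("commit adds results/results-<ts>-<counter>.json dead-drop file")
        if any(WORKFLOW_RE.match(p) for p in paths):
            reasons.append("commit modifies GitHub Actions workflow")
    return reasons


def triage(lines: Iterable[str]) -> list[dict]:
    """Parse a JSON-lines audit export and return flagged events with reasons."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue   # skip malformed lines rather than abort the hunt
        reasons = classify(event)
        if reasons:
            hits.append({"actor": event.get("actor"), "repo": event.get("repo"),
                         "action": event.get("action"), "reasons": reasons})
    return hits


# Constructed sample export (not real telemetry); actors and repos are placeholders.
SAMPLE_AUDIT_LOG = """
{"action":"repo.create","actor":"dev-alice","repo":"dev-alice/notes","description":"personal notes"}
{"action":"repo.create","actor":"dev-bob","repo":"dev-bob/x9f2","description":"Miasma: The Spreading Blight"}
{"action":"git.push","actor":"dev-bob","repo":"dev-bob/x9f2","paths":["results/results-1780300000-1.json"]}
{"action":"createCommitOnBranch","actor":"dev-bob","repo":"org/api","paths":[".github/workflows/ci.yml"]}
{"action":"git.push","actor":"dev-alice","repo":"org/api","paths":["src/index.ts","README.md"]}
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_AUDIT_LOG.splitlines()):
        print(hit)
```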
Propagation
Miasma repackages compromised packages into a package-updated.tgz tarball [2] and uses stolen credentials to propagate further. The worm creates public GitHub repositories for credential dead-drops [2] and leverages stolen GITHUB_TOKEN values to access additional repositories and CI/CD pipelines.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Malware | Miasma / Miasma: The Spreading Blight | Worm variant of Mini Shai-Hulud; string appears in payload and repo descriptions | [1][6] |
| Domain | anthropic.ai/v1/api | Fake C2 endpoint mimicking Anthropic API | [4] |
| Filename | _index.js | Obfuscated payload executed via malicious GitHub Actions workflow | [1] |
| Filename | index.js (4.2 MB) | Primary obfuscated payload file | [3] |
| Filename | package-updated.tgz | Repackaged tarball created by malware for propagation | [2] |
| Filename | tmp.0987654321.lock | Lock file preventing duplicate malware instances | [9] |
| Filename | /tmp/p<random>.js | Transient payload files executed by Bun runtime | [6][9] |
| Filename | /tmp/b-<random>/bun | Downloaded Bun runtime executable | [9] |
| Filename | /tmp/kitty-<random> | Temporary infection artifacts | [9] |
| Filename | kitty-monitor.service | Linux systemd persistence service | [4] |
| Filename | com.user.kitty-monitor.plist | macOS launch agent persistence | [4] |
| Filename | gh-token-monitor | Destructive token revocation monitor | [4] |
| Filename | .claude/settings.json | AI tool persistence target | [3] |
| Filename | .vscode/tasks.json | VS Code persistence mechanism | [3] |
| Filename | results/results-<timestamp>-<counter>.json | Exfiltrated credential files committed to GitHub | [6] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | Malicious code injected into trusted @redhat-cloud-services npm packages [1] |
| T1199 | Trusted Relationship | Abused GitHub Actions OIDC trust to publish packages [4][5] |
| T1078.004 | Valid Accounts: Cloud Accounts | Compromised Red Hat employee GitHub account used for initial access [1] |
| T1059 | Command and Scripting Interpreter | Payload executed via Bun runtime and Node.js during install [4][9] |
| T1027 | Obfuscated Files or Information | 4.2 MB obfuscated payload, uniquely encrypted per infection [1][4] |
| T1140 | Deobfuscate/Decode Files or Information | Runtime decryption of payload [1] |
| T1005 | Data from Local System | Collects env vars, SSH keys, CLI tokens, config files [5][6] |
| T1552 | Unsecured Credentials | Harvests GitHub tokens, cloud credentials, session cookies [2][5] |
| T1087.004 | Account Discovery: Cloud Account | GCP and Azure identity enumeration [3] |
| T1526 | Cloud Service Discovery | Enumerates every cloud identity the host can assume [3] |
| T1543 | Create or Modify System Process | Installs kitty-monitor systemd service and macOS plist [4] |
| T1567.001 | Exfiltration Over Web Service: Exfiltration to Code Repository | Commits stolen creds to public GitHub repos [6] |
| T1550.001 | Use Alternate Authentication Material: Application Access Token | Uses stolen GITHUB_TOKEN and OIDC tokens [5] |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Probes for and adapts behavior around EDR products [2][9] |
| T1485 | Data Destruction | Home directory wipe triggered by token revocation [4] |
| T1083 | File and Directory Discovery | Scans for config files, workflow definitions, credential stores [2][6] |
Detection and Hunting
File system indicators: Search developer workstations and CI runners for `/tmp/p*.js`, `/tmp/b-*/bun`, `/tmp/kitty-*`, and `tmp.0987654321.lock` [9].
Persistence artifacts: Check for kitty-monitor.service in ~/.config/systemd/user/ on Linux and com.user.kitty-monitor.plist in ~/Library/LaunchAgents/ on macOS [4][6]. Also check .vscode/tasks.json and .claude/settings.json for unauthorized modifications [3].
GitHub audit logs: Hunt for unexpected repository creation events, especially repos with "Miasma" or "Spreading Blight" in the description [6]. Look for bulk commits to repositories under results/ directories [6].
Network telemetry: Monitor for DNS queries or HTTP requests to anthropic.ai/v1/api, which is not a valid Anthropic endpoint [4]. Also watch for unexpected downloads from github.com matching Bun release binaries on systems where Bun isn't part of the standard toolchain [9].
npm audit: Run npm audit and check for any @redhat-cloud-services packages. Cross-reference installed versions against the known-clean versions published after the incident. Look for packages with _index.js files or index.js files larger than 4 MB [1][3].
SIEM query (Splunk example):

```spl
index=endpoint (file_path="/tmp/p*.js" OR file_path="/tmp/b-*/bun" OR file_path="*kitty-monitor*" OR file_path="*tmp.0987654321.lock")
```
CI/CD pipeline review: Audit GitHub Actions workflow runs for any @redhat-cloud-services packages. Check for unexpected OIDC token usage or workflow modifications between May 29 and June 1, 2026 [2][4].
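One way to carry out the file-system, persistence and package checks above, together with the "clean the host before revoking tokens" rule, as added example code that is not from the report or any vendor it cites. It assumes a sweep root (a mounted image, a container filesystem, or `/` on a live host) and a caller-supplied process list; the `PERSISTENCE` home-directory layouts are assumptions.

```python
"""Offline sweep for the Miasma artifacts named in this report.

Added example, not the report's or any vendor's code. Against a filesystem root it
checks: /tmp transients, the lock file and kitty-monitor persistence files;
@redhat-cloud-services packages with a _index.js or an oversized index.js; and a
gate that refuses token rotation while gh-token-monitor may be running or
persistence is still installed. The process list is supplied by the caller.
"""
import os
import sys
from pathlib import Path

# Glob patterns relative to the sweep root, from the report's IOC table.
TMP_ARTIFACTS = ["tmp/p*.js", "tmp/b-*/bun", "tmp/kitty-*"]
LOCK_FILE = "**/tmp.0987654321.lock"          # directory not pinned by the report
PERSISTENCE = [                               # assumed home-directory layouts
    "home/*/.config/systemd/user/kitty-monitor.service",
    "root/.config/systemd/user/kitty-monitor.service",
    "Users/*/Library/LaunchAgents/com.user.kitty-monitor.plist",
]
NAMESPACE = "@redhat-cloud-services"
PAYLOAD_SIZE = 4 * 1024 * 1024                # report: 4.2 MB obfuscated index.js
MONITOR_PROCS = {"gh-token-monitor", "kitty-monitor"}


def sweep_artifacts(root: str) -> list[str]:
    """Return root-relative paths matching the /tmp, lock-file and persistence IOCs."""
    base = Path(root)
    found = []
    for pattern in TMP_ARTIFACTS + [LOCK_FILE] + PERSISTENCE:
        found.extend(str(p.relative_to(base)) for p in base.glob(pattern))
    return sorted(set(found))


def sweep_node_modules(root: str) -> list[dict]:
    """Flag @redhat-cloud-services packages with a _index.js or an index.js over 4 MB."""
    base = Path(root)
    findings = []
    for pkg in base.glob(f"**/node_modules/{NAMESPACE}/*"):
        if not pkg.is_dir():
            continue
        reasons = []
        if (pkg / "_index.js").exists():
            reasons.append("_index.js present")
        index_js = pkg / "index.js"
        if index_js.is_file() and index_js.stat().st_size > PAYLOAD_SIZE:
            reasons.append(f"index.js is {index_js.stat().st_size} bytes")
        if reasons:
            findings.append({"package": f"{NAMESPACE}/{pkg.name}",
                             "path": str(pkg.relative_to(base)), "reasons": reasons})
    return findings


def safe_to_rotate_tokens(root: str, running_processes: list[str]) -> bool:
    """Checklist gate: True only if no monitor process is live and no persistence remains.

    running_processes holds process names or full paths (e.g. from `ps -eo comm`);
    comparing on the basename keeps "/opt/x/gh-token-monitor" from slipping through.
    """
    live = MONITOR_PROCS & {os.path.basename(p) for p in running_processes}
    persistence_left = [a for a in sweep_artifacts(root) if "kitty-monitor" in a]
    return not live and not persistence_left


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for hit in sweep_artifacts(target):
        print("artifact:", hit)
    for hit in sweep_node_modules(target):
        print("package:", hit["package"], hit["reasons"])
```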
Analysis
Miasma represents a maturation of the Shai-Hulud family from a proof-of-concept worm into a targeted campaign against a major enterprise vendor's development ecosystem. The shift from stealing static secrets to enumerating every assumable cloud identity [3] signals that the actors understand modern cloud architectures. A stolen service account key is valuable. A map of every role and identity a developer machine can assume across AWS, GCP, and Azure is worth far more.
The timeline is telling. Infostealer logs containing Red Hat credentials appeared on April 13 and May 15 [2]. The first malicious commit landed May 29 [2]. That's a six-week window between credential theft and operational use, suggesting either careful planning or the credentials changed hands between the initial stealer operator and TeamPCP.
The destructive wipe capability tied to token revocation [4] is a deliberate anti-response mechanism. It punishes defenders who follow standard incident response playbooks (revoke tokens first, ask questions later) without first ensuring infected endpoints are clean.
Red Sheep Assessment
Confidence: Moderate
The open-sourcing of Mini Shai-Hulud by TeamPCP earlier in 2026 [2][3] was not an act of generosity. It was a force multiplier. By making the core worm toolkit publicly available, TeamPCP created plausible deniability ("anyone could have used our tools") while also generating noise that makes attribution harder. The Miasma variant adds cloud identity enumeration collectors that weren't in the open-sourced version [3], which suggests either TeamPCP kept the best capabilities for themselves or a sophisticated downstream user extended the toolkit.
The CISA alert covering related supply chain compromises, combined with the TanStack and Bitwarden incidents referenced by Aikido [5], points to a sustained campaign against JavaScript/TypeScript developer infrastructure. This isn't isolated opportunism. Someone is systematically mapping and exploiting the trust relationships baked into npm publishing, GitHub Actions OIDC, and CI/CD pipelines.
The infostealer-to-supply-chain pipeline deserves particular attention. Credentials stolen by commodity infostealers (detected by Whiteintel on April 13 and May 15 [2]) were weaponized into a supply chain compromise within weeks. This convergence of cybercrime (infostealer markets) and more targeted supply chain operations is likely to recur. Developer credentials on infostealer markets are now effectively zero-day supply chain vectors.
The Russian-language system exclusion [2] could alternatively indicate a CIS-based actor operating under the conventional "don't hack domestically" norm, but it could also be a false flag given the open-source nature of the toolkit. The TeamPCP group's motivations remain unclear. Financial gain through credential theft is the obvious answer, but the cloud identity enumeration capability suggests potential interest in persistent access to enterprise cloud environments, which could serve espionage objectives.
Defender's Checklist
- [ ] Audit all `@redhat-cloud-services` npm packages in your dependency tree. Pin to versions published after June 1, 2026. Run `npm ls @redhat-cloud-services` across all projects and CI/CD configurations.
- [ ] Sweep developer workstations and CI runners for persistence artifacts: `kitty-monitor.service`, `com.user.kitty-monitor.plist`, and unexpected modifications to `.vscode/tasks.json` or `.claude/settings.json` [3][4]. Do this BEFORE revoking any tokens.
- [ ] Rotate all credentials accessible from affected systems, including GitHub tokens, cloud provider service account keys, and CI/CD secrets. Rotate tokens only after confirming the `gh-token-monitor` process is not running, to avoid triggering the destructive wipe [4].
- [ ] Search GitHub audit logs for unexpected repository creation, especially repos containing "Miasma" in descriptions or with `results/` directories containing JSON files [6]. Query: `action:repo.create description:"Miasma"`
- [ ] Deploy file integrity monitoring on `/tmp/` directories of CI runners to detect `p*.js`, `b-*/bun`, `kitty-*`, and `tmp.0987654321.lock` artifacts [9]. Alert on Bun runtime downloads on systems where Bun is not authorized.
References
[1] https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages
[2] https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html
[3] https://snyk.io/blog/miasma-supply-chain-attack-malicious-code-redhat-cloud-services-npm-packages/
[4] https://cybersecuritynews.com/red-hat-cloud-services-npm-packages/
[5] https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
[6] https://research.jfrog.com/post/shai-hulud-miasma-redhat-cloud-services/
[7] https://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/
[8] https://www.rescana.com/post/openai-macos-products-impacted-by-tanstack-supply-chain-attack-via-mini-shai-hulud-malware-in-teampcp-campaign/
[9] https://thecybersecguru.com/news/red-hat-npm-packages-compromised-miasma-worm/
[10] https://www.cisa.gov/news-events/alerts/2026/05/28/supply-chain-compromises-impact-nx-console-and-github-repositories
---
Hunt Guide: Miasma Worm Supply Chain Campaign
Hypothesis: If TeamPCP/Miasma worm is active in our environment, we expect to observe npm package modifications, persistence artifacts (kitty-monitor), credential theft patterns, and C2 communications to fake Anthropic endpoints in Sysmon, npm audit logs, and network telemetry.
Intelligence Summary: The Miasma worm infected 32 Red Hat npm packages on June 1, 2026, stealing cloud credentials and propagating through CI/CD pipelines. This TeamPCP variant adds GCP/Azure identity enumeration and includes a destructive component that wipes data if tokens are revoked before cleanup.
Confidence: High | Priority: Critical
Scope
- Networks: All developer workstations, CI/CD runners, build servers with npm/Node.js environments
- Timeframe: April 13, 2026 to present (focus on May 29 - June 1 for initial compromise)
- Priority Systems: GitHub Actions runners, Jenkins/GitLab CI nodes, developer laptops with npm access, systems with cloud provider credentials
MITRE ATT&CK Techniques
T1195.001 — Supply Chain Compromise: Compromise Software Dependencies and Development Tools (Initial Access) [P1]
Malicious code injected into @redhat-cloud-services npm packages via compromised GitHub Actions OIDC tokens
Splunk SPL:

```spl
index=npm_logs sourcetype=npm_audit (@redhat-cloud-services OR package_name="@redhat-cloud-services/*")
| eval suspicious=if(file_size>4000000 AND (file_name="index.js" OR file_name="_index.js"), "true", "false")
| where suspicious="true"
| stats count by package_name, version, file_name, file_size
| table package_name, version, file_name, file_size, count
```

Elastic KQL:

```kql
event.module:npm AND (package.name:"@redhat-cloud-services/*" OR package.namespace:"@redhat-cloud-services") AND ((file.name:"index.js" AND file.size:>4000000) OR file.name:"_index.js")
```
Sigma Rule (the size threshold uses the `|gt` modifier; Sigma does not parse a `>` inside a value string, and the second selection is named `large_file` because it is a conjunct, not an exclusion filter):

```yaml
title: Miasma Worm npm Package Infection
id: a7c9f8e2-5b1d-4a3c-9e8f-2b4d5c7e9a1f
status: experimental
author: RedSheep Security/Stone
description: Detects potential Miasma worm infection in npm packages
references:
  - https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages
logsource:
  product: npm
  service: audit
detection:
  selection:
    package_namespace: '@redhat-cloud-services'
    file_name:
      - 'index.js'
      - '_index.js'
  large_file:
    file_size|gt: 4000000
  condition: selection and large_file
falsepositives:
  - Legitimate large JavaScript files in Red Hat packages
level: high
tags:
  - attack.initial_access
  - attack.t1195.001
```
Focus on packages with abnormally large index.js files (>4MB). Cross-reference against known-good package versions published after June 1, 2026.
T1543.001 — Create or Modify System Process: Launch Agent (Persistence) [P1]
Installs kitty-monitor systemd service on Linux and launch agent on macOS for persistence
Splunk SPL (`_time` does not survive `stats`, so first/last seen are carried through as aggregates):

```spl
index=endpoint sourcetype=sysmon EventCode=11 (TargetFilename="*/.config/systemd/user/kitty-monitor.service" OR TargetFilename="*/Library/LaunchAgents/com.user.kitty-monitor.plist" OR TargetFilename="*/.config/systemd/user/k")
| stats count, min(_time) as first_seen, max(_time) as last_seen by ComputerName, TargetFilename, ProcessId, Image
| table first_seen, last_seen, ComputerName, TargetFilename, ProcessId, Image, count
```

Elastic KQL:

```kql
event.code:11 AND (file.path:"*/.config/systemd/user/kitty-monitor.service" OR file.path:"*/Library/LaunchAgents/com.user.kitty-monitor.plist" OR file.path:"*/.config/systemd/user/k")
```
Sigma Rule:

```yaml
title: Miasma Kitty-Monitor Persistence
id: b8f5d7a3-6c2e-4d9a-8f7b-3a5e6d8c9b2a
status: stable
author: Florian Roth (adapted)
description: Detects Miasma worm persistence mechanism creation
references:
  - https://research.jfrog.com/post/shai-hulud-miasma-redhat-cloud-services/
logsource:
  product: linux
  service: auditd
detection:
  selection:
    type: 'PATH'
    name:
      - '*/kitty-monitor.service'
      - '*/com.user.kitty-monitor.plist'
      - '*/.config/systemd/user/k'
  condition: selection
falsepositives:
  - Unknown
level: critical
tags:
  - attack.persistence
  - attack.t1543.001
```
High-confidence indicator. Any kitty-monitor service creation should be investigated immediately.
T1552.001 — Unsecured Credentials: Credentials In Files (Credential Access) [P2]
Harvests GitHub tokens, cloud credentials, and AI tool configurations from developer systems
Splunk SPL:

```spl
index=endpoint sourcetype=sysmon EventCode=1 (CommandLine="*gh auth token*" OR (Image="*/bun" AND CommandLine="*/tmp/p*.js") OR ProcessName="gh-token-monitor")
| stats count, min(_time) as first_seen, max(_time) as last_seen by ComputerName, CommandLine, ProcessId, ParentProcessId
| table first_seen, last_seen, ComputerName, CommandLine, ProcessId, ParentProcessId, count
```

Elastic KQL:

```kql
process.command_line:("gh auth token" OR "/tmp/p*.js") OR process.name:("gh-token-monitor" OR "bun")
```
Monitor for gh CLI token access and Bun runtime execution of temporary JavaScript files
T1567.001 — Exfiltration Over Web Service: Exfiltration to Code Repository (Exfiltration) [P1]
Commits stolen credentials as JSON files to attacker-controlled GitHub repositories
Splunk SPL (`regex` does not accept an OR of two expressions, so the two patterns are combined with `where match()`):

```spl
index=github_audit (action="repo.create" OR action="git.push")
| where match(description, "Miasma.*Spreading Blight") OR match(path, "results/results-[0-9]+-[0-9]+\.json")
| stats count, min(_time) as first_seen, max(_time) as last_seen by actor, repo, action, description
| table first_seen, last_seen, actor, repo, action, description, count
```

Elastic KQL:

```kql
event.action:("repo.create" OR "git.push") AND (repository.description:"*Miasma*" OR file.path:"results/results-*.json")
```
Search for repos with 'Miasma' or 'Spreading Blight' in descriptions and for commits matching the results/results-*.json pattern.
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P1]
Uses fake anthropic.ai/v1/api endpoint for C2 communications
Splunk SPL (DNS events carry no `uri_path`, so the original `is_c2` filter silently dropped them; `fillnull` keeps them in the `stats` grouping):

```spl
(index=proxy OR index=dns) ((dest="anthropic.ai" AND uri_path="/v1/api*") OR (query="anthropic.ai" AND record_type="A"))
| eval indicator=if(isnotnull(uri_path), "http:".uri_path, "dns:".query)
| fillnull value="-" dest, user_agent
| stats count, min(_time) as first_seen, max(_time) as last_seen by src_ip, dest, indicator, user_agent
| table first_seen, last_seen, src_ip, dest, indicator, user_agent, count
```

Elastic KQL:

```kql
(destination.domain:"anthropic.ai" AND url.path:"/v1/api*") OR dns.question.name:"anthropic.ai"
```
anthropic.ai/v1/api is not a legitimate Anthropic endpoint. Any traffic to this path indicates compromise.
T1485 — Data Destruction (Impact) [P1]
gh-token-monitor process wipes home directory if GitHub tokens are revoked before cleanup
Splunk SPL:

```spl
index=endpoint sourcetype=sysmon EventCode=1 (ProcessName="gh-token-monitor" OR CommandLine="*rm -rf ~/*" OR CommandLine="*rm -rf $HOME*")
| stats count, min(_time) as first_seen, max(_time) as last_seen by ComputerName, ProcessName, CommandLine, ParentProcessName
| table first_seen, last_seen, ComputerName, ProcessName, CommandLine, ParentProcessName, count
```

Elastic KQL:

```kql
process.name:"gh-token-monitor" OR process.command_line:("rm -rf ~/" OR "rm -rf $HOME")
```
Critical to identify gh-token-monitor processes BEFORE revoking any tokens to prevent data destruction
T1027 — Obfuscated Files or Information (Defense Evasion) [P2]
4.2MB obfuscated JavaScript payload uniquely encrypted per infection
Splunk SPL:

```spl
index=endpoint sourcetype=sysmon EventCode=11 (TargetFilename="*/tmp/p*.js" OR TargetFilename="*/tmp/b-*/bun" OR TargetFilename="*/tmp/kitty-*" OR TargetFilename="*tmp.0987654321.lock")
| stats count, min(_time) as first_seen, max(_time) as last_seen by ComputerName, TargetFilename, ProcessId, Image
| table first_seen, last_seen, ComputerName, TargetFilename, ProcessId, Image, count
```

Elastic KQL:

```kql
file.path:("/tmp/p*.js" OR "/tmp/b-*/bun" OR "/tmp/kitty-*" OR "*tmp.0987654321.lock")
```
Monitor /tmp/ for transient JavaScript files and Bun runtime downloads
T1562.001 — Impair Defenses: Disable or Modify Tools (Defense Evasion) [P3]
Probes for CrowdStrike, SentinelOne, Carbon Black, and StepSecurity before execution
Splunk SPL:

```spl
index=endpoint (ProcessName="CrowdStrike*" OR ProcessName="SentinelOne*" OR ProcessName="CarbonBlack*" OR ProcessName="*falcon*" OR ProcessName="*sentinel*")
| transaction ComputerName maxspan=5m
| search eventcount>5
| stats values(ProcessName) as security_tools by ComputerName
| table ComputerName, security_tools
```

Elastic KQL:

```kql
process.name:("CrowdStrike*" OR "SentinelOne*" OR "CarbonBlack*" OR "*falcon*" OR "*sentinel*")
```
Look for rapid enumeration of multiple security tools within short timeframes
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | anthropic.ai/v1/api | Fake C2 endpoint mimicking Anthropic API; not a legitimate endpoint |
| filename | _index.js | Obfuscated payload executed via malicious GitHub Actions workflow |
| filename | index.js | 4.2 MB obfuscated payload file; abnormally large for a typical index.js |
| filename | package-updated.tgz | Repackaged tarball created by malware for propagation |
| filename | tmp.0987654321.lock | Lock file preventing duplicate malware instances |
| filename | kitty-monitor.service | Linux systemd persistence service |
| filename | com.user.kitty-monitor.plist | macOS launch agent persistence |
| filename | gh-token-monitor | Destructive component that wipes data on token revocation |
| filename | .claude/settings.json | AI tool configuration file targeted for persistence |
| filename | .vscode/tasks.json | VS Code persistence mechanism |
IOC Sweep Queries (Splunk; the `tasks.json` query moves the `relative_time()` comparison into a `where` clause, since functions cannot be evaluated in the base search):

```spl
(index=proxy OR index=dns) dest="anthropic.ai" uri_path="/v1/api*" | stats count by src_ip, dest, uri_path | table src_ip, dest, uri_path, count
index=endpoint (filename="_index.js" OR TargetFilename="*/_index.js") | stats count by ComputerName, filename, file_path | table ComputerName, filename, file_path
index=endpoint filename="index.js" file_size>4000000 | stats count by ComputerName, filename, file_path, file_size | table ComputerName, filename, file_path, file_size
index=endpoint (filename="package-updated.tgz" OR TargetFilename="*/package-updated.tgz") | stats count by ComputerName, filename, file_path | table ComputerName, filename, file_path
index=endpoint (filename="tmp.0987654321.lock" OR TargetFilename="*/tmp.0987654321.lock") | stats count by ComputerName, filename, file_path | table ComputerName, filename, file_path
index=endpoint (filename="kitty-monitor.service" OR TargetFilename="*kitty-monitor.service") | stats count by ComputerName, filename, file_path | table ComputerName, filename, file_path
index=endpoint (filename="com.user.kitty-monitor.plist" OR TargetFilename="*com.user.kitty-monitor.plist") | stats count by ComputerName, filename, file_path | table ComputerName, filename, file_path
index=endpoint (ProcessName="gh-token-monitor" OR filename="gh-token-monitor") | stats count by ComputerName, ProcessName, filename | table ComputerName, ProcessName, filename
index=endpoint filename="settings.json" file_path="*.claude/*" | stats count by ComputerName, filename, file_path | table ComputerName, filename, file_path
index=endpoint filename="tasks.json" file_path="*.vscode/*" | where file_modify_time > relative_time(now(), "-7d") | stats count by ComputerName, filename, file_path | table ComputerName, filename, file_path
```
YARA Rules
Miasma_Worm_Strings — Detects Miasma worm based on unique string patterns
```yara
rule Miasma_Worm_Strings {
  meta:
    description = "Detects Miasma worm infection markers"
    author = "RedSheep Security/Stone"
    date = "2026-06-07"
    reference = "https://research.jfrog.com/post/shai-hulud-miasma-redhat-cloud-services/"
  strings:
    $s1 = "Miasma: The Spreading Blight" ascii wide
    $s2 = "kitty-monitor" ascii
    $s3 = "gh-token-monitor" ascii
    $s4 = "tmp.0987654321.lock" ascii
    $s5 = "package-updated.tgz" ascii
    $s6 = "results/results-" ascii
    $s7 = "google-api-nodejs-client/7.0.0" ascii
    $s8 = "anthropic.ai/v1/api" ascii
  condition:
    // PE (MZ) or ELF binaries need two markers; anything else (e.g. a JS file) needs three
    (uint16(0) == 0x5A4D and (2 of ($s*))) or
    (uint32(0) == 0x464c457f and (2 of ($s*))) or
    (3 of ($s*))
}
```
Miasma_Obfuscated_Payload — Detects large obfuscated JavaScript files characteristic of Miasma
```yara
import "math"   // required: math.entropy() is provided by the math module

rule Miasma_Obfuscated_Payload {
  meta:
    description = "Detects Miasma obfuscated JavaScript payloads"
    author = "RedSheep Security/Stone"
    date = "2026-06-07"
  strings:
    $magic1 = { 2F 2F 20 4F 62 66 75 73 63 61 74 65 64 } // "// Obfuscated"
    $magic2 = { 65 76 61 6C 28 }                         // "eval("
    $index = "index.js" ascii
    $npm = "node_modules" ascii
  condition:
    filesize > 4MB and
    ($index in (0..100) or $npm) and
    ($magic1 or $magic2 or
     math.entropy(0, filesize) > 7.5)
}
```
Suricata Rules
SID 2026001 — Detects Miasma C2 communication to fake Anthropic endpoint

```suricata
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miasma Worm C2 to Fake Anthropic Endpoint"; flow:established,to_server; content:"POST"; http_method; content:"anthropic.ai"; http_host; content:"/v1/api"; http_uri; content:"application/json"; http_content_type; reference:url,www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages; classtype:trojan-activity; sid:2026001; rev:1;)
```

SID 2026002 — Detects GitHub repository creation with Miasma infection markers (the mutation name and marker are matched in the request body, so both `content` keywords carry `http_client_body`)

```suricata
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miasma Worm GitHub Exfiltration Pattern"; flow:established,to_server; content:"POST"; http_method; content:"api.github.com"; http_host; content:"/graphql"; http_uri; content:"createCommitOnBranch"; http_client_body; content:"Miasma|3a 20|The|20|Spreading|20|Blight"; http_client_body; nocase; distance:0; reference:url,research.jfrog.com/post/shai-hulud-miasma-redhat-cloud-services/; classtype:data-exfiltration; sid:2026002; rev:1;)
```
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1543.001, T1552.001, T1485, T1027 | EventID 1 (Process Creation), EventID 11 (File Creation) required |
| npm audit logs | T1195.001 | Package installation and audit events |
| GitHub audit logs | T1195.001, T1567.001 | Repository creation, push events, OIDC token usage |
| Proxy logs | T1071.001, T1567.001 | HTTP/HTTPS traffic to anthropic.ai and github.com |
| DNS logs | T1071.001 | Queries for anthropic.ai domain |
| EDR telemetry | T1552.001, T1562.001, T1485 | Process execution, security tool enumeration |
| Linux auditd | T1543.001, T1485 | File creation in systemd user directories |
| macOS Unified Logs | T1543.001 | Launch agent creation events |
Sources
- Wiz - Miasma Supply Chain Attack Targeting Red Hat npm Packages
- The Hacker News - Miasma Supply Chain Attack Compromises
- Snyk - Miasma Supply Chain Attack Malicious Code Red Hat Cloud Services npm Packages
- Cybersecurity News - Red Hat Cloud Services npm Packages
- Aikido - Red Hat npm Packages Compromised Credential Stealing Worm
- JFrog Research - Shai-Hulud Miasma Red Hat Cloud Services
- BleepingComputer - Red Hat npm Packages Compromised to Steal Developer Credentials
- Rescana - OpenAI macOS Products Impacted by TanStack Supply Chain Attack
- The CyberSec Guru - Red Hat npm Packages Compromised Miasma Worm
- CISA Alert - Supply Chain Compromises Impact Nx Console and GitHub Repositories