In a significant cybersecurity incident on June 1, 2026, over 30 npm packages under the @redhat-cloud-services namespace were compromised. This attack, identified as “Miasma: The Spreading Blight,” is a newly developed variant of the Mini Shai-Hulud malware, historically linked to the threat actor group TeamPCP.
The assault was not a case of typosquatting. Instead, attackers managed to seize control of a legitimate npm namespace, inserting backdoored versions of frequently used frontend components, API clients, and developer tools. This breach highlights vulnerabilities in trusted software distribution channels.
Methodology of the Attack
Detection by Aikido and JFrog revealed that the malicious packages were disseminated using compromised GitHub Actions OIDC tokens, indicating a breach in the CI/CD pipeline rather than individual developer accounts. This method allowed the attackers to embed a preinstall lifecycle hook within each package’s json scripts.
The hook executed a 4.2 MB obfuscated payload during the npm install process, using a multi-stage decryption strategy to avoid static detection. This payload was capable of evading security measures and deploying a transient Bun-based program, targeting cloud credentials and infrastructure secrets.
Impact on Cloud Environments
Once deployed, the malware aggressively harvested credentials, targeting GitHub tokens, cloud access keys, infrastructure secrets, and developer tools. It could even query cloud services like AWS Secrets Manager when permissions allowed, bypassing traditional security measures.
A sophisticated evasion tactic involved disguising data exfiltration traffic as legitimate Anthropic service requests. The malware also employed a GitHub dead-drop model, using victim accounts to create repositories where stolen credentials were committed as JSON files.
Response and Mitigation
Organizations impacted by this breach are advised to uninstall affected npm packages and regenerate lockfiles using verified metadata. Temporary measures include using npm ci –ignore-scripts in CI pipelines to prevent script execution.
To mitigate the threat, removing persistent files such as kitty-monitor and gh-token-monitor is crucial before revoking any credentials. Auditing npm and GitHub accounts for unauthorized activities and rotating exposed credentials are essential steps in securing affected systems.
This incident underscores the importance of robust security practices in software supply chains, emphasizing the need for continuous monitoring and proactive threat detection.
