Date Observed: June 1, 2026
Ecosystem: npm (@redhat-cloud-services)
Targets: CI/CD pipelines and developer workstations consuming @redhat-cloud-services packages
Attack Type: CI/CD pipeline compromise; preinstall hook injection; multi-stage credential theft; worm propagation
Impact: At least 32 @redhat-cloud-services packages / 96 malicious versions were backdoored; multi-cloud credential theft (GitHub Actions, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, CircleCI); downstream propagation capability; ~80,000 cumulative weekly downloads affected
Key Takeaways
- At least 32 @redhat-cloud-services npm packages / 96 malicious versions were backdoored via a compromised GitHub Actions OIDC pipeline on June 1, 2026.
- Each compromised package executed a 4.2 MB obfuscated payload at install time via a preinstall hook, before any application code runs.
- Targets include GitHub Actions secrets, npm tokens, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, CircleCI tokens, SSH keys, and Git credentials.
- The malware is derived from TeamPCP’s Mini Shai-Hulud tooling and adds new GCP and Azure cloud identity collectors, extending the capability from credential theft to live identity enumeration.
- Most malicious versions were revoked by June 1, 1PM UTC. Any environment that ran npm install from this scope before that window should be treated as compromised.
On June 1, 2026, researchers from Wiz, Socket, and StepSecurity identified a coordinated supply chain compromise across at least 32 package / 96 malicious versions in the @redhat-cloud-services npm namespace. The attacker abused the GitHub Actions OIDC publishing path in the RedHatInsights/javascript-clients repository and used it to publish backdoored versions under a trusted publisher identity.
Researchers named this variant “Miasma: The Spreading Blight.” The payload appears to be derived from the Mini Shai-Hulud malware family previously linked to TeamPCP. Because the underlying tooling was made public earlier in 2026, other actors can now reuse the same tradecraft against new targets. Attribution to TeamPCP specifically remains unconfirmed.
Compromising the GitHub Actions OIDC configuration granted the attacker the ability to publish to the @redhat-cloud-services npm namespace under a legitimate publisher identity, without needing to steal any individual maintainer credentials. Unlike earlier TeamPCP campaigns that pivoted from one developer’s machine to hijack downstream publish tokens, this entry point required only a single pipeline compromise to backdoor more than 30 packages simultaneously.
Scope and Impact of the Attack
The compromise spans at least 32 packages and 96 malicious versions across the @redhat-cloud-services scope, covering frontend components, API client libraries, configuration utilities, and MCP packages. These packages collectively average approximately 80,000 weekly downloads, according to Wiz.
The entry point was the GitHub Actions OIDC pipeline in the RedHatInsights/javascript-clients repository. Backdoored versions were published via a trusted publisher identity, making them indistinguishable from legitimate releases to dependency scanners and namespace verification controls.
Most malicious versions were revoked by 1PM UTC on June 1. The interval between publication and revocation is the confirmed exposure window.
How the Attack Works
Stage 1: Preinstall Hook Execution
Each compromised package declared:
“scripts”: {
“preinstall”: “node index.js”
}
This fires index.js during npm install, before any application code runs. The file is 4.2 MB; an anomaly for a library package and contains no legitimate library functionality.
Stage 2: Multi-Layer Obfuscation
The 4.2 MB payload conceals itself behind multiple stacked layers of obfuscation to defeat static analysis. Those layers ultimately decrypt a Bun helper and the main payload, which then uses eval and runtime decryption.
Stage 3: Credential Harvesting
The decoded payload targets GitHub Actions secrets, GITHUB_TOKEN, npm publish tokens, AWS credentials, GCP and Azure credentials, Kubernetes kubeconfig and service account tokens, HashiCorp Vault tokens, CircleCI tokens, SSH keys, and Git credentials. The Miasma variant introduces new collectors that enumerate all GCP and Azure identities the infected machine can access, not just stored secrets. This escalates the capability from credential extraction to live cloud identity hijacking, giving the attacker direct, authenticated access to cloud resources rather than raw credentials to deploy separately.
Stage 4: Exfiltration and Propagation
Stolen material is exfiltrated via encrypted outbound requests to attacker-controlled infrastructure. A GitHub-based fallback routes traffic through api.github.com, blending malicious exfiltration with legitimate CI/CD API calls to evade domain-based blocking. Using stolen npm publish tokens, the payload has the capability to backdoor additional downstream packages; the same worm propagation mechanism documented in earlier Shai-Hulud campaigns. Attacker-created repositories carry the description “Miasma: The Spreading Blight” as an indicator of compromise.
Persistence on the machine: The script drops files into VS Code’s settings folder and Claude Code’s settings folder. The malware writes persistence hooks into IDE configuration files, so it can re-run when the IDE opens, even after the package is removed.
Why This Matters to DevOps and DevSecOps Teams
This attack bypassed standard controls. The packages came from an official vendor namespace, published via a legitimate OIDC pipeline. Namespace trust, package signing checks, and standard dependency audits provide no protection against a compromised upstream publisher.
The preinstall hook fires before any import or application-level code. Audits that run post-install have already allowed the payload to execute. In a typical GitHub Actions runner, secrets referenced via ${{ secrets.* }}, cloud credentials from OIDC federation, and npm tokens are all available in the process environment at install time; exactly what Miasma targets.
The cloud identity enumeration introduced in Miasma raises the risk profile beyond prior variants. Live identity access provides authenticated sessions into compute, storage, and data plane resources from the moment of infection. Teams that ran builds from the @redhat-cloud-services scope during the exposure window should rotate all credentials immediately and audit GitHub Actions logs for unexpected repository creation or workflow runs. The same install-time execution risk was demonstrated in the Bitwarden CLI npm compromise earlier in 2026. Install-time execution in a trusted package remains one of the most direct paths to CI/CD secrets.
How InvisiRisk Protects Against This Attack
Unauthorized API Action Enforcement: This attack specifically targeted publishing and source-control credentials. If malware running in a build attempts package publication, repository creation, or other write operations outside expected job behavior, BAF can block those outbound API actions.
Stability Buffer: InvisiRisk’s BAF Stability Buffer blocks newly published packages from entering protected builds during a configurable time window (default 48 hours). All confirmed compromised versions were published on June 1. A stability buffer would have halted every version before any pipeline could install them, stopping the attack at package ingestion, not at the point of exfiltration.
Why Build-Time Defenses Matter
Trusted namespaces are now a primary attack surface. A single compromised CI/CD publishing pipeline can backdoor an entire vendor package scope within hours. Build-time enforcement, controlling what executes at install and what communicates outbound, is the only layer that operates at the right point in the pipeline.
