
Red Hat npm Miasma Attack 2026: 32 Packages, 117K Weekly Downloads Compromised
On June 1, 2026, one of the most damaging supply chain attacks in open-source history hit an entirely trusted target: not a random npm package, but the official @redhat-cloud-services namespace. The attack targeted over 30 official packages published under that npm scope. The campaign, dubbed "Miasma: The Spreading Blight," is a new variant of the Mini Shai-Hulud malware family, a sophisticated credential-stealing worm previously linked to the threat actor group TeamPCP.
In total, 96 versions across 32 packages were compromised; those packages are cumulatively downloaded 116,991 times per week. The malware closely resembles the Mini Shai-Hulud malware that TeamPCP recently open-sourced. Since that tooling was made publicly available, other threat actors have access to the same techniques and can replicate or adapt them.
This is not a typosquatting attack, and it is not a rogue lookalike package. It is a compromise of a legitimate, verified Red Hat namespace, the kind of attack that bypasses every standard supply chain defense built on trusting the publisher.
How the Attack Worked: CI/CD Pipeline Takeover
The Initial Access: A Stolen Employee Account
The attack was carried out on June 1, 2026, after a Red Hat employee's GitHub account was compromised. The attacker injected malicious GitHub Actions workflows into three RedHatInsights repositories: frontend-components, javascript-clients, and platform-frontend-ai-toolkit.
Dark web monitoring firm Whiteintel detected a Red Hat GitHub credential and session cookie in infostealer logs on April 13 and May 15, 2026 — raising the possibility that this information may have been used to break into the employee's account.
The attacker had been sitting on stolen credentials for weeks before activating them — a textbook dwell-and-strike pattern consistent with organized supply chain operations.
The Preinstall Hook: Execution Before Application Code
The malware operates via a preinstall lifecycle hook that executes a 4.2 MB obfuscated JavaScript payload during npm install, before any application code runs. The malicious versions were published in two waves: 10:53 to 10:53:33 UTC and 13:44 to 13:46:47 UTC.
The preinstall hook is the most dangerous delivery mechanism in the npm ecosystem: it fires automatically and silently, before the developer ever interacts with the package, and produces no error messages or visible signs of compromise.
The OIDC Compromise: Why This Bypassed Detection
The affected packages were published via GitHub Actions OIDC tokens, which indicates that the CI/CD pipeline itself was compromised rather than a long-lived npm token. This allowed the attacker to publish packages with valid, trusted provenance signatures, making the backdoored versions indistinguishable from legitimate releases to standard integrity checks.
Table: Miasma Attack Timeline and Scope
| Date | Event |
|---|---|
| April 13, 2026 | Red Hat employee GitHub credentials detected in infostealer logs |
| May 15, 2026 | Second credential detection in infostealer logs |
| June 1, 10:53 UTC | First attack wave — malicious package versions published |
| June 1, 13:44 UTC | Second attack wave — additional packages backdoored |
| June 1 (post) | Aikido, OX Security, JFrog, Microsoft detect compromise |
| June 1 (post) | Red Hat removes affected packages, publishes RHSB-2026-006 |
What Miasma Stole: A Complete Credential Sweep
Each compromised package version contained a comprehensive credential sweep targeting: GitHub Actions tokens, AWS access keys and session tokens, GCP application default credentials and service account keys, Azure service principal credentials and managed identity tokens, HashiCorp Vault tokens, Kubernetes service accounts and kubeconfig files, npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, and all .env files.
The malware generates a uniquely encrypted payload per infection, so hash-based IOC detection is unreliable against it.
Important: Because the malware includes background execution and potential developer-tool persistence mechanisms, uninstalling the npm package or deleting node_modules is not sufficient cleanup. Full credential rotation is mandatory; removing the package alone is not a remediation.
Self-Propagation: The Worm Mechanism
The malware republishes packages owned by the compromised maintainer using forged provenance metadata, allowing the threat to spread like a worm across trusted package ecosystems. On developer systems it steals SSH keys, CLI credentials, and browser data; in CI/CD environments it scrapes GitHub Actions runner memory for secrets and republishes poisoned packages with forged SLSA provenance to continue downstream propagation.
Table: Miasma Credential Targets vs Standard Detection
| Credential Type | Storage Location | Hash-Based Detection? |
|---|---|---|
| GitHub Actions tokens | Runner environment vars | No — encrypted per infection |
| AWS access keys | ~/.aws/credentials | No — encrypted per infection |
| Kubernetes service accounts | ~/.kube/config | No — encrypted per infection |
| SSH private keys | ~/.ssh/ | No — encrypted per infection |
| npm/PyPI tokens | ~/.npmrc, pip.conf | No — encrypted per infection |
| .env files | Project directories | No — encrypted per infection |
Immediate Response: What Every Affected Team Must Do
If you have installed any affected package versions since June 1, 2026, treat all CI secrets, cloud credentials, SSH keys, and npm tokens as compromised and rotate them immediately.
Isolate affected machines before revoking any tokens, to avoid triggering the Miasma dead-man switch. Run npm uninstall on all affected packages and regenerate lockfiles from trusted metadata. Use npm ci --ignore-scripts in CI pipelines as a temporary safeguard. Remove the kitty-monitor and gh-token-monitor persistence files from all affected machines before revoking tokens.
Pro Tip: For CI/CD systems, suspend affected workflow runs, invalidate build artifacts produced during the exposure window, and review whether any release, container image, npm package, or deployment artifact was created after the malicious package was installed.
Key Takeaways
- Rotate all credentials immediately if any @redhat-cloud-services package was installed on or after June 1, 2026 — GitHub tokens, cloud credentials, SSH keys, and CI/CD secrets
- Do not rely on npm uninstall — Miasma has persistence mechanisms that survive package removal; full system investigation is required
- Isolate machines before revoking tokens — Miasma contains a dead-man switch that may trigger on token revocation if the machine is still active
- Use npm ci --ignore-scripts permanently in CI/CD pipelines — this blocks the preinstall hook delivery mechanism that Miasma uses
- Monitor GitHub OIDC publish events — this attack bypassed npm token controls entirely by compromising the CI/CD pipeline's OIDC identity
- Treat dark web credential monitoring as a detection layer — Whiteintel spotted the stolen credentials 6 weeks before the attack triggered
Conclusion
The Red Hat Miasma attack is the clearest possible demonstration that namespace trust is not security. Every developer who installed a @redhat-cloud-services package through a CI/CD pipeline on June 1, 2026, should assume full credential compromise regardless of which specific package version they used. The preinstall hook fires before any code runs, the payload generates unique encryption per infection to evade hash detection, and the worm actively spreads to other packages the maintainer controls. Implement --ignore-scripts in all CI/CD npm install commands. Rotate every secret. Investigate every artifact produced during the exposure window. This is not a precaution; it is a confirmed compromise response.
Frequently Asked Questions
Q: What is the Miasma attack and which packages were affected?
A: Miasma is a credential-stealing worm that compromised 96 versions across 32 official npm packages under Red Hat's @redhat-cloud-services namespace on June 1, 2026. It is a variant of the Mini Shai-Hulud malware previously linked to TeamPCP, and collectively the affected packages receive approximately 117,000 weekly downloads. The attack was carried out by compromising a Red Hat employee's GitHub account and injecting malicious workflows into Red Hat CI/CD pipelines.
Q: How does Miasma execute without being detected?
A: Miasma uses a preinstall lifecycle hook in package.json that fires automatically during every npm install — before any application code runs and without any visible error or warning. The 4.2 MB payload is heavily obfuscated and generates a uniquely encrypted version per infection, making hash-based detection ineffective against it.
Q: What credentials does Miasma steal?
A: Miasma performs a comprehensive sweep targeting GitHub Actions tokens, AWS/GCP/Azure credentials, HashiCorp Vault tokens, Kubernetes service account tokens, npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, and all .env files found in the compromised environment.
Q: Is removing the compromised npm package sufficient cleanup?
A: No. Miasma includes background execution mechanisms and developer-tool persistence components that survive package uninstallation and node_modules deletion. Full remediation requires machine isolation, complete credential rotation across all secret types, removal of the specific persistence files (kitty-monitor, gh-token-monitor), and an audit of all build artifacts produced during the exposure window.
Q: How can organizations prevent this class of attack?
A: Run npm ci --ignore-scripts in all CI/CD pipelines to block preinstall hook execution. Implement OIDC publish token monitoring to detect unauthorized package publishing via CI/CD identity. Maintain SBOM inventories for all npm dependencies. Subscribe to dark web credential monitoring — Whiteintel detected stolen Red Hat credentials six weeks before the attack activated.
