Miasma: The Spreading Blight
A distinct npm supply-chain campaign in the Shai-Hulud worm lineage, a derivative or variant of Mini Shai-Hulud. The @redhat-cloud-services incident (June 1, 2026) abused npm's GitHub Actions trusted publishing, which binds trust to the repository plus workflow filename rather than to a branch, ref, or environment, to publish 64 malicious versions across 32 packages, each carrying valid SLSA provenance.

NOTE: the campaign-identifier string "Miasma: The Spreading Blight" was NOT recovered in plaintext from any decoded artifact (it would live in the uncracked inner globalThis["f4abccab2"] PBKDF2+S-box layer). The name is tracked at the maintainer's request but is LOW CONFIDENCE and was not directly observed in static analysis. The initial-access vector for the oidc-<hex> branch pushes remains UNCONFIRMED.
Objective
Steal developer, cloud, registry, and application credentials through malicious package execution and self-propagate via stolen tokens and trusted-publishing abuse.
Related campaigns
Packages
- npm: @redhat-cloud-services/compliance-client (attributed-to)
- npm: @redhat-cloud-services/config-manager-client (attributed-to)
- npm: @redhat-cloud-services/entitlements-client (attributed-to)
- npm: @redhat-cloud-services/host-inventory-client (attributed-to)
- npm: @redhat-cloud-services/insights-client (attributed-to)
- npm: @redhat-cloud-services/integrations-client (attributed-to)
- npm: @redhat-cloud-services/notifications-client (attributed-to)
- npm: @redhat-cloud-services/patch-client (attributed-to)
- npm: @redhat-cloud-services/quickstarts-client (attributed-to)
- npm: @redhat-cloud-services/rbac-client (attributed-to)
- npm: @redhat-cloud-services/remediations-client (attributed-to)
- npm: @redhat-cloud-services/javascript-clients-shared (attributed-to)
- npm: @redhat-cloud-services/sources-client (attributed-to)
- npm: @redhat-cloud-services/topological-inventory-client (attributed-to)
- npm: @redhat-cloud-services/vulnerabilities-client (attributed-to)
- npm: @redhat-cloud-services/chrome (attributed-to)
- npm: @redhat-cloud-services/eslint-config-redhat-cloud-services (attributed-to)
- npm: @redhat-cloud-services/frontend-components (attributed-to)
- npm: @redhat-cloud-services/frontend-components-advisor-components (attributed-to)
- npm: @redhat-cloud-services/frontend-components-config (attributed-to)
- npm: @redhat-cloud-services/frontend-components-config-utilities (attributed-to)
- npm: @redhat-cloud-services/frontend-components-notifications (attributed-to)
- npm: @redhat-cloud-services/frontend-components-remediations (attributed-to)
- npm: @redhat-cloud-services/frontend-components-testing (attributed-to)
- npm: @redhat-cloud-services/frontend-components-translations (attributed-to)
- npm: @redhat-cloud-services/frontend-components-utilities (attributed-to)
- npm: @redhat-cloud-services/rule-components (attributed-to)
- npm: @redhat-cloud-services/tsc-transform-imports (attributed-to)
- npm: @redhat-cloud-services/types (attributed-to)
- npm: @redhat-cloud-services/hcc-feo-mcp (attributed-to)
- npm: @redhat-cloud-services/hcc-kessel-mcp (attributed-to)
- npm: @redhat-cloud-services/hcc-pf-mcp (attributed-to)
Indicators
- sha256: 031ba872d5a84bfb18115f432811e4b45180346a1bae653f7fd85f918e7bb3a3 (indicates)
- sha256: df1732f5bfec12e066be44dee02ec8a243e4868d38672c1b1d065359dd735a14 (indicates)
- sha256: 0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35 (indicates)
- url: https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/ (communicates-with)
- url: https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/ (communicates-with)
- ipv4: 169.254.169.254 (communicates-with)
- ipv4: 169.254.170.2 (communicates-with)
- file_path: /var/run/secrets/kubernetes.io/serviceaccount/token (indicates)
- file_path: /var/run/docker.sock (indicates)
- file_path: /tmp/p<random>.js (indicates)
- file_path: /tmp/b-<random>/bun (indicates)
- file_path: /tmp/kitty-<random> (indicates)
- domain: login.microsoftonline.com (communicates-with)
- domain: graph.microsoft.com (communicates-with)
- email: [email protected] (indicates)
- email: [email protected] (indicates)
- github_repo: RedHatInsights/javascript-clients (exfiltrates-to)
- github_repo: RedHatInsights/frontend-components (exfiltrates-to)
- github_repo: RedHatInsights/platform-frontend-ai-toolkit (exfiltrates-to)
Techniques
- ttp: T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp: T1199 Trusted Relationship (uses)
- ttp: T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp: T1027 Obfuscated Files or Information (uses)
- ttp: T1140 Deobfuscate/Decode Files or Information (uses)
- ttp: T1105 Ingress Tool Transfer (uses)
- ttp: T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp: T1552.005 Unsecured Credentials: Cloud Instance Metadata API (uses)
- ttp: T1528 Steal Application Access Token (uses)
- ttp: T1606.002 Forge Web Credentials: SAML Tokens (uses)
- ttp: T1041 Exfiltration Over C2 Channel (uses)
- ttp: T1567.001 Exfiltration to Code Repository (uses)
- ttp: T1098 Account Manipulation (uses)
- ttp: T1610 Deploy Container (uses)
- ttp: T1546 Event Triggered Execution (uses)
- ttp: T1480.001 Execution Guardrails: Environmental Keying (uses)
- ttp: T1518.001 Software Discovery: Security Software Discovery (uses)
- ttp: Self-Propagation via Trusted Publishing Worm (uses)
- ttp: Spoofed User-Agent on GitHub API (uses)
