{"campaign":{"name":"Miasma: The Spreading Blight","slug":"miasma-the-spreading-blight","href":"/ti/campaigns/miasma-the-spreading-blight","description":"Distinct npm supply-chain campaign in the Shai-Hulud worm lineage, tracked as a variant of (derived from) Mini Shai-Hulud. The @redhat-cloud-services incident (June 1, 2026) abused npm trusted publishing from GitHub Actions, which binds trust to the repository plus workflow filename rather than to a branch, ref, or environment, to publish 64 malicious versions across 32 packages with valid SLSA provenance; a passing provenance check therefore does not distinguish these versions from legitimate releases. NOTE: the campaign-identifier string \"Miasma: The Spreading Blight\" was NOT recovered in plaintext from any decoded artifact (it is presumed to reside in the still-undecrypted inner globalThis[\"f4abccab2\"] PBKDF2+S-box layer); the name is tracked per maintainer request but is LOW CONFIDENCE and was not directly observed in static analysis. The initial-access vector for the oidc-<hex> branch pushes remains UNCONFIRMED.","objective":"Steal developer, cloud, registry, and application credentials through malicious package execution and self-propagate via stolen tokens and trusted-publishing 
abuse.","aliases":[],"discovered_at":"2026-06-01"},"packages":[{"ecosystem":"npm","name":"@redhat-cloud-services/compliance-client","href":"/ti/packages/npm/@redhat-cloud-services/compliance-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["4.0.3","4.0.4"]},{"ecosystem":"npm","name":"@redhat-cloud-services/config-manager-client","href":"/ti/packages/npm/@redhat-cloud-services/config-manager-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["5.0.4","5.0.5"]},{"ecosystem":"npm","name":"@redhat-cloud-services/entitlements-client","href":"/ti/packages/npm/@redhat-cloud-services/entitlements-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["4.0.11","4.0.12"]},{"ecosystem":"npm","name":"@redhat-cloud-services/host-inventory-client","href":"/ti/packages/npm/@redhat-cloud-services/host-inventory-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["5.0.3","5.0.4"]},{"ecosystem":"npm","name":"@redhat-cloud-services/insights-client","href":"/ti/packages/npm/@redhat-cloud-services/insights-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["4.0.4","4.0.5"]},{"ecosystem":"npm","name":"@redhat-cloud-services/integrations-client","href":"/ti/packages/npm/@redhat-cloud-services/integrations-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["6.0.4","6.0.5"]},{"ecosystem":"npm","name":"@redhat-cloud-services/notifications-client","href":"/ti/packages/npm/@redhat-cloud-services/notifications-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["6.1.4","6.1.5"]},{"ecosystem":"npm","name":"@redhat-cloud-services/patch-client","href":"/ti/packages/npm/@redhat-cloud-services/patch-client","threat_types":["worm","credential_stealer","data_exfiltration","per
sistence"],"versions":["4.0.4","4.0.5"]},{"ecosystem":"npm","name":"@redhat-cloud-services/quickstarts-client","href":"/ti/packages/npm/@redhat-cloud-services/quickstarts-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["4.0.11","4.0.12"]},{"ecosystem":"npm","name":"@redhat-cloud-services/rbac-client","href":"/ti/packages/npm/@redhat-cloud-services/rbac-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["9.0.3","9.0.4"]},{"ecosystem":"npm","name":"@redhat-cloud-services/remediations-client","href":"/ti/packages/npm/@redhat-cloud-services/remediations-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["4.0.4","4.0.5"]},{"ecosystem":"npm","name":"@redhat-cloud-services/javascript-clients-shared","href":"/ti/packages/npm/@redhat-cloud-services/javascript-clients-shared","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["2.0.8","2.0.9"]},{"ecosystem":"npm","name":"@redhat-cloud-services/sources-client","href":"/ti/packages/npm/@redhat-cloud-services/sources-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["3.0.10","3.0.11"]},{"ecosystem":"npm","name":"@redhat-cloud-services/topological-inventory-client","href":"/ti/packages/npm/@redhat-cloud-services/topological-inventory-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["3.0.10","3.0.11"]},{"ecosystem":"npm","name":"@redhat-cloud-services/vulnerabilities-client","href":"/ti/packages/npm/@redhat-cloud-services/vulnerabilities-client","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["2.1.8","2.1.9"]},{"ecosystem":"npm","name":"@redhat-cloud-services/chrome","href":"/ti/packages/npm/@redhat-cloud-services/chrome","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions
":["2.3.1","2.3.2"]},{"ecosystem":"npm","name":"@redhat-cloud-services/eslint-config-redhat-cloud-services","href":"/ti/packages/npm/@redhat-cloud-services/eslint-config-redhat-cloud-services","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["3.2.1","3.2.2"]},{"ecosystem":"npm","name":"@redhat-cloud-services/frontend-components","href":"/ti/packages/npm/@redhat-cloud-services/frontend-components","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["7.7.2","7.7.3"]},{"ecosystem":"npm","name":"@redhat-cloud-services/frontend-components-advisor-components","href":"/ti/packages/npm/@redhat-cloud-services/frontend-components-advisor-components","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["3.8.2","3.8.4"]},{"ecosystem":"npm","name":"@redhat-cloud-services/frontend-components-config","href":"/ti/packages/npm/@redhat-cloud-services/frontend-components-config","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["6.11.3","6.11.4"]},{"ecosystem":"npm","name":"@redhat-cloud-services/frontend-components-config-utilities","href":"/ti/packages/npm/@redhat-cloud-services/frontend-components-config-utilities","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["4.11.2","4.11.3"]},{"ecosystem":"npm","name":"@redhat-cloud-services/frontend-components-notifications","href":"/ti/packages/npm/@redhat-cloud-services/frontend-components-notifications","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["6.9.2","6.9.3"]},{"ecosystem":"npm","name":"@redhat-cloud-services/frontend-components-remediations","href":"/ti/packages/npm/@redhat-cloud-services/frontend-components-remediations","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["4.9.2","4.9.3"]},{"ecosystem":"npm","name":"@redhat-cloud-services/frontend-c
omponents-testing","href":"/ti/packages/npm/@redhat-cloud-services/frontend-components-testing","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["1.2.1","1.2.2"]},{"ecosystem":"npm","name":"@redhat-cloud-services/frontend-components-translations","href":"/ti/packages/npm/@redhat-cloud-services/frontend-components-translations","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["4.4.1","4.4.2"]},{"ecosystem":"npm","name":"@redhat-cloud-services/frontend-components-utilities","href":"/ti/packages/npm/@redhat-cloud-services/frontend-components-utilities","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["7.4.1","7.4.2"]},{"ecosystem":"npm","name":"@redhat-cloud-services/rule-components","href":"/ti/packages/npm/@redhat-cloud-services/rule-components","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["4.7.2","4.7.3"]},{"ecosystem":"npm","name":"@redhat-cloud-services/tsc-transform-imports","href":"/ti/packages/npm/@redhat-cloud-services/tsc-transform-imports","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["1.2.2","1.2.4"]},{"ecosystem":"npm","name":"@redhat-cloud-services/types","href":"/ti/packages/npm/@redhat-cloud-services/types","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["3.6.1","3.6.2"]},{"ecosystem":"npm","name":"@redhat-cloud-services/hcc-feo-mcp","href":"/ti/packages/npm/@redhat-cloud-services/hcc-feo-mcp","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["0.3.1","0.3.2"]},{"ecosystem":"npm","name":"@redhat-cloud-services/hcc-kessel-mcp","href":"/ti/packages/npm/@redhat-cloud-services/hcc-kessel-mcp","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["0.3.1","0.3.2"]},{"ecosystem":"npm","name":"@redhat-cloud-services/hcc-pf-mcp","h
ref":"/ti/packages/npm/@redhat-cloud-services/hcc-pf-mcp","threat_types":["worm","credential_stealer","data_exfiltration","persistence"],"versions":["0.6.1","0.6.2"]}],"indicators":[{"kind":"sha256","value":"031ba872d5a84bfb18115f432811e4b45180346a1bae653f7fd85f918e7bb3a3","href":"/ti/ioc/sha256/031ba872d5a84bfb18115f432811e4b45180346a1bae653f7fd85f918e7bb3a3","context":"patch-client@4.0.4 malicious tarball SHA256"},{"kind":"sha256","value":"df1732f5bfec12e066be44dee02ec8a243e4868d38672c1b1d065359dd735a14","href":"/ti/ioc/sha256/df1732f5bfec12e066be44dee02ec8a243e4868d38672c1b1d065359dd735a14","context":"index.js dropper SHA256 (ROT-9 + AES-128-GCM loader)"},{"kind":"sha256","value":"0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35","href":"/ti/ioc/sha256/0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35","context":"decrypted Bun worm payload SHA256"},{"kind":"url","value":"https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/","href":"/ti/ioc/url/url-6e07621b67f6","context":"npm OIDC-to-publish-token exchange endpoint abused for self-propagation (legitimate npm registry endpoint; behavioral indicator, not for blocklisting)"},{"kind":"url","value":"https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/","href":"/ti/ioc/url/url-64f182498063","context":"Bun 1.3.13 runtime download (legitimate URL abused to execute payload)"},{"kind":"ipv4","value":"169.254.169.254","href":"/ti/ioc/ipv4/169.254.169.254","context":"AWS IMDS endpoint queried for cloud credentials (standard link-local metadata address, benign on its own; relevant only when queried by package or build-step code)"},{"kind":"ipv4","value":"169.254.170.2","href":"/ti/ioc/ipv4/169.254.170.2","context":"AWS ECS task metadata endpoint queried for credentials (standard link-local address, benign on its own)"},{"kind":"file_path","value":"/var/run/secrets/kubernetes.io/serviceaccount/token","href":"/ti/ioc/file_path/file_path-ca72b599811b","context":"Kubernetes service account token harvested (default in-pod token path; its presence is normal, only unexpected reads are of interest)"},{"kind":"file_path","value":"/var/run/docker.sock","href":"/ti/ioc/file_path/file_path-71329c4cc6e3","context":"Docker socket abused for container 
escape"},{"kind":"file_path","value":"/tmp/p<random>.js","href":"/ti/ioc/file_path/file_path-689667fb8c5f","context":"runtime dropper artifact (decoded loader)"},{"kind":"file_path","value":"/tmp/b-<random>/bun","href":"/ti/ioc/file_path/file_path-59b338a3cd5c","context":"runtime artifact (downloaded Bun runtime)"},{"kind":"file_path","value":"/tmp/kitty-<random>","href":"/ti/ioc/file_path/file_path-3f0c1ce3224a","context":"runtime worm artifact"},{"kind":"domain","value":"login.microsoftonline.com","href":"/ti/ioc/domain/login.microsoftonline.com","context":"Azure managed identity / token endpoint queried (legitimate Microsoft endpoint; behavioral indicator, not for blocklisting)"},{"kind":"domain","value":"graph.microsoft.com","href":"/ti/ioc/domain/graph.microsoft.com","context":"Azure Graph API queried for identity data (legitimate Microsoft endpoint; behavioral indicator, not for blocklisting)"},{"kind":"email","value":"justinorringer@gmail.com","href":"/ti/ioc/email/justinorringer@gmail.com","context":"git author email on malicious commits, spoofed or unconfirmed (Justin Orringer); git author fields are unauthenticated, so this is not attribution"},{"kind":"email","value":"claude@users.noreply.github.com","href":"/ti/ioc/email/claude@users.noreply.github.com","context":"Spoofed git commit author identity used to plant the binary dropper and blend with AI-assistant automation. 
Also seen across the Shai-Hulud / Mini Shai-Hulud worm family."},{"kind":"github_repo","value":"RedHatInsights/javascript-clients","href":"/ti/ioc/github_repo/github_repo-1bc3b2894993","context":"compromised repo; workflow ci.yml; branches oidc-4d5900f3, oidc-6523a11b; 15 packages"},{"kind":"github_repo","value":"RedHatInsights/frontend-components","href":"/ti/ioc/github_repo/github_repo-9d459b8f2e91","context":"compromised repo; workflow ci.yaml; branches oidc-61fff775, oidc-af10000d; 14 packages"},{"kind":"github_repo","value":"RedHatInsights/platform-frontend-ai-toolkit","href":"/ti/ioc/github_repo/github_repo-f8474b5474b9","context":"compromised repo; workflow release.yml; branches oidc-2530ec68, oidc-93b9a955; 3 packages"}],"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Trusted Relationship","mitre_attack_id":"T1199","href":"/ti/ttps/T1199"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Obfuscated Files or Information","mitre_attack_id":"T1027","href":"/ti/ttps/T1027"},{"name":"Deobfuscate/Decode Files or Information","mitre_attack_id":"T1140","href":"/ti/ttps/T1140"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Unsecured Credentials: Credentials In Files","mitre_attack_id":"T1552.001","href":"/ti/ttps/T1552.001"},{"name":"Unsecured Credentials: Cloud Instance Metadata API","mitre_attack_id":"T1552.005","href":"/ti/ttps/T1552.005"},{"name":"Steal Application Access Token","mitre_attack_id":"T1528","href":"/ti/ttps/T1528"},{"name":"Forge Web Credentials: SAML Tokens","mitre_attack_id":"T1606.002","href":"/ti/ttps/T1606.002"},{"name":"Exfiltration Over C2 Channel","mitre_attack_id":"T1041","href":"/ti/ttps/T1041"},{"name":"Exfiltration to Code 
Repository","mitre_attack_id":"T1567.001","href":"/ti/ttps/T1567.001"},{"name":"Account Manipulation","mitre_attack_id":"T1098","href":"/ti/ttps/T1098"},{"name":"Deploy Container","mitre_attack_id":"T1610","href":"/ti/ttps/T1610"},{"name":"Event Triggered Execution","mitre_attack_id":"T1546","href":"/ti/ttps/T1546"},{"name":"Execution Guardrails: Environmental Keying","mitre_attack_id":"T1480.001","href":"/ti/ttps/T1480.001"},{"name":"Software Discovery: Security Software Discovery","mitre_attack_id":"T1518.001","href":"/ti/ttps/T1518.001"},{"name":"Self-Propagation via Trusted Publishing Worm","href":"/ti/ttps/self-propagation-via-trusted-publishing-worm"},{"name":"Spoofed User-Agent on GitHub API","href":"/ti/ttps/spoofed-user-agent-on-github-api"}],"related_campaigns":[{"name":"Mini Shai-Hulud","slug":"mini-shai-hulud","href":"/ti/campaigns/mini-shai-hulud","relationship":"variant-of"}],"reports":[{"title":"Miasma: The Spreading Blight (Mini Shai-Hulud lineage) Hits @redhat-cloud-services: Multiple Packages at Risk","url":"https://safedep.io/redhat-cloud-services-hit-by-mini-shai-hulud-npm-worm","published_at":"2026-06-01"}]}