@redhat-cloud-services/patch-client
@redhat-cloud-services/patch-client is one of 32 @redhat-cloud-services scope packages compromised on June 1, 2026 in the Miasma: The Spreading Blight campaign (a variant of / derived from Mini Shai-Hulud). The attacker abused npm GitHub Actions trusted publishing by pushing short-lived oidc-<hex> branches that rewrote the trusted CI workflow into a self-publishing job, exchanged the OIDC token for npm publish tokens, repackaged the legitimate tarball with a malicious preinstall hook, and republished with valid SLSA provenance. Published in two waves ~3h apart; wave 1 (4.0.4) was later unpublished, wave 2 (4.0.5) is the live latest.
discovered 2026-06-01
Threat types
- worm
- credential_stealer
- data_exfiltration
- persistence
Malicious versions
- 4.0.4 · 031ba872d5a84bfb…
- 4.0.5
Campaigns
Indicators
- sha256: 031ba872d5a84bfb18115f432811e4b45180346a1bae653f7fd85f918e7bb3a3 (indicates)
- sha256: df1732f5bfec12e066be44dee02ec8a243e4868d38672c1b1d065359dd735a14 (indicates)
- sha256: 0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35 (indicates)
- url: https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/ (communicates-with)
- url: https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/ (communicates-with)
- ipv4: 169.254.169.254 (communicates-with)
- ipv4: 169.254.170.2 (communicates-with)
- file_path: /var/run/secrets/kubernetes.io/serviceaccount/token (indicates)
- file_path: /var/run/docker.sock (indicates)
- file_path: /tmp/p<random>.js (indicates)
- file_path: /tmp/b-<random>/bun (indicates)
- file_path: /tmp/kitty-<random> (indicates)
- domain: login.microsoftonline.com (communicates-with)
- domain: graph.microsoft.com (communicates-with)
- email: [email protected] (indicates)
- email: [email protected] (indicates)
- github_repo: RedHatInsights/javascript-clients (exfiltrates-to)
- github_repo: RedHatInsights/frontend-components (exfiltrates-to)
- github_repo: RedHatInsights/platform-frontend-ai-toolkit (exfiltrates-to)
Techniques
- ttp: T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp: T1199 Trusted Relationship (uses)
- ttp: T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp: T1027 Obfuscated Files or Information (uses)
- ttp: T1140 Deobfuscate/Decode Files or Information (uses)
- ttp: T1105 Ingress Tool Transfer (uses)
- ttp: T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp: T1552.005 Unsecured Credentials: Cloud Instance Metadata API (uses)
- ttp: T1528 Steal Application Access Token (uses)
- ttp: T1606.002 Forge Web Credentials: SAML Tokens (uses)
- ttp: T1041 Exfiltration Over C2 Channel (uses)
- ttp: T1567.001 Exfiltration to Code Repository (uses)
- ttp: T1098 Account Manipulation (uses)
- ttp: T1610 Deploy Container (uses)
- ttp: T1546 Event Triggered Execution (uses)
- ttp: T1480.001 Execution Guardrails: Environmental Keying (uses)
- ttp: T1518.001 Software Discovery: Security Software Discovery (uses)
- ttp: Self-Propagation via Trusted Publishing Worm (uses)
- ttp: Spoofed User-Agent on GitHub API (uses)
