Miasma Backdoored 95 Red Hat npm Packages. It's Mini Shai-Hulud With a New Coat of Paint.
- Patrick Duggan
On June 1, Wiz Research confirmed that 95 versions across 32 packages published under the official Red Hat Cloud Services npm namespace had been backdoored. Together, the packages average roughly eighty thousand weekly downloads. Anyone who ran npm install against a compromised version during the window got a credential-stealing worm that immediately began harvesting cloud identities and attempting to spread itself to any other package the victim had publish access to.
The malware is called Miasma. It is Mini Shai-Hulud with the Dune references stripped out and Greek mythology substituted in. The underlying tradecraft and the actor — TeamPCP — are the same.
Here is how it happened.
A Red Hat employee's GitHub account was compromised. The attacker used that access to push malicious commits to official Red Hat repositories. The commits injected a preinstall script into the npm package builds. npm runs lifecycle scripts by default, so the malicious code executes the moment a developer installs the package: before any application code runs, and before any post-install scanning gets a look at it. The attack fires at install time, when trust is highest and attention is lowest.
The confirmed malicious commits include SHA 8bf051251ec3b973e39a313547e53421a2f8d2f6 to RedHatInsights/frontend-components at 10:53 UTC, and SHA 608d01124cd6b5b8c55888e984b4c4d9b06fa686 to RedHatInsights/javascript-clients two minutes later. A second wave landed at 13:44 UTC with SHA ab9903d9edc720d1e11ea7d3d3e7a1c456f44ff7. These are the insertion points. Any developer who installed a package version built from those commits should be treated as compromised.
The payload does three things.
First, it steals credentials. This is classic Mini Shai-Hulud behavior: sweeping for browser sessions, stored tokens, SSH keys, environment files, and anything else on the infected machine that represents authenticated access.
Second, it specifically targets cloud identities. Miasma added new collectors not present in the original Mini Shai-Hulud that pull every GCP service account and every Azure identity the infected machine has access to. A developer's laptop typically has access to significantly more cloud infrastructure than their personal credentials suggest — because CI/CD pipelines, service accounts, and assumed roles are frequently cached or accessible from a dev environment. The attacker is not just stealing the developer's credentials. They are stealing every door the developer could open.
Third, it attempts to spread. If the infected machine can publish to npm — because the developer has publish rights on other packages — Miasma tries to push compromised versions of those packages too. This is the worm behavior that gives Mini Shai-Hulud its name. One infected developer can become many infected packages.
The Red Hat packages themselves touch significant infrastructure. The namespace includes client libraries for compliance, vulnerability management, host inventory, RBAC, remediations, entitlements, and frontend components used across the Red Hat Hybrid Cloud Console. Organizations running these packages in their CI/CD pipelines or installing them on developer machines should treat any install from the compromised version window as a potential credential compromise — not just for the developer but for everything the developer's environment can access.
Wiz confirmed that most malicious versions have been revoked. Two remained live at time of reporting. Updating to a clean version removes the package, but it does not undo anything the preinstall script already exfiltrated. Every credential on or reachable from an affected machine, including the npm tokens that give the worm its publish path, has to be rotated.
The connection to what we wrote yesterday is direct.
In the Salesloft analysis we documented how a single compromised third-party SaaS tool, Context.ai, gave an attacker access to Vercel through a trust relationship, and how a single compromised SaaS platform, Salesloft, gave an attacker access to 760 organizations through OAuth tokens stored in the source code. Miasma is the same architecture applied to the npm ecosystem. One compromised GitHub account. One compromised namespace. Ninety-five poisoned package versions. Every developer who ran install during the window, and every cloud environment their machine could reach.
The attacker does not need to breach your infrastructure. They need to find something your infrastructure trusts that they can compromise first.
The four git commit hashes from the confirmed malicious pushes are in our corpus as of this morning. If you pull the STIX feed, you have them.
The honest advice for anyone running packages from the Red Hat Cloud Services namespace: check your install logs against the affected version list, assume any developer machine that installed a compromised version has been used to access cloud infrastructure through credentials that should now be considered burned, and rotate accordingly. The worm behavior means the exposure is not bounded by how many developers installed the package. It is bounded by how many packages those developers could publish to.
That is the part that makes Miasma different from a standard credential stealer. It is not trying to compromise your machine. It is trying to use your machine to compromise the machines of everyone who trusts you.