Miasma worm: live coverage of the Red Hat npm attack

The names are borrowed and a little dramatic, so here is the plain version.

Shai-Hulud is the name of the worm family, not a single attack. The phrase is lifted from Frank Herbert's Dune, where it is the giant sandworm, and the attackers chose it themselves: the original September 2025 payload literally created a malicious GitHub repo called "Shai-Hulud" on every machine it infected. What makes something a Shai-Hulud worm is the self-replication. It does not just steal secrets; it uses the npm publish tokens it steals to poison the next maintainer's packages automatically, so the infection jumps from package to package without a human pushing it along. That is why people call it a worm rather than just malware. Seven separate Shai-Hulud campaigns have run in roughly ten months, escalating from a few hundred repos to the 26,000-repo "Second Coming" in November 2025.

Miasma is the specific strain we are covering on this page, the one that hit Red Hat in early June 2026. Think of Shai-Hulud as the species and Miasma as the individual animal. What sets Miasma apart from earlier Shai-Hulud waves is how it got in: instead of phishing a maintainer's token, it hijacked Red Hat's GitHub Actions OIDC trusted publishing, the keyless mechanism that is supposed to be the safer way to publish, and used it to ship 96 backdoored @redhat-cloud-services versions in seventy-two seconds. Each one carries a preinstall hook that runs a Bun-based credential stealer, which then spreads using whatever it grabs. Same worm bloodline, nastier entry point.

If you want the people behind it rather than the code, that is TeamPCP, and we go deep on them in the threat-actor piece.

A reader pointed us at reporting that ties Miasma to North Korea. The link is real, but it is not what the headline suggests, and the distinction matters.

There is a second, unrelated crew hitting npm right now. On June 3, Microsoft Threat Intelligence flagged two malicious packages, [email protected] and [email protected], that deploy a remote access trojan and exfiltrate stolen keystrokes, wallets, and cloud credentials through Hugging Face's own dataset API, so the traffic looks like ordinary machine-learning activity. OX Security and Socket attribute that cluster, nicknamed MicrosoftSystem64, to FAMOUS CHOLLIMA, the DPRK-linked group also tracked as Contagious Interview that lures developers with fake job interviews. It has been rotating npm accounts since at least April, from js-logger-pack through the current toskypi and hexalpha10 identities, all pointing at the same C2 at 195.201.194[.]107.

So is North Korea behind Miasma? No. FAMOUS CHOLLIMA and TeamPCP are different actors using different delivery: the DPRK crew leans on postinstall hooks and Hugging Face as a dead drop, while Miasma hijacks Red Hat's OIDC trusted publishing. What connects them is the technique, abusing infrastructure you already trust, and that is exactly why TeamPCP open-sourcing the Shai-Hulud playbook is the real story. A method that used to take a state-grade team is now a public template, and the campaigns are arriving in parallel from crews that have never met. The through-line is not the flag on the operator. It is the trust model the whole ecosystem still runs on. We unpack that in our piece on the crew behind the worm.

Miasma is not a one-off. It is the latest move by TeamPCP, the financially motivated cybercrime crew tracked by Unit 42 as TGR-CRI-1135 and by Mandiant as UNC6780. The group has run at least seven Shai-Hulud supply chain campaigns in ten months, from the first self-replicating npm worm in September 2025 to the 26,000-repo "Second Coming" in November to the May 2026 TanStack cluster that scored a CVSS 9.6 and shipped malware carrying valid SLSA provenance.

The turning point came on May 15, when TeamPCP published the worm's source code on GitHub and bankrolled a BreachForums contest paying criminals to use it. That hands everyone a built-in alibi: every new incident now arrives with the question of whether it was the original crew or a contest entrant. Our read is that Miasma's sophistication, the OIDC trusted-publishing hijack, the heavy obfuscation, the reused dead-drop pattern, points to TeamPCP or an operator indistinguishable from it. Either way, the lesson is that attribution stopped being the useful question.

We pulled the full picture together in a separate piece on who TeamPCP is and how the lineage escalated.

The latest mutation, documented by SafeDep this morning, drops the npm package step altogether and targets developer tooling directly. A commit titled chore: update dependencies [skip ci] landed in icflorescu/mantine-datatable and four sibling repositories inside a 49 second window, adding six files that carry 1,459 GitHub stars between them.

Five of the six files exist only to launch the sixth. The payload is .github/setup.js, a 4.3 MB dropper. The triggers around it each abuse a legitimate auto-run feature of a different tool:

• .claude/settings.json and .gemini/settings.json: a SessionStart hook that runs node .github/setup.js when an agent session opens.
• .cursor/rules/setup.mdc: an always-applied rule that instructs the agent to run the file. That is a prompt injection shipped inside the repository.
• .vscode/tasks.json: a task set to runOn: folderOpen, so no agent is even needed.
• package.json: the test script is rewired to node .github/setup.js, so CI detonates it too.

Cloning the repository is safe. Opening it is not. A developer who clones the project to debug an issue and opens the folder runs the payload with no further interaction. Treat unexpected .claude/, .gemini/, .cursor/, and .vscode/ files in a diff as supply chain signals, not editor noise.

At the time of writing, BleepingComputer reports 309 GitHub repositories have been compromised by the campaign, and the count is still climbing.

The worm dumps what it steals into fresh public repositories that act as dead drops, each tagged with the description Miasma: The Spreading Blight. SafeDep and StepSecurity have catalogued several of the accounts holding them: liuende501 with 236 repos, windy629 with more than 200, and HerGomUli. Some of those repos carry a second, reversed string, niagA oG eW ereH :duluH-iahS, which reads back as "Shai-Hulud: Here We Go Again". OX Security separately counted 210 repositories already holding harvested credentials, a rough floor for how many developers have been infected.

This is the trap. SafeDep's root-cause analysis found the attacker published each package three times. The first two waves were unpublished after the fact, but the third wave bumped the patch number and remains the live latest on npm. [email protected], [email protected], and [email protected] all still ship the preinstall dropper.

Upgrading to the latest patch installs the payload rather than removing it. Worse, every malicious version carries valid npm provenance, so npm audit signatures reports them as verified. Provenance attests to how a package was built, not that the build was authorized.

Deleting node_modules is not enough either. Because the payload installs editor and CI persistence, anyone who installed an affected version should treat the host as compromised, isolate it, and rotate every credential it could reach.

On June 3 the campaign ran two parallel arms off the same stolen tokens. The npm arm, analysed by StepSecurity and JFrog, poisoned 57 packages across 286 or more versions and hid the trigger in a binding.gyp file rather than a package.json lifecycle script. When npm finds a binding.gyp and no install hook, it falls back to node-gyp rebuild, which executes shell commands embedded in the file, firing the payload before most lifecycle-script scanners ever look.

The maintainer jagreehal alone had more than 50 npm packages compromised in that wave, including @vapi-ai/server-sdk, which sees over 408,000 monthly downloads. The second arm is the editor-focused GitHub push covered in the newest update above.

Several firms published payload breakdowns. Wiz noted the standout change: new collectors for GCP and Azure cloud identities, a shift from grabbing secrets toward seizing the cloud accounts themselves. Socket traced exfiltration to api.anthropic[.]com:443/v1/api, a domain typosquatting the real Anthropic endpoint, with GitHub as a fallback channel. The fallback commits the stolen data with a taunting message: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:<token>.

The worm also checks for CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before acting, attempts a Docker-socket container escape that grants the CI runner passwordless sudo, and avoids running on Russian-language systems, the same tell seen in the GlassWorm campaigns. Separately, threat-intel firm WhiteIntel disclosed that an active Red Hat GitHub credential and session cookie had surfaced in infostealer logs on April 13 and May 15, weeks before the attack.

In a statement to BleepingComputer, Red Hat said it had removed the packages and that the damage was contained:

The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system. While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems.

Maintainers published clean versions of all 32 packages. Red Hat did not answer questions about how the account was compromised in the first place.

Here is the mechanism end to end, pieced together from SafeDep, Aikido, and The Hacker News.

1. Initial access. A Red Hat employee's GitHub account was compromised. The attacker pushed orphan commits straight to RedHatInsights repositories, bypassing code review.
2. The publish trick. On three repos (javascript-clients, frontend-components, platform-frontend-ai-toolkit) the attacker created short-lived oidc-<hex> branches and rewrote the trusted CI workflow into a self-publishing job with id-token: write, running a Bun worm.
3. Token exchange. That job swapped the workflow's GitHub OIDC token for an npm publish token, then for each target package downloaded the real tarball, injected a preinstall: node index.js hook plus a 4.3 MB dropper, and republished it with valid Sigstore provenance.
4. The root cause. npm trusted publishing binds trust to a repository plus a workflow filename, not to a branch. A malicious branch running the same ci.yml filename was issued a publish token and signed as legitimate.

On a victim machine the dropper runs at install time: a ROT-9 string is passed to eval, which decrypts two AES-128-GCM blobs, downloads Bun 1.3.13 from its official GitHub release, and runs a credential harvester that scrapes AWS, Azure, GCP, Vault, Kubernetes, npm, GitHub, and SSH secrets before propagating onward.

The campaign surfaced publicly on Monday when Aikido and OX Security flagged backdoored builds across Red Hat's npm scope. ReversingLabs clocked the publish burst at 72 seconds for all 32 packages, almost certainly automated.

The numbers: 32 packages, 96 malicious versions, covering the entire Red Hat Hybrid Cloud Console JavaScript ecosystem with close to 10 million collective downloads and roughly 117,000 per week. Each package carried a preinstall hook that ran the stealer during npm install, before any application code, and the payload carried the signature string Miasma: The Spreading Blight.

Working backwards, OX Security found the first commit containing the Miasma: The Spreading Blight string on May 29, three days before public disclosure. The actor appears to have infected a repository early to test the tooling before the main run.

Two ingredients were in place before the attack. WhiteIntel detected an active Red Hat GitHub credential and session cookie in infostealer logs on April 13 and again on May 15. A session cookie matters because it represents an already-authenticated session that can be replayed without clearing MFA. WhiteIntel is careful to say it cannot confirm this exact credential was the one used, but the profile matches the reported initial access.

The second ingredient: the cybercrime group TeamPCP, also tracked as Replicating Marauder, TGR-CRI-1135, and UNC6780, had just open-sourced its Mini Shai-Hulud worm, the framework Miasma is built on. That release means anyone could be driving this campaign, which is exactly why nobody has named the actor with confidence.