Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware

Jun 01, 2026 · 4 min read
A significant supply chain attack on June 1, 2026 targeted over 30 official packages under the @redhat-cloud-services npm scope.

The campaign, dubbed “Miasma: The Spreading Blight,” is a new variant of the Mini Shai-Hulud malware family, a sophisticated credential-stealing worm previously linked to the threat actor group TeamPCP.

This is not a typosquatting campaign. The attackers hijacked a legitimate, trusted npm namespace and published backdoored versions of widely-used frontend components, API clients, and developer tooling.

According to Aikido and JFrog detections, the malicious packages were published via GitHub Actions OIDC tokens, indicating the CI/CD pipeline itself was compromised, not individual developer accounts.

Each poisoned package embeds a preinstall lifecycle hook in its package.json:

```json
"scripts": { "preinstall": "node index.js" }
```

This executes a 4.2 MB obfuscated payload automatically during every npm install, before any application code runs. The loader uses a multi-stage decryption chain — numeric character arrays, a ROT-style transform, and AES-128-GCM blobs — to evade static detection, before dropping a transient Bun-based payload to /tmp/p*.js for execution.

Once active, the malware performs a sweeping credential collection targeting:

  • GitHub tokens — classic, fine-grained, and GitHub Actions OIDC tokens
  • Cloud credentials — AWS access keys, GCP service account files, Azure service principal and managed identity tokens
  • Infrastructure secrets — Kubernetes service account tokens and kubeconfig files, HashiCorp Vault tokens
  • Developer tooling — npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, .env files across the filesystem

In cloud environments, the malware goes beyond static files. It actively queries AWS Secrets Manager, SSM Parameter Store, Azure Key Vault, and GCP Secret Manager when permissions allow. GitHub Actions runners are a prime target: the payload reads secrets directly from runtime process memory, bypassing workflow log masking entirely.

A notable evasion technique in this wave involves disguising exfiltration traffic to api.anthropic.com/v1/api — a legitimate-looking domain that blends into network logs at organizations using Anthropic services.

The /v1/api path is not a valid Anthropic route, suggesting attackers chose it purely for camouflage. Defenders should hunt for node or Bun processes contacting this host from CI runners or developer machines.

The malware also uses a GitHub dead-drop model, creating public repositories under victim accounts with the description Miasma: The Spreading Blight and committing stolen credentials as JSON result files.

The malware installs persistent monitoring services — kitty-monitor.service on Linux and com.user.kitty-monitor.plist on macOS — that poll for remote instructions. It also injects hooks into AI developer tools including Claude, Codex, Gemini, Copilot, Kiro, and opencode, and adds VS Code folder-open tasks that re-execute the payload.

Most critically, a destructive token monitor (gh-token-monitor) watches stolen GitHub tokens. If a token is revoked before persistence is removed, it can execute destructive commands such as wiping the user’s home directory.

Incident responders must isolate machines and remove persistence before revoking any tokens.

Indicators of Compromise

Any project that installed the following package versions on or after June 1, 2026 should be treated as compromised. The complete IOC table for all 31 compromised @redhat-cloud-services npm packages:

| # | Package Name | Malicious Version |
|---|---|---|
| 1 | @redhat-cloud-services/chrome | 2.3.1 |
| 2 | @redhat-cloud-services/compliance-client | 4.0.3 |
| 3 | @redhat-cloud-services/config-manager-client | 5.0.4 |
| 4 | @redhat-cloud-services/entitlements-client | 4.0.11 |
| 5 | @redhat-cloud-services/eslint-config-redhat-cloud-services | 3.2.1 |
| 6 | @redhat-cloud-services/frontend-components | 7.7.2 |
| 7 | @redhat-cloud-services/frontend-components-advisor-components | 3.8.2 |
| 8 | @redhat-cloud-services/frontend-components-config | 6.11.3 |
| 9 | @redhat-cloud-services/frontend-components-config-utilities | 4.11.2 |
| 10 | @redhat-cloud-services/frontend-components-notifications | 6.9.2 |
| 11 | @redhat-cloud-services/frontend-components-remediations | 4.9.2 |
| 12 | @redhat-cloud-services/frontend-components-testing | 1.2.1 |
| 13 | @redhat-cloud-services/frontend-components-translations | 4.4.1 |
| 14 | @redhat-cloud-services/frontend-components-utilities | 7.4.1 |
| 15 | @redhat-cloud-services/hcc-feo-mcp | 0.3.1 |
| 16 | @redhat-cloud-services/hcc-kessel-mcp | 0.3.1 |
| 17 | @redhat-cloud-services/hcc-pf-mcp | 0.6.1 |
| 18 | @redhat-cloud-services/host-inventory-client | 5.0.3 |
| 19 | @redhat-cloud-services/insights-client | 4.0.4 |
| 20 | @redhat-cloud-services/integrations-client | 6.0.4 |
| 21 | @redhat-cloud-services/javascript-clients-shared | 2.0.8 |
| 22 | @redhat-cloud-services/notifications-client | 6.1.4 |
| 23 | @redhat-cloud-services/patch-client | 4.0.4 |
| 24 | @redhat-cloud-services/quickstarts-client | 4.0.11 |
| 25 | @redhat-cloud-services/rbac-client | 9.0.3 |
| 26 | @redhat-cloud-services/remediations-client | 4.0.4 |
| 27 | @redhat-cloud-services/rule-components | 4.7.2 |
| 28 | @redhat-cloud-services/sources-client | 3.0.10 |
| 29 | @redhat-cloud-services/tsc-transform-imports | 1.2.2 |
| 30 | @redhat-cloud-services/types | 3.6.1 |
| 31 | @redhat-cloud-services/vulnerabilities-client | 2.1.8 |

If any of these package versions were installed in your environment on or after June 1, 2026, immediately treat all GitHub tokens, npm tokens, cloud credentials (AWS, GCP, Azure), Kubernetes service account tokens, SSH keys, and CI/CD secrets as compromised. Isolate affected machines before revoking any tokens to avoid triggering the Miasma dead-man switch.

Mitigation Steps

  • Run npm uninstall on all affected packages and regenerate lockfiles from trusted metadata
  • Use npm ci --ignore-scripts in CI pipelines as a temporary safeguard
  • Remove kitty-monitor and gh-token-monitor persistence files from all affected machines before revoking tokens
  • Inspect .claude/settings.json, .vscode/tasks.json, and ~/.config/index.js for injected hooks
  • Audit npm and GitHub accounts for unexpected patch-version publishes or newly created repositories matching the Miasma: The Spreading Blight description
  • Rotate all exposed credentials — GitHub tokens, npm tokens, cloud keys, SSH keys, Vault tokens, and Kubernetes service account tokens — only after persistence is confirmed removed
  • Rebuild affected CI runners and developer workstations from clean images

Source: CybersecurityNews.com
