Red Hat Cloud Services Publish Pipeline Compromised, Shipped Malicious NPM


Mini Shai-Hulud "Miasma: The Spreading Blight" Hits @redhat-cloud-services: Multiple Packages at Risk

SafeDep Team • Jun 1, 2026 • 11 min read


TL;DR

On June 1, 2026, an attacker abused npm’s GitHub Actions trusted publishing to ship malicious versions of 32 @redhat-cloud-services packages, 64 versions in total, every one carrying valid npm provenance. The root cause is in the provenance itself: npm binds trusted publishing to a repository plus a workflow filename, not to a branch. The attacker pushed short-lived oidc- branches to three RedHatInsights repositories (javascript-clients, frontend-components, platform-frontend-ai-toolkit), and on each branch rewrote the trusted CI workflow into a self-publishing job that ran a Bun worm with id-token: write. The worm exchanged the workflow’s OIDC token for npm publish tokens, then for each target repackaged the legitimate tarball with a malicious preinstall hook and republished it, provenance and all. The publishes came in two waves about three hours apart; the first wave was later unpublished, but the second wave is still the live latest for every affected package, so upgrading to the latest patch installs the payload.

The injected preinstall runs a 4.3 MB index.js that ROT-9 decodes a loader, AES-128-GCM decrypts a 634 KB Bun script, downloads the Bun runtime from GitHub, and executes it. The payload scans for AWS, Azure, GCP, HashiCorp Vault, Kubernetes, npm, GitHub, and password manager secrets, exfiltrates them to attacker-created public GitHub repositories, and self-propagates using the stolen credentials. [email protected] is the sample analyzed below; the full list of affected packages and versions is in the table at the end of this post.

Impact:

- Executes on npm install before any other code runs, including in CI
- Harvests cloud credentials (AWS IMDS, ECS, Secrets Manager, SSM; Azure managed identity; GCP service accounts), Vault tokens, Kubernetes service account tokens, GitHub PATs, npm tokens, and Bitwarden/gopass vaults
- Exchanges GitHub Actions OIDC tokens for npm publish tokens and signs malicious artifacts via Sigstore
- Self-propagates by injecting .github/workflows/codeql.yml into accessible repositories and republishing tampered npm tarballs
- Attempts Docker socket container escape and installs AI-agent persistence

Indicators of Compromise (IoC):

- Package: @redhat-cloud-services/[email protected]
- Tarball SHA256: 031ba872d5a84bfb18115f432811e4b45180346a1bae653f7fd85f918e7bb3a3
- index.js SHA256: df1732f5bfec12e066be44dee02ec8a243e4868d38672c1b1d065359dd735a14
- Decrypted payload SHA256: 0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35
- Hardcoded AES-128-GCM keys: fe0d71d57ecf4fa0a433185bf59a03f5, f5e5dca9b725ec18514c4b322ed35d2b
- Bun download: github.com/oven-sh/bun/releases/download/bun-v1.3.13/
- Runtime artifacts: /tmp/p.js, /tmp/b-/bun, /tmp/kitty-
- Worm fingerprints: branch chore/add-codeql-static-analysis, injected .github/workflows/codeql.yml, pinned actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd, .claude/settings.json and .vscode/tasks.json persistence
- Exfil repo description: Miasma: The Spreading Blight
- Anti-analysis env vars: __FAKE_PLATFORM__, TESTING_TAR_FAKE_PLATFORM, __IS_DAEMON, SKIP_DOMAIN

The injection is one line in package.json

The diff between 4.0.3 and 4.0.4 is small. The attacker added a preinstall hook and nothing else in the manifest:

package/package.json

"scripts": {

"doc": "typedoc"

"doc": "typedoc",

"preinstall": "node index.js"

},
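
Review bot: the added "preinstall": "node index.js" entry in scripts makes npm execute index.js on every install, and nothing else in the manifest changes alongside it, so the hunk gives no build or setup reason for the hook. A new install-time lifecycle script in a patch release should block the release until someone explains it; if an install step is truly required, it should call a small dedicated script rather than the package's index.js, and consumers reviewing this bump can install with npm's --ignore-scripts until that is settled.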

preinstall runs before dependency resolution finishes and before any application code. On a developer laptop or a CI runner, npm install is enough to trigger the full chain. The main entry point still points at ./index.js, the package’s normal barrel file, except that file is no longer a barrel file. In 4.0.3 it is 7.9...
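
A consumer-side gate that combines the two signals this post describes: the preinstall hook added between 4.0.3 and 4.0.4, and provenance built from a non-release branch (the TL;DR's root cause). This is an added example, not SafeDep's or Red Hat's code; the policy values, workflow path, repository pairing and branch suffix are assumptions, and the attestation field names follow the SLSA v1 GitHub Actions build type.

```javascript
// Added example; sample manifests and attestation below are constructed.
// `predicate` field names follow the SLSA v1 GitHub Actions build type.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Install-time scripts that are new or changed between two package.json objects.
function addedInstallHooks(prev, next) {
  const before = prev.scripts || {};
  const after = next.scripts || {};
  return INSTALL_HOOKS
    .filter((h) => h in after && after[h] !== before[h])
    .map((h) => `install-time script added or changed: ${h} = ${after[h]}`);
}

// The page's root cause: trusted publishing is bound to repository + workflow
// filename, not to a branch, so the consumer checks the recorded ref itself.
function provenanceProblems(statement, policy) {
  const wf = statement?.predicate?.buildDefinition?.externalParameters?.workflow;
  if (!wf) return ["provenance has no workflow block"];
  const out = [];
  if (wf.repository !== policy.repository) out.push(`unexpected repository: ${wf.repository}`);
  if (wf.path !== policy.workflowPath) out.push(`unexpected workflow file: ${wf.path}`);
  if (!policy.allowedRefs.some((re) => re.test(String(wf.ref)))) {
    out.push(`built from non-release ref: ${wf.ref}`);
  }
  return out;
}

function reviewRelease(prev, next, statement, policy) {
  return [...addedInstallHooks(prev, next), ...provenanceProblems(statement, policy)];
}

// Constructed inputs: the manifests mirror the diff above; the repository
// pairing, workflow path, branch suffix and allowed refs are assumptions.
const policy = {
  repository: "https://github.com/RedHatInsights/javascript-clients",
  workflowPath: ".github/workflows/release.yml",
  allowedRefs: [/^refs\/heads\/main$/, /^refs\/tags\/v\d+\.\d+\.\d+$/],
};
const prevManifest = { version: "4.0.3", scripts: { doc: "typedoc" } };
const nextManifest = { version: "4.0.4", scripts: { doc: "typedoc", preinstall: "node index.js" } };
const attestation = { predicate: { buildDefinition: { externalParameters: { workflow: {
  repository: policy.repository, path: policy.workflowPath, ref: "refs/heads/oidc-EXAMPLE",
} } } } };

function demo() {
  return reviewRelease(prevManifest, nextManifest, attestation, policy);
}
console.log(demo().join("\n"));
```

Both findings fire on the constructed release even though its repository and workflow file match the policy, which is the situation a provenance check limited to those two fields would pass.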
