Miasma supply chain attack: malicious code found in RedHat-cloud-services NPM


Snyk Blog


Written by Brian Clark

June 1, 2026

On June 1, 2026, researchers identified malicious code embedded in at least 32 package releases published under the @redhat-cloud-services npm namespace, a set of frontend components and API clients that power the Red Hat Hybrid Cloud Console. The compromised releases carry a preinstall script that runs an obfuscated payload the moment a package is installed, harvesting developer and cloud credentials and attempting to spread itself to other packages the victim can publish. The affected packages average roughly 80,000 downloads per week combined, so the blast radius reaches well beyond Red Hat's own pipelines.

The campaign has been named Miasma, and its payload is a lightly reskinned descendant of the (Mini) Shai-Hulud worm that TeamPCP open-sourced earlier this year. If you have installed any @redhat-cloud-services package, or built a project that depends on one, treat this as an active incident and assume any secrets that touched the affected machines are exposed.

TL;DR

What: Malicious code (self-propagating worm + credential stealer) embedded in published npm releases.

Namespace: @redhat-cloud-services (Red Hat Hybrid Cloud Console frontend components and API clients).

Scope: At least 32 package releases across the namespace, ~80,000 combined weekly downloads. Pushed in two waves.

CVE: None assigned. Tracked through Snyk advisories. Snyk rates the lead advisory at 9.3 (Critical, CVSS v4.0) with an exploit maturity of Attacked.

Root cause: A compromised Red Hat employee GitHub account pushed malicious orphan commits that requested an npm-publishing OIDC token and published packages with valid SLSA provenance.

Status: Most malicious versions had been revoked from npm within hours of disclosure; a small number remained live as analysis continued. Investigation is ongoing.

Action: Pin away from affected versions, reinstall with scripts disabled, and rotate every credential that was reachable from an affected workstation or CI runner.

What happened

The packages in the @redhat-cloud-services namespace are build-time dependencies for the Hybrid Cloud Console: shared React components (@redhat-cloud-services/frontend-components, frontend-components-utilities, frontend-components-notifications), generated API clients (rbac-client, host-inventory-client, compliance-client, and roughly two dozen more), and supporting tooling. Several of them pull meaningful traffic on their own. As a quick sanity check on the reported scope, the npm downloads API puts the largest packages, like @redhat-cloud-services/types, in the five-figures-per-week range:

```shell
# https://api.npmjs.org/downloads/point/last-week/@redhat-cloud-services%2Ftypes
curl -s "https://api.npmjs.org/downloads/point/last-week/@redhat-cloud-services%2Ftypes"
# {"downloads":15060, ... }
```

Summing the last full week (May 25 to May 31, 2026) across the affected packages yields roughly 79,000 downloads, in line with the ~80,000 figure cited for this incident. The unauthorized modifications were first identified on June 1, 2026.

The malicious releases were published in two waves on June 1. By the time advisories went out, npm had revoked most of the bad versions, with a couple still live during analysis.

Technical details

The install-time trigger

Each compromised release adds an install-time hook. npm runs preinstall scripts automatically during npm install, before any of your own code executes, so simply resolving the dependency is enough to trigger the payload:

```json
{
  "scripts": {
    "preinstall": "node index.js"
  }
}
```

The index.js it invokes is an unusually large, heavily obfuscated JavaScript file. The author relied on eval() and ROT-based string decoding to hide the logic, a tradecraft pattern seen in earlier Shai-Hulud variants. Once decoded, the payload is a multi-stage credential collector and worm.

What the payload does

The functional core matches the (Mini) Shai-Hulud framework, though references to Greek mythology have replaced the original Dune-themed cosmetic elements (such as the use of spartan). Newly created attacker repositories carry the description Miasma: The Spreading Blight, which is a useful hunting signal.

On execution, the payload:

Harvests secrets and credentials from the local environment and CI context: environment variables, ~/.npmrc tokens, SSH keys, GitHub tokens, and CI/CD secrets.

Enumerates cloud identities. The notable change in this variant is a pair of new collectors for GCP and Azure that enumerate every identity the infected host can assume, not just static secrets. Earlier variants focused on lifting credentials; this one is oriented toward mapping and reaching the cloud control plane itself.

Self-propagates. It queries the registry for other packages the compromised identity can publish and republishes them, carrying the same...

