Miasma worm infects Red Hat npm packages, steals credentials
Miasma worm infected several @redhat-cloud-services npm packages, harvesting GitHub Actions secrets, npm tokens, cloud and developer credentials and installing a self-propagating worm.
Multiple @redhat-cloud-services npm packages were modified to include an obfuscated preinstall hook that harvests secrets and installs a self-propagating worm, according to analyses by Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity and Wiz.
The affected packages include vulnerabilities-client, tsc-transform-imports, topological-inventory-client, sources-client, rule-components, remediations-client and rbac-client. Evidence indicates a Red Hat employee GitHub account was compromised and used to push orphan commits to two RedHatInsights repositories, which allowed the malicious payload to be injected into package releases without normal code review.
The preinstall hook collects GitHub Actions secrets, npm tokens, cloud credentials for GCP and Azure, Kubernetes and Vault data, SSH keys, Git credentials and other environment files. Each infection generates a uniquely encrypted payload that is transmitted to api.anthropic.com:443/v1/api, with GitHub used as a fallback channel for exfiltration.
SafeDep found the npm payload performs an OIDC token exchange, queries whoami endpoints, repackages artifacts into an update tarball and signs the modified package through Sigstore. The code uses the GitHub API to enumerate repositories writable by compromised tokens, read workflow files via GraphQL and create commits through the createCommitOnBranch mutation so injected workflows appear as verified, signed changes.
Stolen data has been pushed to public attacker repositories described as Miasma: The Spreading Blight. OX Security identified the earliest commit containing that string on May 29, 2026. Socket researchers compared the campaign to earlier Shai-Hulud activity and highlighted shared tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration and downstream propagation.
The malware attempts privilege escalation by launching a container that bind-mounts the host /etc/sudoers.d to grant passwordless sudo for CI runners. It checks for endpoint protection products such as CrowdStrike, SentinelOne, Carbon Black and StepSecurity Harden-Runner before executing payloads. Persistence measures include injecting a SessionStart hook into Anthropic Claude Code settings and adding a Visual Studio Code tasks.json entry with runOn set to folderOpen so the malicious code runs during developer sessions.
Attribution remains unclear because TeamPCP, the group linked to the original Shai-Hulud worm, has released related tools publicly, which can allow other actors to reuse them. Wiz analysts reported the Miasma variant added collectors for GCP and Azure identities that gather all cloud identities accessible to the infected host.
Responders are advised to isolate hosts running affected package versions, remove the malicious releases, rotate exposed credentials and suspend affected CI/CD workflows. Teams should invalidate build artifacts created during the exposure window, audit for suspicious GitHub or npm activity and search for persistence artifacts such as ~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml and .github/setup.js. Uninstalling the npm package or deleting node_modules may not remove background execution or developer-tool persistence.
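The following script is an added example, not code from the article or from any of the vendors it cites: it checks a home directory and a project checkout for the developer-tool persistence artifacts listed above. The settings layouts it inspects (Claude Code `hooks` keyed by `SessionStart`, VS Code tasks with `runOptions.runOn` set to `folderOpen`) and the sample tree built by `demo()` are assumptions constructed for illustration; presence of the two `.github` files is reported for manual review only, since they can be legitimate.

```python
import json
import tempfile
from pathlib import Path

# Artifact paths come from the advisory; the key layouts checked (Claude Code
# "hooks" -> "SessionStart", VS Code "runOptions" -> "runOn") are assumptions.
PROJECT_ARTIFACTS = [".vscode/tasks.json", ".github/workflows/codeql.yml",
                     ".github/setup.js"]

def _load_json(path):
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):  # missing file or not JSON: nothing to flag
        return None

def check_claude_settings(path):
    """Flag a SessionStart hook; it runs whenever a Claude Code session starts."""
    data = _load_json(path)
    if isinstance(data, dict) and "SessionStart" in (data.get("hooks") or {}):
        return [f"{path}: SessionStart hook registered, review its command"]
    return []

def check_vscode_tasks(path):
    """Flag each task set to run automatically when the folder is opened."""
    data = _load_json(path)
    tasks = data.get("tasks", []) if isinstance(data, dict) else []
    return [f"{path}: task {t.get('label')!r} runs on folderOpen" for t in tasks
            if isinstance(t, dict)
            and (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def scan(home, project):
    """Collect findings for one home directory and one project checkout."""
    findings = check_claude_settings(home / ".claude/settings.json")
    for rel in PROJECT_ARTIFACTS:
        p = project / rel
        if p.exists():  # presence alone is not proof; these need manual review
            findings += (check_vscode_tasks(p) if rel.endswith("tasks.json")
                         else [f"{p}: present, compare with a known-good copy"])
    return findings

def demo():
    """Constructed sample tree exercising both developer-tool persistence checks."""
    root = Path(tempfile.mkdtemp())
    for d in (root / "home/.claude", root / "proj/.vscode"):
        d.mkdir(parents=True)
    (root / "home/.claude/settings.json").write_text(json.dumps({"hooks": {
        "SessionStart": [{"hooks": [{"type": "command", "command": "node x"}]}]}}))
    (root / "proj/.vscode/tasks.json").write_text(json.dumps({"tasks": [{
        "label": "build", "command": "node x", "runOptions": {"runOn": "folderOpen"}}]}))
    return scan(root / "home", root / "proj")
```

Run `scan(Path.home(), Path("path/to/checkout"))` against real directories; any finding should be followed by inspecting the referenced command rather than only deleting the file, since the article notes that removing the package or `node_modules` does not undo this persistence.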