Dateline: June 2, 2026
How a Single GitHub Account Poisoned 80,000 Weekly npm Downloads
A trusted npm namespace just turned into a delivery system for malware. On June 1, researchers found that at least 32 package releases under Red Hat’s @redhat-cloud-services scope had been backdoored to steal credentials and worm their way into other projects.
The campaign goes by the name Miasma. The affected packages pull in roughly 80,000 downloads a week combined, so the reach goes far beyond Red Hat.
What Happened?
Wiz Research flagged the compromise on June 1. The attacker got in through a Red Hat employee’s GitHub account, then pushed malicious orphan commits to two RedHatInsights repositories across two separate waves. Because the commits were orphaned, they skipped code review entirely.
From there, the attacker used GitHub Actions OIDC tokens to publish the tampered packages. That detail matters. The poisoned releases carried valid SLSA provenance attestations, so they looked formally verified to anyone running a standard check.
The payload itself is a reskinned version of the Mini Shai-Hulud worm, the same credential-stealing tool that the threat group TeamPCP open-sourced earlier this year. The attacker swapped out the original Dune references for Greek mythology themes and renamed it Miasma. Functionally, it does the same dirty work, plus a little more.
Each compromised package runs an obfuscated preinstall script the moment it gets installed. The script harvests GitHub Actions secrets, npm tokens, and developer credentials, then tries to republish itself through any package the victim account can access. That is how the worm spreads.
The new twist is cloud. This variant added collectors for Google Cloud and Azure that scoop up every identity an infected machine can reach. It also generates a uniquely encrypted payload for each infection, which makes detection and version tracking much harder.
The Impact
Anyone who ran npm install against these packages on June 1 may have exposed their GCP and Azure credentials, npm tokens, and CI/CD secrets. Because the malware republishes itself, one infected developer can seed the next round of compromised packages without knowing it.
The bigger problem is trust. SLSA attestations are supposed to prove a package is legitimate. Here, the attacker held a valid publishing identity, so the attestations validated tampered code. When the upstream account is compromised, provenance stops being a defense and becomes a way to make malware look clean.
Most malicious versions had been revoked within hours, but as of the initial report Red Hat had not shared a remediation timeline, and nobody has confirmed how the GitHub account was breached in the first place.
How to Avoid This
If you pulled any @redhat-cloud-services package on June 1, treat your environment as exposed. Rotate npm tokens, GitHub Actions secrets, and any GCP or Azure credentials those machines could touch.
Pin your dependencies to known-good versions and use a lockfile so a surprise publish cannot sneak in. Where you can, disable install scripts by default, since the whole attack fires from a preinstall hook.
Do not lean on provenance attestations alone. Pair them with anomalous publish detection that flags a package version no one expected. Build an SBOM for your projects so you actually know what you are shipping, and keep eyes on your build and developer environments for odd behavior.
Don’t Let a Trusted Package Become Your Backdoor
Miasma worked because nobody was watching the upstream identity. Secure.com closes that blind spot before a poisoned dependency reaches your build.
- Generates an SBOM so you know every package in your stack and spot tampered releases fast
- Runs source code dependency checks to catch backdoored versions before they ship
- Flags overpermissioned OAuth and CI/CD tokens that attackers ride into your pipeline
- Watches GCP and Azure identities for the credential sprawl this worm hunts for
- Maps the blast radius of a compromise so you know exactly what to lock down
