On 1 June 2026, Wiz Research identified a supply chain compromise affecting multiple packages published under the @redhat-cloud-services npm namespace. Investigation revealed that at least 32 package releases contained unauthorized modifications that do not match the corresponding source repositories. These packages cumulatively average ~80,000 weekly downloads.
Changelog
June 1, 2026 1PM UTC update: most malicious versions have been revoked, with 2 remaining as of writing.
June 1, 2026 2PM UTC update: Added Root Cause section with analysis.
June 1, 2026 2:20PM UTC update: Added information on second wave of commits.
June 1, 2026 3PM UTC update: Added second wave to table of impacted packages, as well as additional details about the payload.
What is Miasma?
Analysis of the compromised package versions identified a common malicious payload introduced across multiple affected releases. The packages contained newly added installation-time execution mechanisms, including preinstall scripts that automatically invoked a malicious index.js file during package installation. The payloads consisted of unusually large, heavily obfuscated JavaScript files employing eval() and ROT-based decoding techniques to conceal their functionality.
The payload appears to be derived from the (Mini) Shai-Hulud malware open-sourced by TeamPCP. The observed modifications are largely cosmetic, with references to the Dune universe replaced by Greek mythology themes (e.g. "spartan"), while the underlying functionality and tradecraft remain substantially similar. This variant creates repositories containing the description Miasma: The Spreading Blight.
One of the main changes in this new variant is the addition of new data collectors focused on cloud identities. Specifically, collectors for GCP and Azure identities were added that collect all identities the infected machine has access to. While previous versions of the malware primarily focused on extracting secrets from these environments, this variant suggests an increased attacker focus on gaining and leveraging access to the cloud itself.
In addition, the malware now generates a uniquely encrypted payload for each infection, making hash-based IOCs useful only for a specific package version. Unlike previous variants that simply copied themselves, this approach makes detection and version tracking significantly more difficult.
Root Cause
Evidence indicates that a specific Red Hat employee GitHub account was compromised and used to inject the malware into these packages. The compromised account pushed malicious orphan commits to two RedHatInsights repositories, bypassing code review. This happened across two waves of activity.
| Time (UTC) | Repository | Commit SHA | Branch |
|---|---|---|---|
| 10:53:06 | RedHatInsights/frontend-components | 8bf051251ec3b973e39a313547e53421a2f8d2f6 | oidc-61fff775 |
| 10:53:22 | RedHatInsights/javascript-clients | 608d01124cd6b5b8c55888e984b4c4d9b06fa686 | oidc-4d5900f3 |
| 10:53:33 | RedHatInsights/platform-frontend-ai-toolkit | | oidc-2530ec68 |
| 13:44:48 | RedHatInsights/frontend-components | ab9903d9edc720d1e11ea7d3d3e7a1c456f44ff7 | oidc-af10000d |
| 13:45:49 | RedHatInsights/javascript-clients | | oidc-6523a11b |
| 13:46:47 | RedHatInsights/platform-frontend-ai-toolkit | 7569d69cf3684a792ce63d19b6e0d9d192597963 | oidc-93b9a955 |
These contained a minimal workflow that requested an OIDC token for npm publishing:

```yaml
name: release
on:
  push:
    branches: ['*']
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6
      - name: prepare
        run: bun run _index.js
        env:
          OIDC_PACKAGES: "@redhat-cloud-services/frontend-components, ..."
```
The workflow triggered on push to any branch, requested GitHub's OIDC identity token via id-token: write, then executed an obfuscated payload (_index.js) that published packages with valid SLSA provenance attestations. This resembles TeamPCP’s previous attack against Tanstack, which also included the production of valid SLSA provenance attestations.
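The three properties called out above (a push trigger on every branch, `id-token: write`, and a run step that executes a script from the repository) are cheap to audit statically across an organization's workflow files. The following is an added example, not Wiz's or RedHatInsights' code: it takes an already-parsed workflow object (load `.github/workflows/*.yml` with a YAML parser such as js-yaml in practice; here the page's workflow is transcribed as an object literal) and reports each of the three properties, marking the combination as high risk.

```javascript
// Added example (not from the advisory or the affected repositories): flag
// GitHub Actions workflows that combine an unrestricted push trigger, an OIDC
// token grant and execution of a repository-local script. Input is a parsed
// workflow object; the samples at the bottom are the page's workflow and a
// constructed benign one.

// Interpreter invoking a local script file, e.g. "bun run _index.js".
const LOCAL_SCRIPT = /\b(node|bun|deno|sh|bash)\b[^&|;]*\.(?:[cm]?js|sh)\b/;

// YAML 1.1 parsers (PyYAML, for example) read the bare key `on` as the
// boolean true, so a parsed workflow may expose its triggers under "true".
function triggersOf(wf) {
  return wf.on !== undefined ? wf.on : wf['true'];
}

// True when a push to any branch runs the workflow: `on: push`, `on: [push]`,
// a push trigger with no branch filter, or a wildcard filter such as '*'.
function pushOnAnyBranch(on) {
  if (on === 'push') return true;
  if (Array.isArray(on)) return on.includes('push');
  if (!on || typeof on !== 'object' || !('push' in on)) return false;
  const branches = (on.push || {}).branches;
  if (!branches) return true;
  return branches.some((b) => b === '*' || b === '**');
}

// `write-all` grants every permission; otherwise look for id-token: write.
function grantsIdTokenWrite(perms) {
  if (perms === 'write-all') return true;
  return !!perms && typeof perms === 'object' && perms['id-token'] === 'write';
}

function auditWorkflow(wf) {
  const findings = [];
  const anyBranch = pushOnAnyBranch(triggersOf(wf));
  if (anyBranch) findings.push('push trigger with no effective branch restriction');

  let tokenWrite = false;
  let runsLocalScript = false;
  for (const [jobName, job] of Object.entries(wf.jobs || {})) {
    // A job-level permissions key replaces the workflow-level one entirely.
    const perms = job.permissions !== undefined ? job.permissions : wf.permissions;
    if (grantsIdTokenWrite(perms)) {
      tokenWrite = true;
      findings.push(`job "${jobName}" requests id-token: write`);
    }
    for (const step of job.steps || []) {
      if (step.run && LOCAL_SCRIPT.test(step.run)) {
        runsLocalScript = true;
        findings.push(`job "${jobName}" runs a repository script: ${step.run}`);
      }
    }
  }
  return { findings, highRisk: anyBranch && tokenWrite && runsLocalScript };
}

// The workflow from the malicious commits, transcribed as an object.
const maliciousWorkflow = {
  name: 'release',
  on: { push: { branches: ['*'] } },
  jobs: {
    release: {
      'runs-on': 'ubuntu-latest',
      permissions: { 'id-token': 'write', contents: 'read' },
      steps: [
        { uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' },
        { uses: 'oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6' },
        { name: 'prepare', run: 'bun run _index.js',
          env: { OIDC_PACKAGES: '@redhat-cloud-services/frontend-components, ...' } },
      ],
    },
  },
};

// Constructed benign workflow: branch-restricted, no token grant.
const benignWorkflow = {
  name: 'ci',
  on: { push: { branches: ['main'] } },
  jobs: { test: { 'runs-on': 'ubuntu-latest', steps: [{ run: 'npm test' }] } },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditWorkflow(maliciousWorkflow), null, 2));
  console.log(JSON.stringify(auditWorkflow(benignWorkflow), null, 2));
}
```

Run this over every workflow file in every repository the organization owns, including non-default branches, since the trigger here was a push to an orphan branch rather than a change to anything on main.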
Attribution
The observed tradecraft is consistent with TTPs associated with TeamPCP's "Mini Shai-Hulud" npm supply chain campaign. However, because TeamPCP publicly released details and code related to the Mini Shai-Hulud operation, other threat actors may be able to replicate or adapt the same techniques. As a result, the similarities observed in this incident should be treated as evidence of TTP overlap rather than definitive attribution to TeamPCP, and the possibility of a copycat actor leveraging publicly available tooling and methodologies cannot be ruled out.
What Steps Should Security Teams Take?
Organizations should immediately investigate developer workstations, CI/CD environments, and repositories for signs of compromise. Teams should audit systems for the affected packages, GitHub Actions, and VSCode extensions, while also reviewing GitHub activity for unauthorized repositories, newly created access tokens, or suspicious workflow executions.
Because the malware targets developer credentials and secrets, organizations should assume potential exposure of GitHub tokens, SSH keys, cloud credentials, and CI/CD secrets, and rotate them accordingly.
Finally, organizations should strengthen software supply chain defenses by implementing dependency allowlisting, SBOM generation, package verification, and improved monitoring of developer and build environments.
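An audit of a single Node.js project for the two concrete signals this advisory gives (a dependency resolved to one of the compromised releases, and an install-time lifecycle script that executes a local file, as the preinstall hook invoking index.js did) can be scripted against the lockfile and manifest. The following is an added example, not Wiz's or Red Hat's code. It assumes a `package-lock.json` with the lockfileVersion 2 or 3 `packages` layout; the lockfile and manifest it runs against are constructed samples, and the `AFFECTED` map holds only a subset of the table at the end of this post, to be extended with the full list.

```javascript
// Added example (not from the advisory): audit an npm project for compromised
// @redhat-cloud-services releases and for install-time hooks. Assumes the
// package-lock.json v2/v3 "packages" layout; samples below are constructed.

// Subset of the affected-package table; extend with the full list.
const AFFECTED = {
  '@redhat-cloud-services/rbac-client': ['9.0.3', '9.0.4', '9.0.6'],
  '@redhat-cloud-services/frontend-components': ['7.7.2', '7.7.3', '7.7.5'],
  '@redhat-cloud-services/chrome': ['2.3.1'],
};

// Lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Interpreter invoking a local script file, e.g. "node index.js".
const LOCAL_SCRIPT = /\b(node|bun)\b[^&|;]*\.[cm]?js\b/;

// Walk the lockfile's "packages" map. Keys look like
// "node_modules/@scope/name" or "node_modules/a/node_modules/@scope/name",
// so nested (deduplicated-away) copies are found as well.
function findAffectedPackages(lockfile, affected = AFFECTED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // root project entry
    const idx = path.lastIndexOf('node_modules/');
    const name = path.slice(idx + 'node_modules/'.length);
    const bad = affected[name];
    if (bad && bad.includes(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Report install-time hooks in a package.json and whether each one executes
// a local script file rather than a plain tool command.
function findInstallHooks(pkgJson) {
  const scripts = pkgJson.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ hook, command: cmd, runsLocalFile: LOCAL_SCRIPT.test(cmd) });
  }
  return findings;
}

function auditProject(lockfile, manifest, affected = AFFECTED) {
  return {
    affected: findAffectedPackages(lockfile, affected),
    hooks: findInstallHooks(manifest),
  };
}

// Constructed sample lockfile: one direct hit, one clean version, one nested hit.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/rbac-client': { version: '9.0.4' },
    'node_modules/@redhat-cloud-services/frontend-components': { version: '7.7.4' },
    'node_modules/some-lib/node_modules/@redhat-cloud-services/chrome': { version: '2.3.1' },
  },
};

// Constructed sample manifest with the hook pattern described in the advisory.
const sampleManifest = {
  name: 'demo-package',
  scripts: { preinstall: 'node index.js', test: 'jest' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditProject(sampleLock, sampleManifest), null, 2));
}
```

To run it against a real checkout, replace the two samples with `JSON.parse(fs.readFileSync('package-lock.json'))` and the same for `package.json`; for third-party packages, apply `findInstallHooks` to each `node_modules/*/package.json` rather than only the root manifest, since that is where the compromised releases carried their hook.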
How Can Wiz Help?
Wiz customers can use the pre-built queries and advisory in the Wiz Threat Intel Center to search for relevant instances in their environment. Wiz Research will continue to update that advisory as the situation develops.
Indicators of Compromise
Attacker-created repository description:
Miasma: The Spreading Blight
User-agent used for GCP querying:
google-api-nodejs-client/7.0.0 gl-node/20.11.0 gccl/7.0.0
Affected Packages
| Package | Compromised Version |
|---|---|
| @redhat-cloud-services/topological-inventory-client | = 3.0.10 || = 3.0.11 || = 3.0.13 |
| @redhat-cloud-services/compliance-client | = 4.0.3 || = 4.0.4 || = 4.0.6 |
| @redhat-cloud-services/rbac-client | = 9.0.3 || = 9.0.4 || = 9.0.6 |
| @redhat-cloud-services/insights-client | = 4.0.4 || = 4.0.5 || = 4.0.7 |
| @redhat-cloud-services/frontend-components | = 7.7.2 || = 7.7.3 || = 7.7.5 |
| @redhat-cloud-services/frontend-components-utilities | = 7.4.1 || = 7.4.2 || = 7.4.4 |
| @redhat-cloud-services/remediations-client | = 4.0.4 || = 4.0.5 || = 4.0.7 |
| @redhat-cloud-services/frontend-components-notifications | = 6.9.2 || = 6.9.3 || = 6.9.5 |
| @redhat-cloud-services/patch-client | = 4.0.4 || = 4.0.5 || = 4.0.6 |
| @redhat-cloud-services/host-inventory-client | = 5.0.3 || = 5.0.4 || = 5.0.6 |
| @redhat-cloud-services/rule-components | = 4.7.2 || = 4.7.3 || = 4.7.5 |
| @redhat-cloud-services/frontend-components-advisor-components | = 3.8.2 || = 3.8.3 || = 3.8.5 |
| @redhat-cloud-services/notifications-client | = 6.1.4 || = 6.1.5 || = 6.1.7 |
| @redhat-cloud-services/sources-client | = 3.0.10 || = 3.0.11 || = 3.0.13 |
| @redhat-cloud-services/integrations-client | = 6.0.4 || = 6.0.5 || = 6.0.7 |
| @redhat-cloud-services/frontend-components-config | = 6.11.3 || = 6.11.4 || = 6.11.6 |
| @redhat-cloud-services/frontend-components-config-utilities | = 4.11.2 || = 4.11.3 || = 4.11.5 |
| @redhat-cloud-services/hcc-pf-mcp | = 0.6.1 || = 0.6.2 || = 0.6.4 |
| @redhat-cloud-services/frontend-components-remediations | = 4.9.2 || = 4.9.3 || = 4.9.5 |
| @redhat-cloud-services/eslint-config-redhat-cloud-services | = 3.2.1 || = 3.2.2 || = 3.2.4 |
| @redhat-cloud-services/javascript-clients-shared | = 2.0.8 || = 2.0.9 || = 2.0.11 |
| @redhat-cloud-services/quickstarts-client | = 4.0.11 || = 4.0.12 || = 4.0.14 |
| @redhat-cloud-services/config-manager-client | = 5.0.4 || = 5.0.5 || = 5.0.7 |
| @redhat-cloud-services/hcc-feo-mcp | = 0.3.1 || = 0.3.2 || = 0.3.4 |
| @redhat-cloud-services/entitlements-client | = 4.0.11 || = 4.0.12 || = 4.0.14 |
| @redhat-cloud-services/tsc-transform-imports | = 1.2.2 || = 1.2.3 || = 1.2.5 |
| @redhat-cloud-services/hcc-kessel-mcp | = 0.3.1 || = 0.3.2 || = 0.3.4 |
| @redhat-cloud-services/frontend-components-testing | = 1.2.1 || = 1.2.2 || = 1.2.4 |
| @redhat-cloud-services/types | = 3.6.1 || = 3.6.2 || = 3.6.4 |
| @redhat-cloud-services/chrome | 2.3.1 |
| @redhat-cloud-services/frontend-components-translations | 4.4.1 |
| @redhat-cloud-services/vulnerabilities-client | 2.1.8 |