Miasma Attack Poisons 32 Red Hat npm Packages
Key insights
- At least 32 @redhat-cloud-services npm packages were backdoored via a compromised Red Hat employee GitHub account, reaching ~80,000 weekly downloads.
- The attacker used GitHub Actions OIDC to generate valid SLSA provenance attestations, making tampered packages appear as formally verified releases.
- The Miasma payload appears derived from TeamPCP's open-sourced Mini Shai-Hulud worm and added new GCP and Azure cloud identity collectors.
Why this matters
The SLSA provenance bypass is the critical architectural finding: when an attacker controls the publishing identity, formally signed provenance becomes a mechanism for legitimizing malicious code rather than detecting it. Any organization with @redhat-cloud-services packages in CI/CD pipelines on June 1, 2026 should treat developer workstations and cloud credentials as compromised. The open-sourcing of TeamPCP's Mini Shai-Hulud malware toolkit has now produced a cloud-identity-targeting variant in the wild, demonstrating that public malware infrastructure materially accelerates attacker capability.
Summary
Wiz Research on June 1, 2026 found at least 32 @redhat-cloud-services npm packages backdoored with ~80,000 combined weekly downloads.
A compromised Red Hat employee GitHub account pushed malicious commits in two waves to three RedHatInsights repositories. GitHub Actions OIDC tokens let the attacker publish packages carrying valid SLSA provenance attestations, making poisoned releases appear formally verified.
Wiz Research and Red Hat traced the payload to TeamPCP's Mini Shai-Hulud worm, rebranded 'Miasma' and extended with new GCP and Azure cloud credential collectors.
- SLSA attestations covered the tampered releases, defeating standard provenance checks.
- Preinstall scripts run obfuscated, ROT-decoded JavaScript through eval() at install time.
When the publishing identity is compromised, SLSA provenance becomes a trust vector, not a defense.
Potential risks and opportunities
Risks
- Organizations that ran npm install against @redhat-cloud-services packages on June 1, 2026 face GCP and Azure credential exposure with no disclosed remediation timeline from Red Hat.
- Valid SLSA provenance attestations on the tampered releases mean automated security gates at downstream firms likely passed the compromised packages without alerting.
- The open-sourced Mini Shai-Hulud codebase lowers the barrier for follow-on variants -- other high-download npm namespace maintainers are now demonstrably targetable via the same OIDC publishing attack pattern.
Opportunities
- Supply chain security vendors offering anomalous publish detection and OIDC scope auditing gain direct sales leverage -- this incident proves provenance attestations alone cannot be trusted when the upstream account is compromised.
- GitHub and npm have a clear engineering case to build publish-time controls that validate OIDC token scope against expected repository state, rather than treating attestation existence as sufficient trust.
- Enterprises can now make a concrete ROI argument for dependency allowlisting and continuous package integrity monitoring, two controls that would have flagged the unexpected npm publishes on June 1.
What we don't know yet
- How the Red Hat employee GitHub account was initially compromised -- whether phishing, credential stuffing, or OAuth app abuse -- is not disclosed in the June 1 report.
- Which credential types beyond GCP and Azure were harvested by the Miasma variant -- the article notes new cloud identity collectors were added but does not enumerate all targeted credential stores.
- No count of downstream organizations or infected developer environments has been disclosed, leaving the actual blast radius of the June 1 incident unknown.
Originally reported by wiz.io
Original headline: Miasma: Supply Chain Attack Compromises 32 RedHat npm Packages via GitHub Actions OIDC, Harvests Cloud Credentials