Miasma
Miasma is a credential-stealing, self-propagating npm supply-chain worm and a variant or descendant of the open-sourced Mini Shai-Hulud malware framework. It was observed in June 2026 in compromises of the @redhat-cloud-services npm namespace, where at least 32 packages and 96 malicious versions were published, and in a subsequent broader npm campaign affecting additional packages (vendor counts for that wider wave differ, which is why the package and version figures quoted below do not all agree). Reports describe two delivery paths: earlier versions ran a malicious npm preinstall hook, while later reporting describes abuse of binding.gyp, whose gyp command-expansion syntax is evaluated by node-gyp during npm install, so the trojanized package needs no lifecycle script in package.json at all. In the Red Hat incident, evidence indicated a compromised Red Hat employee GitHub account was used to push orphan commits and malicious GitHub Actions workflows that abused GitHub OIDC trusted publishing to publish the trojanized packages. Because the attestations were minted by the legitimate workflow, the packages carried SLSA provenance that verified correctly; provenance proves which repository and workflow built an artifact, not that the source was benign. The malware self-identified with the marker "Miasma: The Spreading Blight."
Miasma is heavily obfuscated and multi-stage. Reports describe obfuscated JavaScript droppers of roughly 4.2-4.5 MB that layered ROT-based decoding, eval, AES-128-GCM, and additional custom string or cipher layers. The dropper downloaded the Bun runtime and executed later stages through it, producing a node-to-shell-to-bun process chain intended to slip past monitoring that only watches Node. Some reporting states each infection generated a uniquely encrypted payload, which limits hash-based IOCs to the specific sample analyzed; detection should key on the delivery mechanism (install hooks and binding.gyp command expansion) and on runtime behaviour instead. Setting ignore-scripts=true in .npmrc, or running npm ci --ignore-scripts in CI, suppresses lifecycle scripts including the implicit node-gyp rebuild that npm runs for a package shipping binding.gyp, at the cost of breaking packages that genuinely need a native build.
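The following is an added example, not code from any vendor report or from the malware itself: a static triage script for an unpacked npm package that checks the two delivery paths described above (install-time lifecycle hooks in package.json and gyp command expansion in binding.gyp), notes when npm would run node-gyp implicitly, and applies size, eval and escape-density heuristics for a bloated obfuscated loader. The two sample packages at the bottom are constructed for illustration; the thresholds (1 MB, 1% escape density, 10,000-character lines) are assumptions to tune against your own dependency tree.

```javascript
// Added example (not from any vendor report): static triage of an unpacked npm
// package for Miasma-style delivery paths. Sample packages below are constructed.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// gyp evaluates <!(cmd) (string) and <!@(cmd) (list) while generating the build,
// i.e. during `npm install` whenever node-gyp runs.
const GYP_COMMAND_EXPANSION = /<!@?\(/;
// Hook commands that fetch or launch code beyond a plain build step.
const SUSPICIOUS_HOOK = /\b(curl|wget|bun|sh|bash)\b|\bnode\s+\S+\.js\b|\beval\b/;
const ESCAPE_RE = /\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g;

function scanLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({
      kind: 'lifecycle-script', hook, cmd: scripts[hook],
      suspicious: SUSPICIOUS_HOOK.test(scripts[hook]),
    }));
}

function scanBindingGyp(text) {
  return text.split('\n').flatMap((line, i) =>
    GYP_COMMAND_EXPANSION.test(line)
      ? [{ kind: 'gyp-command-expansion', line: i + 1, text: line.trim() }]
      : []);
}

// Loader heuristics: size, dynamic evaluation, escape density, single huge line.
function scanLoader(file, source) {
  const findings = [];
  const bytes = Buffer.byteLength(source, 'utf8');
  if (bytes > 1024 * 1024) findings.push({ kind: 'oversized', file, bytes });
  if (/\beval\s*\(|\bnew\s+Function\s*\(/.test(source)) findings.push({ kind: 'dynamic-eval', file });
  const escapes = (source.match(ESCAPE_RE) || []).length;
  if (source.length && escapes / source.length > 0.01) findings.push({ kind: 'escaped-strings', file, escapes });
  const longest = source.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  if (longest > 10000) findings.push({ kind: 'long-line', file, longest });
  return findings;
}

function scanPackage({ packageJson, bindingGyp, files = {} }) {
  const findings = scanLifecycleScripts(packageJson);
  const scripts = (packageJson && packageJson.scripts) || {};
  if (typeof bindingGyp === 'string') {
    // npm defaults `install` to `node-gyp rebuild` when binding.gyp exists and no
    // install/preinstall script is declared, so the gyp file alone is a trigger.
    if (!scripts.install && !scripts.preinstall) findings.push({ kind: 'implicit-node-gyp' });
    findings.push(...scanBindingGyp(bindingGyp));
  }
  for (const [file, source] of Object.entries(files)) {
    if (file.endsWith('.js')) findings.push(...scanLoader(file, source));
  }
  return findings;
}

function riskLevel(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  const hookRuns = findings.some((f) => f.kind === 'lifecycle-script' && f.suspicious);
  if (kinds.has('gyp-command-expansion') || hookRuns) return 'high';
  if (kinds.has('oversized') && kinds.has('dynamic-eval')) return 'high';
  return findings.length ? 'review' : 'clean';
}

// Read a package directory into the shape scanPackage expects (Node only).
function loadPackageDir(dir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const read = (f) => (fs.existsSync(path.join(dir, f)) ? fs.readFileSync(path.join(dir, f), 'utf8') : undefined);
  const files = {};
  for (const f of fs.readdirSync(dir)) if (f.endsWith('.js')) files[f] = read(f);
  return { packageJson: JSON.parse(read('package.json') || '{}'), bindingGyp: read('binding.gyp'), files };
}

// Constructed samples (not real malware): a gyp-triggered loader and a clean addon.
const SAMPLE_MALICIOUS = {
  packageJson: { name: 'example-addon', version: '1.0.0', scripts: { test: 'node test.js' } },
  bindingGyp: [
    '{ "targets": [ { "target_name": "addon",',
    '  "sources": [ "<!(sh -c \'node ./index.js >/dev/null 2>&1; echo src/addon.cc\')" ] } ] }',
  ].join('\n'),
  files: { 'index.js': 'eval("\\x4d");'.repeat(100000) }, // ~1.4 MB on a single line
};
const SAMPLE_BENIGN = {
  packageJson: { name: 'clean-addon', version: '2.0.0', scripts: { install: 'node-gyp rebuild' } },
  bindingGyp: '{ "targets": [ { "target_name": "addon", "sources": [ "src/addon.cc" ] } ] }',
  files: { 'index.js': "module.exports = require('./build/Release/addon.node');\n" },
};

if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2] ? loadPackageDir(process.argv[2]) : SAMPLE_MALICIOUS;
  const findings = scanPackage(target);
  console.log(JSON.stringify({ risk: riskLevel(findings), findings }, null, 2));
}
```

Run it as `node scan.js node_modules/some-package` against each dependency after `npm ci --ignore-scripts`, before allowing scripts to execute. A finding of kind implicit-node-gyp is informational on its own (many legitimate native addons rely on it); it is the combination with gyp-command-expansion that marks the binding.gyp path described in the reporting.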
Its primary purpose is credential and secret theft rather than disruption. Across the reporting, Miasma targeted GitHub and GitHub Actions tokens and secrets, npm tokens, AWS, GCP, and Azure credentials, HashiCorp Vault tokens, Kubernetes configuration and tokens, CircleCI and other CI/CD secrets, SSH keys, Docker credentials, GPG keys, .env contents, browser or wallet data, and local developer secrets such as ~/.npmrc, ~/.docker/config.json, ~/.kube/config, and ~/.ssh. Multiple sources state it scraped GitHub Actions runner memory on Linux to recover masked secrets. Note that GitHub Actions masks secrets only in log output; code running inside a job still sees them in plaintext in its environment and, as reported here, in the memory of the Runner.Worker process, so masking offers no protection against a malicious dependency. Some reporting notes attempts at privilege escalation via a passwordless sudo rule and defense evasion such as /etc/hosts modification. Linux-based developer and CI/CD environments appear to have been the primary target.
Miasma also retains worm-like propagation behavior from Mini Shai-Hulud. It used stolen npm tokens, including tokens whose bypass_2fa flag lets them publish without a one-time code, to enumerate every package the victim could publish and republish those packages with the malicious payload. Reporting also states it could inject malicious workflow files or setup scripts into accessible GitHub repositories, turning each repository the stolen credentials can write to into a further distribution point, and that it created repositories bearing the description "Miasma: The Spreading Blight." Some analyses additionally reported persistence or backdoor mechanisms involving Claude Code, Cursor, Gemini, and VS Code configuration files.
Attribution remains uncertain. Multiple sources link the malware lineage and tradecraft to TeamPCP's Mini Shai-Hulud tooling, but also explicitly note that the framework was publicly released, enabling copycat actors. High-confidence indicators mentioned in the reporting include the campaign marker "Miasma: The Spreading Blight," GitHub repositories created with that description, attacker-controlled GitHub infrastructure including github.com/liuende501 in one campaign, Bun download URLs for bun-v1.3.13, the decoy token string "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner," and, in one report, the fake User-Agent "python-requests/2.31.0". All of these are attacker-chosen strings that a copycat can change at no cost, so treat a match as high confidence but a miss as no evidence of absence.
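The following is an added example, not code from any vendor report: hunting rules for the host-level behaviour described in the three paragraphs above (the node-to-shell-to-bun chain, the Bun runtime download, IMDS access and GitHub Contents API uploads from inside a package install, the passwordless sudo rule, /etc/hosts modification, the spoofed User-Agent and the decoy token), run over a constructed stream of GitHub Actions runner telemetry. The event schema, the exact Bun release URL and the sudoers path in the sample data are assumptions; only the marker strings come from the reporting.

```javascript
// Added example (not from any vendor report): behavioural hunting over constructed
// runner telemetry. Event fields (type, pid, ppid, comm, cmdline, dst, url, ua,
// path, data) are assumptions about your own EDR/auditd export.

const PACKAGE_MANAGERS = new Set(['npm', 'npx', 'yarn', 'pnpm']);
const IMDS = '169.254.169.254';
const DECOY_TOKEN = 'IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner';
const SPOOFED_UA = 'python-requests/2.31.0';
const BUN_RELEASE = /bun-v\d+\.\d+\.\d+/; // reporting names bun-v1.3.13 specifically

function processTable(events) {
  const procs = new Map();
  for (const e of events) if (e.type === 'proc') procs.set(e.pid, e);
  return procs;
}

// Process chain from the root down to pid, e.g. "npm -> sh -> node -> sh -> bun".
function chain(procs, pid) {
  const comms = [];
  for (let p = procs.get(pid); p; p = procs.get(p.ppid)) comms.push(p.comm);
  return comms.reverse();
}

const underPackageInstall = (procs, pid) =>
  chain(procs, pid).some((c) => PACKAGE_MANAGERS.has(c));

function hunt(events) {
  const procs = processTable(events);
  const findings = [];
  const flag = (rule, e, extra = {}) =>
    findings.push({ rule, ts: e.ts, pid: e.pid, chain: chain(procs, e.pid).join(' -> '), ...extra });
  for (const e of events) {
    const inInstall = underPackageInstall(procs, e.pid);
    const proc = procs.get(e.pid);
    if (JSON.stringify(e).includes(DECOY_TOKEN)) flag('decoy-token-string', e);
    if (e.type === 'proc') {
      if (e.comm === 'bun' && inInstall) flag('bun-under-package-install', e);
      if (/NOPASSWD/.test(e.cmdline || '')) flag('sudoers-rule-written', e, { cmdline: e.cmdline });
    } else if (e.type === 'net') {
      const url = e.url || '';
      if (inInstall && BUN_RELEASE.test(url)) flag('bun-runtime-download', e, { url });
      // Cloud agents query IMDS legitimately; only flag it beneath a package install.
      if (inInstall && e.dst === IMDS) flag('imds-from-package-install', e, { url });
      if (inInstall && e.dst === 'api.github.com' && e.method === 'PUT' && url.includes('/contents/')) {
        flag('github-contents-api-upload', e, { url });
      }
      if (e.ua === SPOOFED_UA && proc && !/python/.test(proc.comm)) flag('spoofed-user-agent', e, { comm: proc.comm });
    } else if (e.type === 'file' && e.op === 'write') {
      if (e.path.startsWith('/etc/sudoers') || /NOPASSWD/.test(e.data || '')) flag('sudoers-rule-written', e, { path: e.path });
      if (e.path === '/etc/hosts' && inInstall) flag('hosts-file-modified', e);
    }
  }
  return findings;
}

// Constructed telemetry: one infected `npm ci` step plus a benign cloud agent.
const SAMPLE_EVENTS = [
  { type: 'proc', ts: 0, pid: 50, ppid: 1, comm: 'amazon-ssm-agen', cmdline: '/usr/bin/amazon-ssm-agent' },
  { type: 'net', ts: 1, pid: 50, dst: IMDS, url: 'http://169.254.169.254/latest/meta-data/', method: 'GET', ua: 'Go-http-client/1.1' },
  { type: 'proc', ts: 1, pid: 100, ppid: 1, comm: 'Runner.Worker', cmdline: 'Runner.Worker spawnclient 1 2' },
  { type: 'proc', ts: 2, pid: 101, ppid: 100, comm: 'bash', cmdline: 'bash -e /tmp/step.sh' },
  { type: 'proc', ts: 3, pid: 102, ppid: 101, comm: 'npm', cmdline: 'npm ci' },
  { type: 'proc', ts: 4, pid: 103, ppid: 102, comm: 'sh', cmdline: 'sh -c node index.js' },
  { type: 'proc', ts: 5, pid: 104, ppid: 103, comm: 'node', cmdline: 'node index.js' },
  { type: 'net', ts: 6, pid: 104, dst: 'github.com', url: 'https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-linux-x64.zip', method: 'GET', ua: 'node' },
  { type: 'proc', ts: 6, pid: 105, ppid: 104, comm: 'sh', cmdline: 'sh -c /tmp/bun/bun /tmp/stage2.js' },
  { type: 'proc', ts: 7, pid: 106, ppid: 105, comm: 'bun', cmdline: '/tmp/bun/bun /tmp/stage2.js' },
  { type: 'net', ts: 8, pid: 106, dst: IMDS, url: 'http://169.254.169.254/latest/api/token', method: 'PUT', ua: SPOOFED_UA },
  { type: 'file', ts: 9, pid: 106, op: 'write', path: '/etc/sudoers.d/runner', data: 'runner ALL=(ALL) NOPASSWD:ALL' },
  { type: 'file', ts: 10, pid: 106, op: 'write', path: '/etc/hosts' },
  { type: 'net', ts: 11, pid: 106, dst: 'api.github.com', url: 'https://api.github.com/repos/victim/Miasma/contents/results/1700000000-1.json', method: 'PUT', ua: SPOOFED_UA },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(hunt(SAMPLE_EVENTS), null, 2));
}
```

The key design point is the ancestry check: IMDS queries, GitHub API writes and even Bun itself are ordinary on a runner, so every rule except the sudoers and decoy-token ones is gated on the process sitting beneath npm, yarn or pnpm. That is also why the benign amazon-ssm-agent IMDS query in the sample is not flagged while the same endpoint queried by the bun process is.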
Groups observed using it
1 distinct threat actor attributed by public researchers.
What is Miasma?
Analysis of the compromised package versions identified a common malicious payload introduced across multiple affected releases... The payload appears to be derived from the (Mini) Shai-Hulud malware open-sourced by TeamPCP... This variant creates repositories containing the description Miasma: The Spreading Blight.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
5 techniques
Use stolen maintainer credentials to create and publish malicious package artifacts.
The executed code scans for and attempts to exfiltrate the following: AWS, GCP, and Azure cloud credentials
Shai-Hulud has re-emerged in a campaign with 281 malicious package versions across the npm ecosystem. This latest wave is part of the campaign dubbed “Miasma: The Spreading Blight” and abuses trust in open source packages to spread through software supply chains.
The attack compromised 57 npm packages across more than 286 malicious versions on June 3, 2026.
... allowing attackers to publish trojanized packages through the legitimate GitHub Actions OpenID Connect (OIDC) publishing workflow. As a result, the malicious packages carried authentic provenance signatures.
Execution
5 techniques
Instead of hiding inside package.json scripts, the attacker weaponized a tiny configuration file called binding.gyp to trigger malicious code the moment a developer runs npm install.
each compromised package added a preinstall script that ran a bloated, heavily obfuscated index.js loader, which then pulled down and executed a payload
The infection begins automatically during npm install, where the malicious preinstall hook executes node index.js without requiring user interaction.
Persistence
4 techniques
The attack begins in package.json , where a weaponized preinstall hook automatically executes during npm install, allowing the malware to run through both direct and transitive dependency installation.
Privilege Escalation
5 techniques
Privilege escalation : It installs a passwordless sudo rule to obtain elevated privileges and maintain deeper system control.
echo 'runner ALL=(ALL) NOPASSWD:ALL' > /mnt/runner ... sudo -n true
Stealth
6 techniques
The payload is buried under four layers of obfuscation including a ROT cipher, AES-128-GCM encryption, and a runtime-switching trick that downloads the Bun JavaScript runtime in under one second to execute the final stage outside of Node.js.
The attacker embedded a shell command using gyp’s own command substitution syntax, silently launching a malicious payload while returning a fake source filename so the build shows no errors.
Defense Impairment
1 technique
Credential Access
5 techniques
The executed code scans for and attempts to exfiltrate the following: GitHub Actions secrets and access tokens ... npm and CircleCI tokens, plus other CI/CD secrets
API endpoint: http://169.254.169.254/latest/api/token (AWS IMDSv2 token endpoint targeted for cloud credential harvesting)
API endpoint: http://169.254.169.254/metadata/identity (Azure IMDS endpoint targeted for cloud credential harvesting)
Once active, the malware operates as a comprehensive credential harvester purpose-built for CI/CD environments, targeting AWS keys, GCP credentials, Azure tokens, HashiCorp Vault tokens, GitHub Actions secrets, and 1Password vaults.
The malware also attempted to propagate by compromising additional maintainer packages... republished poisoned packages with forged Supply-chain Levels for Software Artifacts (SLSA) provenance to continue downstream propagation.
It uses stolen npm tokens to enumerate every package a compromised maintainer owns, inject the binding.gyp payload into each one, and republish with forged SLSA provenance and Sigstore signing.
Discovery
3 techniques
The payload locates the GitHub Actions Runner.Worker PID using /proc scanning
One of the main changes in this new variant is the addition of new data collectors focused on cloud identities. Specifically, collectors for GCP and Azure identities were added that collect all identities the infected machine has access to.
Validate stolen credentials and enumerate accessible repositories, services, and permission levels.
Lateral Movement
1 technique
The malware republishes packages owned by the compromised maintainer using forged provenance metadata, effectively allowing the threat to spread like a worm across trusted package ecosystems.
Command and Control
1 technique
The payload is buried under four layers of obfuscation including a ROT cipher, AES-128-GCM encryption, and a runtime-switching trick that downloads the Bun JavaScript runtime in under one second to execute the final stage outside of Node.js.
Exfiltration
3 techniques
Collect system, user, developer configuration, and CI/CD environment data. Search for GitHub access tokens, package registry authentication tokens, and cloud-related secrets.
Stolen credentials are encrypted and uploaded to programmatically created repositories under the attacker-controlled GitHub account liuende501.
Channel A (victim-owned repo drop): Creates a public repo in the victim's GitHub account ("Miasma: The Spreading Blight") and commits stolen credential JSON to results/<timestamp>-<counter>.json.
Impact
1 technique
If the malware detects interaction with a planted decoy token, it triggers a destructive fail-safe command (rm -rf ~/) intended to wipe the victim's home directory.
Other
1 technique
IOCs tracked for this family
32 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
A self-replicating npm supply-chain worm that executes during npm install via a malicious binding.gyp trigger. It steals CI/CD and cloud credentials, exfiltrates them to attacker-controlled GitHub repositories, uses stolen npm tokens to republish additional packages, forges supply-chain provenance/signing metadata, and injects backdoor configuration files into AI coding assistants.
A variant of Mini Shai-Hulud that uses a malicious npm preinstall hook and multistage loader to exfiltrate secrets from GitHub, cloud, SSH, Kubernetes, Vault, npm, and CI/CD environments, while self-propagating by republishing packages the victim can publish.
A credential-stealing, self-propagating npm supply-chain worm delivered via malicious preinstall hooks. It uses multi-layer obfuscation, decrypts embedded payloads executed via Bun, steals credentials from cloud/dev environments and GitHub Actions runner memory, exfiltrates data over HTTPS and the GitHub Contents API, and republishes malicious packages using stolen npm tokens with bypass_2fa enabled.
Credential-stealing malware delivered via compromised npm packages in Red Hat's @redhat-cloud-services namespace. It targets Linux-based developer and CI/CD environments by searching for SSH keys, registry credentials, cloud credentials, Kubernetes configs, and CI/CD secrets.