On June 1, 2026, 32 packages under Red Hat's official @redhat-cloud-services npm namespace published new versions without Red Hat's knowledge. Each one carried a preinstall hook that executed before a single line of application code ran. By the time the incident was contained, the worm had mutated twice, jumped to PyPI, compromised 73 Microsoft GitHub repositories, and been spotted inside the configuration files for AI coding assistants including Claude Code, GitHub Copilot, and Gemini CLI.
The worm is called Miasma. It is still active.
Background
Miasma is derived from Mini Shai-Hulud, a supply chain attack toolkit that a threat group called TeamPCP open-sourced in May 2026 — publishing a working worm framework for anyone to adapt and operate. The Miasma operators extended it with a polymorphic payload engine, a GitHub-native C2 channel, AI coding tool hooks, and a dead man's switch. Supply chain attack tooling now follows the same open-source evolution model as defensive security tooling.
The five waves
Wave 1 (June 1 — Red Hat npm, 32 packages). A Red Hat developer's npm OIDC token was compromised. The worm republished backdoored versions across 32 packages; each preinstall script harvested credentials, then used the victim's own npm token to propagate to the next project in their access scope.
Wave 2 (June 3 — Phantom Gyp, 57 packages). Instead of preinstall, the second wave hid execution inside a malicious binding.gyp file — 157 bytes that triggered a node-gyp native build and downloaded an alternate Bun runtime to execute the credential stealer. This bypassed tooling that audited lifecycle scripts.
Wave 3 (June 5 — Microsoft GitHub, 73 repositories). The worm injected SessionStart hooks into the configuration files of 13 AI coding tools. Opening an infected repository in Claude Code, Gemini CLI, Cursor, or VS Code triggered the payload without running any explicit install command.
Wave 4 (June 7 — PyPI, Hades variant, 37 packages). Hades used Python .pth startup hooks — code that runs on every Python interpreter start, not just at install time. A compromised package installed once would execute its payload every time any Python script ran on the machine.
Wave 5 (June 24 — Leo Platform, 20+ packages). The czirker npm account was compromised and used to publish backdoored versions of 20+ packages in three seconds — automated publishing tooling on stolen credentials.
How Miasma works
Delivery hook: All vectors execute with the privileges of the developer's session: access to ~/.aws/credentials, .env files, SSH keys, and every cached token. The preinstall/postinstall scripts run automatically during npm install. The AI tool SessionStart hooks fire when a developer opens a repository. Most developers treat both as background noise.
Polymorphic payload: The credential stealer targets over 30 credential paths — AWS, Azure, GCP, GitHub PATs, npm and PyPI publish tokens, Kubernetes service account tokens, CI/CD platform tokens. Every infection produces a uniquely encrypted payload with a fresh AES-GCM key. No stable file hashes means signature-based endpoint detection is useless.
Worm propagator: After credential harvest, the worm enumerates every npm organization and GitHub repository the victim's tokens can access, republishes backdoored versions of every accessible package, and pushes infected commits to every accessible repository — automatically, within seconds. One compromised developer account seeds dozens of downstream projects.
The dead man's switch
After establishing persistence, the worm plants a honeytoken labeled "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner." If that token is revoked — the correct first response to any credential compromise — the worm executes rm -rf ~/; rm -rf ~/Documents.
This is deliberate deterrence. The correct response is to revoke all credentials anyway and rebuild from backup. Plan for it before you need to execute it.
Command and control: GitHub itself
Miasma uses the GitHub Contents API to receive commands and exfiltrate data, rotating across 16 attacker-controlled GitHub accounts per session. Credential data is written to build artifacts in compromised GitHub Actions workflows. The traffic is indistinguishable from normal GitHub CLI usage. There are no external C2 domains to block.
What to do right now
If your organization uses npm, PyPI, or AI coding assistants and developers have installed packages from affected namespaces since June 1, treat the following as mandatory:
Revoke and rotate all credentials first — npm publish tokens, GitHub PATs, AWS/Azure/GCP service account keys, CI/CD platform tokens, SSH keys, and anything in shell history or .env files. Accept the dead man's switch risk and have a backup restoration plan ready.
Audit .git/hooks and CI workflows. Any entry that did not exist before June 1 is a compromise indicator.
Block install scripts where possible. Add ignore-scripts=true to .npmrc. For projects requiring native builds, treat unexpected node-gyp rebuild steps as security events.
Check Python .pth files. Run python -c "import site; print(site.getsitepackages())" and inspect those directories for unexpected entries.
Review AI coding tool configurations. Audit SessionStart hook files for Claude Code (~/.claude/CLAUDE.md and local .claude/ directories), VS Code workspace settings, and Cursor/Gemini CLI settings for any entries you did not put there.
Rebuild affected developer machines. The worm's persistence mechanisms survive credential rotation. A clean reinstall is the only reliable remediation.
Diff your SBOM against known affected packages. The @redhat-cloud-services packages (Wave 1), 57 Wave 2 packages, 37 PyPI wheels (Wave 4), and RStreams packages (Wave 5) are the primary artifacts to check.
The defenses that work are not signature-based: lockfiles and exact pinning (npm ci), install script blocking by default, SBOM-based inventory for rapid impact assessment, and short-lived credentials with a pre-planned rotation procedure. The toolkit is public. The C2 infrastructure is GitHub. The target is every developer's machine.
Lumstep's SCA scanner flags packages from known compromised namespaces and checks your SBOM against the affected version ranges from each Miasma wave. Trust scores surface packages with suspicious post-install scripts or anomalous publish behavior — the signals that precede the next wave before the security community has named it.
Ou laissez Lumstep s'en charger.
Connectez un repo et Lumstep le scanne automatiquement - secrets, dépendances, SBOM et qualité du code - et ouvre la PR de correction.