A new mini Shai-Hulud supply chain attack campaign, codenamed Steamhas compromised the @redhat-cloud-services package to steal credentials and secrets from developer machines and distribute a self-propagating worm.
“This is effectively a mini Shai-Hulud campaign: it uses the same basic tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential downstream propagation,” Sockett said.
Who exactly is behind the attack activity is currently unknown, as TeamPCP, a notorious cybercrime group, has open-sourced the attack tools associated with the Shai-Hulud worm, opening the door for other threat actors to carry out similar attacks and making definitive attribution difficult.
The names of some affected packages are listed below –
- @redhat-cloud-services/vulnerabilities-client
- @redhat-cloud-services/tsc-transform-import
- @redhat-cloud-services/topological-inventory-client
- @redhat-cloud-services/source-client
- @redhat-cloud-services/rules-components
- @redhat-cloud-services/remediations-client
- @redhat-cloud-services/rbac-client
According to analyzes by Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity, and Viz, the npm package contains an obfuscated preinstall hook designed to collect GitHub action secrets, npm tokens, cloud credentials, Kubernetes and vault contents, ssh keys, git credentials, and other sensitive files.
As previously seen in mini Shai-Hulud waves, the malware also includes encrypted exfiltration logic that passes data to “api.anthropic”.[.]com:443/v1/api” and uses GitHub as a fallback mechanism. This indicates attempts by the attacker to steal credentials and weaponize them to further poison the software supply chain.
“This commits the encrypted result envelope via the GitHub API,” Socket said. “The commit message may include: ifYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:<टोकन>“
Another notable step taken by the malware is to avoid execution on Russian-language systems, a pattern also seen in Glassworm supply chain campaigns.
“For npm, the payload calls the OIDC token exchange and Huami endpoints, repackages a tarball (updatetarball, package-updated.tgz), and signs the artifact via SIGSTORE,” SafeDep said. “The stolen credentials are infiltrated into public GitHub repositories created by the attacker, each containing a description of Miasma: The Spreading Blight.”
OX Security noted that the first commit containing the string “Miasma: The Spreading Blight” appeared on May 29, 2026, indicating that either this variant was active by then, or the threat actor began testing at the same time.
For GitHub, the malware enumerates the repositories the token can write to, reads the Action.yml/action.yaml via GraphQL, and performs a workflow via the createCommitOnBranch mutation so that the commit appears as a verified, signed change. Other actions taken by malware are listed below –
- Try escalating privileges by launching a container that bind-mounts the host /etc/sudoers.d and provides passwordless sudo to the CI runner
- Check endpoint protection from CrowdStrike, SentinelOne, Carbon Black and StepSecurity hard-runners before launching malicious actions
- Establish persistence by injecting a SessionStart hook into Anthropic Cloud Code and a Tasks.json with “runOn”: “folderOpen” for Microsoft Visual Studio Code projects to automatically launch the malware during every session.
“One of the main changes in this new variant is the addition of new data collectors focused on cloud detection,” the Viz researchers said. “Specifically, collectors were added for GCP and Azure identities that collect all identities that have access to the infected machine. While previous versions of the malware focused primarily on extracting secrets from these environments, this version suggests an increased focus by the attacker on gaining and leveraging access to the cloud.
Unlike previous versions, the malware has also been found to generate a unique encrypted payload for each infection, making detection and version tracking significantly more challenging.
Evidence shows that the GitHub account of a Red Hat employee compromised of Patient Zero was used to inject payloads into these packages. The compromised account is said to have pushed malicious orphan commits to two RedHatInsights repositories, bypassing code review.
It is recommended to isolate the host that installed the affected versions, remove the malicious versions, rotate exposed credentials, review for any signs of suspicious GitHub or npm activity, audit the environment for persistence artifacts that include changes to configuration files (~/.cloud/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, .github/setup.js), and enforce strong access. Control.
“Because the malware includes background execution and potential developer-tools persistence mechanisms, uninstalling an npm package or removing node_modules should not be considered sufficient cleanup,” Sockett explained.
“For CI/CD systems, suspend affected workflow runs, invalidate build artifacts produced during the exposure window, and review whether any releases, container images, npm packages, or deployment artifacts were created after the malicious package was installed.”
