On 1 June 2026, Wiz Research disclosed a supply-chain compromise of at least 32 package releases published under the @redhat-cloud-services npm namespace — libraries that cumulatively pull around 80,000 downloads a week. Two days later, related Miasma activity spread to unrelated maintainers in a Phantom Gyp wave tracked by StepSecurity. The detail developers should pay attention to is not that another npm namespace was poisoned; it is how. In the Red Hat wave, the attacker did not typosquat a lookalike package or rely on a stolen npm publish token. They took over the publishing pipeline itself and shipped malware that arrived with valid provenance attestations — the very signal teams have been told to trust.
What actually happened
The packages were not impostors; they were the real ones, briefly weaponised. According to Wiz, a Red Hat employee's GitHub account was compromised and used to push malicious orphan commits into two repositories in the RedHatInsights organisation, bypassing code review. Those commits added a minimal GitHub Actions workflow that triggered on a push to any branch, requested a short-lived GitHub OIDC identity token (id-token: write), and used it to publish tampered package versions to npm.
Because the publish happened from inside the legitimate CI pipeline, the malicious releases carried valid SLSA provenance attestations. Provenance is supposed to prove a package was built where and how it claims to have been — and here it truthfully recorded that the artifacts were built in the real repository's pipeline. The attestation was honest; the pipeline was the thing that had been subverted. That is the practical lesson of Miasma: provenance verifies the build path, not the intent of whoever controls it.
The payload itself was install-time code. The first wave used a preinstall script that invoked a heavily obfuscated index.js on npm install; a later wave, flagged by StepSecurity, switched to abusing binding.gyp — a native-addon build file — so that execution happened during installation without the preinstall/postinstall lifecycle hooks that scanners typically watch. StepSecurity calls that variant "Phantom Gyp." Either way, the code ran on the developer's machine or build runner the moment the dependency was installed.
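A check that covers both execution paths described above, written as an added example rather than code from Wiz, StepSecurity or Red Hat. It assumes the caller already has each package's parsed package.json and file listing; the package names and the `auditInstallScripts` helper are hypothetical.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return the install-time execution paths one package exposes.
// `manifest` is the parsed package.json; `files` lists paths relative to the
// package root, for example from listing the unpacked tarball.
function installTimePaths(manifest, files) {
  const found = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string" && scripts[hook].trim() !== "") {
      found.push("script:" + hook);
    }
  }
  // npm defaults the install command to `node-gyp rebuild` when a binding.gyp
  // sits in the package root, so a manifest with no hooks can still build.
  if (files.some((f) => f.replace(/^\.\//, "") === "binding.gyp")) {
    found.push("binding.gyp");
  }
  return found;
}

// Report every package with an install-time path that is not on the allowlist.
function auditInstallScripts(packages, allowlist) {
  const allowed = new Set(allowlist);
  return packages
    .map((p) => ({
      name: p.manifest.name,
      version: p.manifest.version,
      paths: installTimePaths(p.manifest, p.files),
    }))
    .filter((r) => r.paths.length > 0 && !allowed.has(r.name));
}

// Constructed sample data; package names are hypothetical.
const SAMPLE_PACKAGES = [
  { manifest: { name: "example-ui-lib", version: "1.2.3", scripts: { preinstall: "node index.js", test: "jest" } },
    files: ["package.json", "index.js"] },
  { manifest: { name: "example-sdk", version: "4.0.1", scripts: { build: "tsc" } },
    files: ["package.json", "binding.gyp", "dist/index.js"] },
  { manifest: { name: "example-native-addon", version: "2.0.0" },
    files: ["package.json", "binding.gyp", "src/addon.cc"] },
  { manifest: { name: "example-plain", version: "0.9.0", scripts: { test: "jest" } },
    files: ["package.json", "vendor/binding.gyp"] },
];

for (const f of auditInstallScripts(SAMPLE_PACKAGES, ["example-native-addon"])) {
  console.log(`${f.name}@${f.version}: ${f.paths.join(", ")}`);
}
```

A scanner that inspects only the scripts field would pass example-sdk; the root-level binding.gyp is what flags it here.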
Why this strain is worse than its parents
Wiz attributes the tradecraft to the lineage of TeamPCP's "Mini Shai-Hulud" worm — the malware was open-sourced, so this is best read as TTP overlap rather than confirmed authorship, and a copycat cannot be ruled out. The reskinned variant tags the repositories it creates with the description Miasma: The Spreading Blight, swapping the original's Dune references for Greek-mythology themes.
Two changes make it more difficult to defend against than earlier Shai-Hulud variants. First, it added collectors for GCP and Azure identities, signalling a shift from merely scraping secrets toward enumerating and using cloud access directly. Second, it generates a uniquely encrypted payload per infection, so hash-based indicators are useful for only a single package version — a deliberate way to weaken signature-based detection. And like its predecessors it is wormable: it harvests npm tokens and GitHub credentials from each victim to publish the next round. The 3–4 June wave StepSecurity tracked compromised 57 packages across more than 286 malicious versions in under two hours, with the official @vapi-ai/server-sdk (over 408,000 monthly downloads) hit first, followed about an hour later by some 50 packages from another maintainer, including ai-sdk-ollama (over 120,000 monthly downloads).
How bad was the blast radius
Narrower than the headline namespace suggests, in one specific sense. Red Hat's advisory (RHSB-2026-006) confirms the compromised account injected code into its GitHub organisation, but states that "No release of the Hybrid Cloud Console was published during the compromise window," and that its publication process strips installation-time scripts before code is deployed to console.redhat.com. The affected packages are frontend libraries, and Red Hat says they are unrelated to its managed cloud services such as ROSA, OpenShift Dedicated and ARO; based on current findings, it told customers no action was required. Based on Red Hat's current findings, its hosted console and managed cloud services were not the affected surfaces; the clearer exposure sat with downstream developers and CI systems that installed the tampered npm versions directly. Red Hat said engineering removed the compromised versions from npm and that product-security analysis was continuing. Independent counts vary by method: security firm Aikido, cited by Cybersecurity Dive, tallied 96 compromised versions across the 32 packages with accumulated downloads above 116,000, while Palo Alto's Unit 42 situates the episode in the steady escalation of npm worm campaigns since Shai-Hulud first appeared in late 2025.
The dependency hygiene that actually moves the needle
If the attack path is a hijacked pipeline and an install-time script, then the defences that matter are the ones that blunt exactly those two things:
Treat install scripts as hostile by default. Install with --ignore-scripts where your toolchain allows, and maintain an explicit allowlist of the few dependencies that genuinely need build steps. This neutralises both the preinstall and the binding.gyp execution paths.
Add a version cooldown. Don't let CI pull a version published minutes ago. A quarantine window (deny installs of releases younger than, say, 24–72 hours) would have side-stepped the entire two-hour worm wave.
Pin and verify. Commit lockfiles, enforce integrity hashes, and check provenance — but treat provenance as necessary, not sufficient. As Miasma shows, a valid attestation says the build path was real, not that the maintainer authorised it.
Lock down CI identity. The OIDC token was the actual weapon. Scope id-token permissions to the specific jobs that publish, require protected branches and reviewed workflows, and alert on workflow files that appear on unexpected branches.
Assume credential exposure and rotate. Any environment that installed an affected version should rotate npm tokens, GitHub PATs, SSH keys and cloud credentials, and audit for unfamiliar repositories, tokens or workflow runs — the standard Wiz remediation.
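One way to enforce the version cooldown from the list above, as an added example that is not taken from any of the cited vendors. It assumes the resolved versions and each package's registry metadata (whose `time` map records per-version publish timestamps) have already been fetched; the package names, timestamps and the `quarantined` helper are constructed for illustration.

```javascript
const HOUR_MS = 60 * 60 * 1000;

// Decide whether one resolved version is old enough to install.
// `packument` is the registry metadata document for the package.
function checkCooldown(name, version, packument, now, minAgeHours) {
  const published = packument && packument.time && packument.time[version];
  const publishedMs = published ? Date.parse(published) : NaN;
  if (Number.isNaN(publishedMs)) {
    // Fail closed: a missing or unparsable publish time counts as too new.
    return { name, version, allowed: false, reason: "no publish time" };
  }
  const ageHours = (now.getTime() - publishedMs) / HOUR_MS;
  if (ageHours < minAgeHours) {
    // Also catches timestamps in the future (negative age).
    return { name, version, allowed: false,
             reason: "published " + ageHours.toFixed(1) + "h ago" };
  }
  return { name, version, allowed: true, reason: "ok" };
}

// Return the resolved dependencies that must not be installed yet.
function quarantined(resolved, packuments, now, minAgeHours) {
  return resolved
    .map((d) => checkCooldown(d.name, d.version, packuments[d.name], now, minAgeHours))
    .filter((r) => !r.allowed);
}

// Constructed sample data; names and timestamps are hypothetical.
const NOW = new Date("2026-06-04T02:00:00Z");
const RESOLVED = [
  { name: "example-ui-lib", version: "1.2.2" },
  { name: "example-sdk", version: "4.0.1" },
  { name: "example-unknown", version: "0.1.0" },
];
const PACKUMENTS = {
  "example-ui-lib": { time: { "1.2.2": "2026-03-01T10:00:00Z" } },
  "example-sdk": { time: { "4.0.0": "2026-01-15T09:00:00Z", "4.0.1": "2026-06-04T00:30:00Z" } },
  "example-unknown": { time: {} },
};

for (const r of quarantined(RESOLVED, PACKUMENTS, NOW, 72)) {
  console.log(`BLOCK ${r.name}@${r.version}: ${r.reason}`);
}
```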
For teams across the region building AI applications on exactly these kinds of SDKs, the practical point is that "popular and official" is not a safety property; the AI-tooling packages caught in the second wave were popular precisely because they were trusted.
Key Takeaways
The Miasma attack compromised at least 32 @redhat-cloud-services npm packages (~80,000 weekly downloads) on 1 June 2026 by hijacking a maintainer's GitHub account and CI pipeline — not by typosquatting or stealing a publish token.
Malicious versions shipped with valid SLSA provenance because they were built inside the real pipeline; provenance proves the build path, not the publisher's intent.
A 3–4 June wave dubbed Phantom Gyp spread to 57 packages and 286+ versions in under two hours, including popular AI SDKs @vapi-ai/server-sdk and ai-sdk-ollama, using binding.gyp to evade lifecycle-script scanners.
Red Hat's hosted Hybrid Cloud Console and managed services were not affected; the real exposure fell on downstream developers and CI systems that installed the tampered npm versions.
The highest-leverage defences: ignore install scripts by default, add a version cooldown, pin and verify, tightly scope CI OIDC tokens, and rotate credentials after exposure.