On June 1, 2026, we detected that multiple official packages in the @redhat-cloud-services scope on npm had been compromised with a credential-stealing worm. Over 30 packages appear to be affected. The malware closely resembles the Mini Shai-Hulud malware that was recently open-sourced by TeamPCP. Since that tooling was made publicly available, other threat actors now have access to the same techniques and can replicate or adapt them. The compromised versions were published via GitHub Actions OIDC, indicating that the CI/CD pipeline was compromised rather than an npm token. If you have installed any affected package versions since June 1, 2026, treat all CI secrets, cloud credentials, SSH keys, and npm tokens as compromised and rotate them immediately.
Timeline of the Mini Shai-Hulud campaign
- April 22, 2026 - @bitwarden/cli compromised via a poisoned GitHub Actions workflow. The payload self-identifies as "Shai-Hulud: The Third Coming."
- April 29, 2026 - Four SAP npm packages compromised through an npm token leaked via a malicious CircleCI pull request build.
- April 30, 2026 - PyTorch Lightning compromised on PyPI, versions 2.6.2 and 2.6.3.
- May 12, 2026 - Mini Shai-Hulud hits over 160 packages, including Mistral and TanStack.
- May 12, 2026 - TeamPCP publishes the full Shai-Hulud source code to GitHub, alongside posts on BreachForums encouraging others to run their own campaigns.
- May 19, 2026 - Microsoft's DurableTask npm package compromised, caused by a previously compromised GitHub account.
- June 1, 2026 - Over 30 @redhat-cloud-services npm packages compromised with Miasma, a new variant of Mini Shai-Hulud.
Miasma: Is Shai-Hulud back?
The payload embedded across the affected packages has strong resemblances to Mini Shai-Hulud, the supply chain malware open-sourced by TeamPCP. Interestingly, this version calls itself "Miasma" and appears to have replaced the familiar Dune references of Shai-Hulud with Greek mythology.
TeamPCP is a threat actor group that has been running targeted CI/CD supply chain attacks for several months. Their Mini Shai-Hulud malware is a sophisticated credential-stealing worm that spreads by republishing backdoored versions of packages the victim account has access to. We have previously reported on compromises affecting Mistral and TanStack, Microsoft's Durable Task, PyTorch Lightning, Bitwarden CLI, and Intercom, all traced back to the same tooling.
When TeamPCP open-sourced Mini Shai-Hulud, the threat expanded beyond a single actor. Any group can now pick up the framework, adapt it, and deploy it against new targets.
The preinstall script
Each compromised package declares a preinstall script in its package.json that executes node index.js automatically on every npm install, before any application code runs and before the developer has any indication something is wrong.
"scripts": {
  "preinstall": "node index.js"
}
The index.js file is a 4.2 MB payload hidden behind multiple layers of obfuscation.
What it steals
As with previous Mini Shai-Hulud attacks, the payload performs a broad credential sweep across cloud providers, CI/CD environments, and developer tooling. On the CI side it targets GitHub Actions secrets including GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN. For cloud credentials it collects AWS access keys and session tokens, GCP application default credentials and service account key files, and Azure service principal credentials and managed identity tokens. It also sweeps for HashiCorp Vault tokens, Kubernetes service account tokens and kubeconfig files, npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, and any .env files it can find across the filesystem.
How Aikido detects this
If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.
If you are not yet an Aikido user, you can create an account and connect your repos. Our malware coverage is included in the free plan, no credit card required.
For broader coverage across your whole team, Aikido's Device Protection gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed.
For future protection, consider Aikido Safe Chain (open source). Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against Aikido Intel before install.
Indicators of Compromise
If you have installed any of the following package versions, treat all CI secrets, cloud credentials, SSH keys, and npm tokens as compromised and rotate them immediately:
@redhat-cloud-services/chrome 2.3.1
@redhat-cloud-services/compliance-client 4.0.3
@redhat-cloud-services/config-manager-client 5.0.4
@redhat-cloud-services/entitlements-client 4.0.11
@redhat-cloud-services/eslint-config-redhat-cloud-services 3.2.1
@redhat-cloud-services/frontend-components 7.7.2
@redhat-cloud-services/frontend-components-advisor-components 3.8.2
@redhat-cloud-services/frontend-components-config 6.11.3
@redhat-cloud-services/frontend-components-config-utilities 4.11.2
@redhat-cloud-services/frontend-components-notifications 6.9.2
@redhat-cloud-services/frontend-components-remediations 4.9.2
@redhat-cloud-services/frontend-components-testing 1.2.1
@redhat-cloud-services/frontend-components-translations 4.4.1
@redhat-cloud-services/frontend-components-utilities 7.4.1
@redhat-cloud-services/hcc-feo-mcp 0.3.1
@redhat-cloud-services/hcc-kessel-mcp 0.3.1
@redhat-cloud-services/hcc-pf-mcp 0.6.1
@redhat-cloud-services/host-inventory-client 5.0.3
@redhat-cloud-services/insights-client 4.0.4
@redhat-cloud-services/integrations-client 6.0.4
@redhat-cloud-services/javascript-clients-shared 2.0.8
@redhat-cloud-services/notifications-client 6.1.4
@redhat-cloud-services/patch-client 4.0.4
@redhat-cloud-services/quickstarts-client 4.0.11
@redhat-cloud-services/rbac-client 9.0.3
@redhat-cloud-services/remediations-client 4.0.4
@redhat-cloud-services/rule-components 4.7.2
@redhat-cloud-services/sources-client 3.0.10
@redhat-cloud-services/tsc-transform-imports 1.2.2
@redhat-cloud-services/types 3.6.1
@redhat-cloud-services/vulnerabilities-client 2.1.8
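To check a project quickly, match its lockfile against the exact versions above rather than grepping for the scope name, since the non-listed versions of these packages are not affected. The following Node script is an added example, not Aikido's or Red Hat's tooling: it carries the IoC list above, walks either an npm lockfileVersion 1 "dependencies" tree or the lockfileVersion 2/3 "packages" map (so nested copies under another dependency's node_modules are found too), and reports every installed name@version on the list. The two sample lockfiles inside it are constructed.

```javascript
// Added example, not Aikido's or Red Hat's code: match a package-lock.json
// against the exact compromised versions listed in this advisory. Works with
// lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map).

// Name/version pairs copied from the advisory's IoC list.
const IOC_TEXT = `
@redhat-cloud-services/chrome 2.3.1
@redhat-cloud-services/compliance-client 4.0.3
@redhat-cloud-services/config-manager-client 5.0.4
@redhat-cloud-services/entitlements-client 4.0.11
@redhat-cloud-services/eslint-config-redhat-cloud-services 3.2.1
@redhat-cloud-services/frontend-components 7.7.2
@redhat-cloud-services/frontend-components-advisor-components 3.8.2
@redhat-cloud-services/frontend-components-config 6.11.3
@redhat-cloud-services/frontend-components-config-utilities 4.11.2
@redhat-cloud-services/frontend-components-notifications 6.9.2
@redhat-cloud-services/frontend-components-remediations 4.9.2
@redhat-cloud-services/frontend-components-testing 1.2.1
@redhat-cloud-services/frontend-components-translations 4.4.1
@redhat-cloud-services/frontend-components-utilities 7.4.1
@redhat-cloud-services/hcc-feo-mcp 0.3.1
@redhat-cloud-services/hcc-kessel-mcp 0.3.1
@redhat-cloud-services/hcc-pf-mcp 0.6.1
@redhat-cloud-services/host-inventory-client 5.0.3
@redhat-cloud-services/insights-client 4.0.4
@redhat-cloud-services/integrations-client 6.0.4
@redhat-cloud-services/javascript-clients-shared 2.0.8
@redhat-cloud-services/notifications-client 6.1.4
@redhat-cloud-services/patch-client 4.0.4
@redhat-cloud-services/quickstarts-client 4.0.11
@redhat-cloud-services/rbac-client 9.0.3
@redhat-cloud-services/remediations-client 4.0.4
@redhat-cloud-services/rule-components 4.7.2
@redhat-cloud-services/sources-client 3.0.10
@redhat-cloud-services/tsc-transform-imports 1.2.2
@redhat-cloud-services/types 3.6.1
@redhat-cloud-services/vulnerabilities-client 2.1.8
`;
const COMPROMISED = new Set(
  IOC_TEXT.trim().split('\n').map((line) => line.trim().split(/\s+/).join('@'))
);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(p) {
  const idx = p.lastIndexOf('node_modules/');
  return idx === -1 ? p : p.slice(idx + 'node_modules/'.length);
}
// Yield { name, version, path } for every entry of a v1 "dependencies" tree.
function* walkV1(deps, prefix = '') {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { name, version: entry.version, path };
    yield* walkV1(entry.dependencies, `${path}/`);
  }
}
// Yield every installed package regardless of lockfile version.
function* walkLock(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      yield { name: nameFromPath(path), version: entry.version, path };
    }
  } else {
    yield* walkV1(lock.dependencies);
  }
}
// Return the installed packages whose name@version is on the IoC list.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  for (const pkg of walkLock(lock)) {
    if (compromised.has(`${pkg.name}@${pkg.version}`)) hits.push(pkg);
  }
  return hits;
}

// Constructed sample lockfiles (not real projects): a listed version at top
// level, an unlisted version, and a listed version nested under another package.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/types': { version: '3.6.1' },
    'node_modules/@redhat-cloud-services/rbac-client': { version: '9.0.2' },
    'node_modules/some-lib/node_modules/@redhat-cloud-services/chrome': { version: '2.3.1' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: { 'some-lib': { version: '1.0.0',
    dependencies: { '@redhat-cloud-services/patch-client': { version: '4.0.4' } } } },
};

// Usage: node check-lock.js [package-lock.json]; without an argument the samples are used.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  let locks = [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1];
  try { if (file) locks = [JSON.parse(require('fs').readFileSync(file, 'utf8'))]; }
  catch (err) { console.error(`cannot read ${file}: ${err.message}`); process.exit(2); }
  for (const lock of locks) console.log(findCompromised(lock));
}
```

A hit means the version was resolved for this project, not necessarily that the preinstall hook ran on a given machine; treat it as confirmation that the rotation step above applies to every environment that installed from that lockfile, including CI runners and container image builds.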