{"slug": "mini-shai-hulud-miasma-the-spreading-blight-hits-redhat-cloud-services-multiple", "title": "Mini Shai-Hulud \"Miasma: The Spreading Blight\" Hits @redhat-cloud-services: Multiple Packages at Risk", "summary": "On June 1, 2026, an attacker exploited npm's trusted publishing mechanism to compromise 32 @redhat-cloud-services packages across 96 versions, injecting malicious preinstall hooks that execute a Bun-based worm upon npm install. The worm harvests cloud credentials, vault tokens, Kubernetes service account tokens, and other secrets, exfiltrating them to attacker-controlled GitHub repositories while self-propagating through injected CI workflows. The third wave of malicious publishes remains live as the latest versions, meaning any user upgrading to the current patch installs the payload.", "body_md": "# Mini Shai-Hulud \"Miasma: The Spreading Blight\" Hits @redhat-cloud-services: Multiple Packages at Risk\n\n## TL;DR\n\nOn June 1, 2026, an attacker abused npm’s GitHub Actions trusted publishing to ship malicious versions of 32 `@redhat-cloud-services` packages, 96 versions in total, every one carrying valid npm provenance. The root cause is in the provenance itself: npm binds trusted publishing to a repository plus a workflow filename, not to a branch. The attacker pushed short-lived `oidc-<hex>` branches to three RedHatInsights repositories (`javascript-clients`, `frontend-components`, `platform-frontend-ai-toolkit`), and on each branch rewrote the trusted CI workflow into a self-publishing job that ran a Bun worm with `id-token: write`. The worm exchanged the workflow’s OIDC token for npm publish tokens, then for each target repackaged the legitimate tarball with a malicious `preinstall` hook and republished it, provenance and all. 
The publishes came in three waves; the first and second waves were later unpublished, but the third wave is still the live `latest` for every affected package, so upgrading to the latest patch installs the payload.\n\nThe injected `preinstall` runs a 4.3 MB `index.js` that ROT-9 decodes a loader, AES-128-GCM decrypts a 634 KB Bun script, downloads the Bun runtime from GitHub, and executes it. The payload scans for AWS, Azure, GCP, HashiCorp Vault, Kubernetes, npm, GitHub, and password manager secrets, exfiltrates them to attacker-created public GitHub repositories, and self-propagates using the stolen credentials.\n\nThe sample analyzed below is the 4.0.4 version of one of the affected `javascript-clients` packages; the full list of affected packages and versions is in the table at the end of this post.\n\n**Impact:**\n\n- Executes on `npm install` before any other code runs, including in CI\n- Harvests cloud credentials (AWS IMDS, ECS, Secrets Manager, SSM; Azure managed identity; GCP service accounts), Vault tokens, Kubernetes service account tokens, GitHub PATs, npm tokens, and Bitwarden/gopass vaults\n- Exchanges GitHub Actions OIDC tokens for npm publish tokens and signs malicious artifacts via Sigstore\n- Self-propagates by injecting `.github/workflows/codeql.yml` into accessible repositories and republishing tampered npm tarballs\n- Attempts Docker socket container escape and installs AI-agent persistence\n\n**Indicators of Compromise (IoC):**\n\n- Package: the analyzed `@redhat-cloud-services/` package at version 4.0.4\n- Tarball SHA256: `031ba872d5a84bfb18115f432811e4b45180346a1bae653f7fd85f918e7bb3a3`\n- `index.js` SHA256: `df1732f5bfec12e066be44dee02ec8a243e4868d38672c1b1d065359dd735a14`\n- Decrypted payload SHA256: `0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35`\n- Hardcoded AES-128-GCM keys: `fe0d71d57ecf4fa0a433185bf59a03f5`, `f5e5dca9b725ec18514c4b322ed35d2b`\n- Bun 
download: `github.com/oven-sh/bun/releases/download/bun-v1.3.13/`\n- Runtime artifacts: `/tmp/p<random>.js`, `/tmp/b-<random>/bun`, `/tmp/kitty-<random>`\n- Worm fingerprints: branch `chore/add-codeql-static-analysis`, injected `.github/workflows/codeql.yml`, pinned `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd`, `.claude/settings.json` and `.vscode/tasks.json` persistence\n- Exfil repo description: `Miasma: The Spreading Blight`\n- Anti-analysis env vars: `__FAKE_PLATFORM__`, `TESTING_TAR_FAKE_PLATFORM`, `__IS_DAEMON`, `SKIP_DOMAIN`\n\n## The injection is one line in package.json\n\nThe diff between 4.0.3 and 4.0.4 is small. The attacker added a `preinstall` hook and nothing else in the manifest:\n\n`preinstall` runs before dependency resolution finishes and before any application code. On a developer laptop or a CI runner, `npm install` is enough to trigger the full chain. The `main` entry point still points at `./index.js`, the package’s normal barrel file, except that file is no longer a barrel file. In 4.0.3 it is 7.9 KB of `Object.defineProperty` re-exports. In 4.0.4 it is 4.3 MB:\n\nThe attacker removed the original exports and replaced the entire API surface.\n\n## Layer 1: ROT-9 over a char-code array\n\n`index.js` is a single statement. It maps a character-code array through `String.fromCharCode`, joins the result, Caesar-shifts by 9, and passes everything to `eval`:\n\nDecoding the array as data (never executing it) yields an async loader. It imports `node:crypto` and defines an AES-128-GCM helper, then decrypts two embedded blobs with hardcoded keys:\n\nStatic decryption of both blobs reproduces the published IoC hashes, confirming the keys:\n\n## Layer 2: download Bun, run the payload\n\nThe loader writes the larger blob (`_p`) to a random temp file and runs it under Bun. 
If Bun is not already present, it first evaluates the smaller blob (`_b`), which defines `getBunPath()`:\n\n`getBunPath()` downloads a pinned Bun release straight from the official GitHub mirror, unzips it to a temp directory, and marks it executable:\n\nThe attacker ran the payload under Bun rather than Node. Bun bundles its own TypeScript runtime, fetch, crypto, and shell, so the worm doesn’t touch the victim’s Node installation.\n\n## The payload: a multi-cloud credential harvester\n\nThe attacker obfuscated the 634 KB payload with two stacked ciphers. The outer layer uses the obfuscator.io string-array scheme: hex-named variables, a self-rotating string table (2,219 entries, rotated to checksum `0x85d3f`), and a custom base64 alphabet (`abc…xyzABC…XYZ0-9+/`). The inner layer sits beneath it: a PBKDF2 + SHA-256-keystream S-box cipher installed onto `globalThis[\"f4abccab2\"]` under a name pulled from the string array at runtime. PBKDF2 derives a 32-byte master key from hardcoded seed `P9` and salt `N9` at 200,000 iterations; decryption then runs three rounds of per-index SHA-256-keystream S-box substitution with plaintext chaining. Static analysis resolved all 1,577 string-array references and 371 `globalThis[\"f4abccab2\"]` calls where the argument is a literal.\n\nDecode the 2,219 string-table entries statically (base64 with the custom alphabet, no execution) and you recover the literal set the payload operates on:\n\nThe table also lists the environment variables the worm reads (129 `process.env` accesses in total), including `NPM_TOKEN`, `GITHUB_TOKEN`, `CIRCLE_TOKEN`, `VAULT_ADDR`, `AWS_REGION`, and `ANTHROPIC_API_KEY`. AWS access key IDs are matched on the `AKIA` prefix. Beyond environment variables, the worm reads `~/.npmrc`, `~/.netrc`, and shell and database history files from disk. 
It also runs TruffleHog-style regex scans against harvested text: `gh[op]_` and `npm_` token prefixes, `AKIA` AWS key IDs, GCP service account JSON, Azure connection strings, Stripe `sk_`/`pk_` keys, and database connection strings. The worm targets credentials from approximately 40 CI providers, including CircleCI, Travis CI, Jenkins, GitLab CI, Buildkite, and Vercel.\n\n## Self-propagation: npm republish and CI workflow injection\n\nTwo propagation paths sit in the same string table.\n\nFor npm, the payload calls the OIDC token exchange and whoami endpoints, repackages a tarball (`updateTarball`, `package-updated.tgz`), and signs the artifact through Sigstore. Stolen credentials exfiltrate to attacker-created public GitHub repositories, each carrying the description `Miasma: The Spreading Blight`. GitHub API calls use a spoofed `User-Agent: python-requests/2.31.0` header to blend with typical automation traffic. The string table also contains Fulcio and Rekor hosts alongside provenance schema URLs:\n\nFor GitHub, the worm enumerates repositories the token can write to, reads `action.yml`/`action.yaml` via GraphQL, and commits a workflow through the `createCommitOnBranch` mutation so the commit appears as a verified, signed change. The branch name, target file, and pinned Action commit are fixed:\n\nThe injected workflow pins `actions/checkout` to a specific commit hash rather than a tag, which looks like responsible supply-chain hygiene. A pull request claiming to add CodeQL static analysis reads as a security improvement, the kind of change a maintainer approves without close review.\n\n## Container escape, EDR awareness, and AI-agent persistence\n\nBeyond credential theft, the payload attempts privilege escalation. 
If it can reach the Docker socket, it launches a container that bind-mounts the host `/etc/sudoers.d` and grants the CI runner passwordless sudo:\n\nIt checks for endpoint protection before acting, probing for CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner:\n\nIt also checks environment variables before executing sensitive operations. If `__FAKE_PLATFORM__`, `TESTING_TAR_FAKE_PLATFORM`, `__IS_DAEMON`, or `SKIP_DOMAIN` are set, the payload suppresses specific behaviors. The tripwire keeps the worm quiet inside automated analysis environments while it runs in production.\n\nFor persistence, the payload targets developer tooling. The string table includes `.claude/settings.json` with a `SessionStart` reference and `.vscode/tasks.json`, the same AI-agent and editor hijack pattern SafeDep documented in the [Mini Shai-Hulud campaign](/mini-shai-hulud-strikes-again-314-npm-packages-compromised), plus the `/tmp/kitty-` daemon path from that toolkit.\n\n## Root cause: how malicious versions shipped with valid provenance\n\nEvery malicious version carries a valid npm provenance attestation. The attestation is the artifact that explains the compromise, because it records the exact repository, workflow, commit, and trigger that minted the publish token. Pull the SLSA predicate for the malicious `4.0.4` and compare it to the clean `4.0.3`:\n\nSame repository, same workflow path, same `push` trigger. The only difference is the ref: `4.0.3` was built from `refs/heads/main`, `4.0.4` from `refs/heads/oidc-4d5900f3`, a branch that no longer exists (`git/ref/heads/oidc-4d5900f3` returns 404). 
The head commit `608d011` is unsigned, persists as a dangling object, and added exactly two files.\n\n### The attacker rewrote the publish workflow on a throwaway branch\n\nDiffing `ci.yml` at `608d011` against `main` shows the entire CI pipeline replaced with a single self-publishing job:\n\nThe commit also added `_index.js`: a 4.2 MB file with the same `try{eval(function(s,n)...` ROT-9 wrapper as the dropper. It is the worm. Run inside the workflow with `id-token: write`, it reads the `OIDC_PACKAGES` list, exchanges the GitHub Actions OIDC token for an npm publish token through `https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/`, then for each target downloads the legitimate tarball, injects the `preinstall` hook and the dropper `index.js`, and republishes with provenance.\n\n### Why npm accepted the token\n\nnpm GitHub Actions trusted publishing binds trust to **repository plus workflow filename**, not to a branch, ref, or protected environment. The OIDC certificate minted for the malicious run carries the subject `repo:RedHatInsights/javascript-clients:ref:refs/heads/oidc-4d5900f3` and the SAN `.../ci.yml@refs/heads/oidc-4d5900f3`. Because the workflow filename (`ci.yml`) matched the registered publisher, npm issued the publish right and signed provenance for it. The branch the workflow ran from was never checked. Provenance attests to how a package was built, not that the build was authorized, so `npm audit signatures` reports these malicious versions as verified.\n\n### Blast radius: three repositories, two waves each\n\nThe same pattern repeated across three RedHatInsights repositories, each with its own pair of throwaway `oidc-<hex>` branches. 
Provenance refs from the attestations:\n\n| Repository | Workflow | Branches | Packages |\n|---|---|---|---|\n| `javascript-clients` | `ci.yml` | `oidc-4d5900f3`, `oidc-6523a11b` | 15 (14 `*-client` + `javascript-clients-shared`) |\n| `frontend-components` | `ci.yaml` | `oidc-61fff775`, `oidc-af10000d` | 14 (`chrome`, `frontend-components*`, `types`, …) |\n| `platform-frontend-ai-toolkit` | `release.yml` | `oidc-2530ec68`, `oidc-93b9a955` | 3 (`hcc-*-mcp`) |\n\nEach repo got two runs roughly three hours apart. The first wave was unpublished afterward; the second wave bumped the next patch number and remains the live `latest`. Across 32 packages that is 96 malicious versions, and for every package the current `latest` on npm is the third-wave payload. Those live `latest` versions all ship the `preinstall` dropper and a ~4 MB `index.js`. Upgrading to the latest patch installs the payload rather than removing it.\n\n### Initial access remains the open question\n\nThe provenance proves the publish path. It does not prove how the attacker got write access to push branches into three RedHatInsights repositories. 
The head commits are unsigned and attributed to a real Red Hat engineer (`justinorringer`), but git author metadata is forgeable and normal pushes to these repos come from automation (`nacho-bot`, `platex-rehor-bot`), not that account.\n\n### Affected packages and versions\n\n| # | Ecosystem | Package | Version |\n|---|---|---|---|\n| 1 | npm | @redhat-cloud-services/chrome | 2.3.1 |\n| 2 | npm | @redhat-cloud-services/compliance-client | 4.0.3 |\n| 3 | npm | @redhat-cloud-services/config-manager-client | 5.0.4 |\n| 4 | npm | @redhat-cloud-services/entitlements-client | 4.0.11 |\n| 5 | npm | @redhat-cloud-services/eslint-config-redhat-cloud-services | 3.2.1 |\n| 6 | npm | @redhat-cloud-services/frontend-components | 7.7.2 |\n| 7 | npm | @redhat-cloud-services/frontend-components-advisor-components | 3.8.2 |\n| 8 | npm | @redhat-cloud-services/frontend-components-config | 6.11.3 |\n| 9 | npm | @redhat-cloud-services/frontend-components-config-utilities | 4.11.2 |\n| 10 | npm | @redhat-cloud-services/frontend-components-notifications | 6.9.2 |\n| 11 | npm | @redhat-cloud-services/frontend-components-remediations | 4.9.2 |\n| 12 | npm | @redhat-cloud-services/frontend-components-testing | 1.2.1 |\n| 13 | npm | @redhat-cloud-services/frontend-components-translations | 4.4.1 |\n| 14 | npm | @redhat-cloud-services/frontend-components-utilities | 7.4.1 |\n| 15 | npm | @redhat-cloud-services/hcc-feo-mcp | 0.3.1 |\n| 16 | npm | @redhat-cloud-services/hcc-kessel-mcp | 0.3.1 |\n| 17 | npm | @redhat-cloud-services/hcc-pf-mcp | 0.6.1 |\n| 18 | npm | @redhat-cloud-services/host-inventory-client | 5.0.3 |\n| 19 | npm | @redhat-cloud-services/insights-client | 4.0.4 |\n| 20 | npm | @redhat-cloud-services/integrations-client | 6.0.4 |\n| 21 | npm | @redhat-cloud-services/javascript-clients-shared | 2.0.8 |\n| 22 | npm | @redhat-cloud-services/notifications-client | 6.1.4 |\n| 23 | npm | @redhat-cloud-services/patch-client | 4.0.4 |\n| 24 | npm | @redhat-cloud-services/quickstarts-client | 4.0.11 |\n| 25 | npm 
| @redhat-cloud-services/rbac-client | 9.0.3 |\n| 26 | npm | @redhat-cloud-services/remediations-client | 4.0.4 |\n| 27 | npm | @redhat-cloud-services/rule-components | 4.7.2 |\n| 28 | npm | @redhat-cloud-services/sources-client | 3.0.10 |\n| 29 | npm | @redhat-cloud-services/topological-inventory-client | 3.0.10 |\n| 30 | npm | @redhat-cloud-services/tsc-transform-imports | 1.2.2 |\n| 31 | npm | @redhat-cloud-services/types | 3.6.1 |\n| 32 | npm | @redhat-cloud-services/vulnerabilities-client | 2.1.8 |\n| 33 | npm | @redhat-cloud-services/tsc-transform-imports | 1.2.4 |\n| 34 | npm | @redhat-cloud-services/types | 3.6.2 |\n| 35 | npm | @redhat-cloud-services/eslint-config-redhat-cloud-services | 3.2.2 |\n| 36 | npm | @redhat-cloud-services/frontend-components-testing | 1.2.2 |\n| 37 | npm | @redhat-cloud-services/frontend-components-remediations | 4.9.3 |\n| 38 | npm | @redhat-cloud-services/frontend-components-config | 6.11.4 |\n| 39 | npm | @redhat-cloud-services/frontend-components-config-utilities | 4.11.3 |\n| 40 | npm | @redhat-cloud-services/chrome | 2.3.2 |\n| 41 | npm | @redhat-cloud-services/frontend-components-translations | 4.4.2 |\n| 42 | npm | @redhat-cloud-services/frontend-components-notifications | 6.9.3 |\n| 43 | npm | @redhat-cloud-services/rule-components | 4.7.3 |\n| 44 | npm | @redhat-cloud-services/frontend-components-advisor-components | 3.8.4 |\n| 45 | npm | @redhat-cloud-services/frontend-components-utilities | 7.4.2 |\n| 46 | npm | @redhat-cloud-services/frontend-components | 7.7.3 |\n| 47 | npm | @redhat-cloud-services/entitlements-client | 4.0.12 |\n| 48 | npm | @redhat-cloud-services/config-manager-client | 5.0.5 |\n| 49 | npm | @redhat-cloud-services/quickstarts-client | 4.0.12 |\n| 50 | npm | @redhat-cloud-services/integrations-client | 6.0.5 |\n| 51 | npm | @redhat-cloud-services/javascript-clients-shared | 2.0.9 |\n| 52 | npm | @redhat-cloud-services/notifications-client | 6.1.5 |\n| 53 | npm | @redhat-cloud-services/patch-client 
| 4.0.5 |\n| 54 | npm | @redhat-cloud-services/sources-client | 3.0.11 |\n| 55 | npm | @redhat-cloud-services/host-inventory-client | 5.0.4 |\n| 56 | npm | @redhat-cloud-services/vulnerabilities-client | 2.1.9 |\n| 57 | npm | @redhat-cloud-services/rbac-client | 9.0.4 |\n| 58 | npm | @redhat-cloud-services/remediations-client | 4.0.5 |\n| 59 | npm | @redhat-cloud-services/insights-client | 4.0.5 |\n| 60 | npm | @redhat-cloud-services/compliance-client | 4.0.4 |\n| 61 | npm | @redhat-cloud-services/topological-inventory-client | 3.0.11 |\n| 62 | npm | @redhat-cloud-services/hcc-kessel-mcp | 0.3.2 |\n| 63 | npm | @redhat-cloud-services/hcc-pf-mcp | 0.6.2 |\n| 64 | npm | @redhat-cloud-services/hcc-feo-mcp | 0.3.2 |\n| 65 | npm | @redhat-cloud-services/tsc-transform-imports | 1.2.6 |\n| 66 | npm | @redhat-cloud-services/types | 3.6.4 |\n| 67 | npm | @redhat-cloud-services/eslint-config-redhat-cloud-services | 3.2.4 |\n| 68 | npm | @redhat-cloud-services/frontend-components-testing | 1.2.4 |\n| 69 | npm | @redhat-cloud-services/frontend-components-remediations | 4.9.5 |\n| 70 | npm | @redhat-cloud-services/frontend-components-config | 6.11.6 |\n| 71 | npm | @redhat-cloud-services/frontend-components-config-utilities | 4.11.5 |\n| 72 | npm | @redhat-cloud-services/chrome | 2.3.4 |\n| 73 | npm | @redhat-cloud-services/frontend-components-translations | 4.4.4 |\n| 74 | npm | @redhat-cloud-services/frontend-components-notifications | 6.9.5 |\n| 75 | npm | @redhat-cloud-services/rule-components | 4.7.5 |\n| 76 | npm | @redhat-cloud-services/frontend-components-advisor-components | 3.8.6 |\n| 77 | npm | @redhat-cloud-services/frontend-components-utilities | 7.4.4 |\n| 78 | npm | @redhat-cloud-services/frontend-components | 7.7.5 |\n| 79 | npm | @redhat-cloud-services/entitlements-client | 4.0.14 |\n| 80 | npm | @redhat-cloud-services/config-manager-client | 5.0.7 |\n| 81 | npm | @redhat-cloud-services/quickstarts-client | 4.0.14 |\n| 82 | npm | 
@redhat-cloud-services/integrations-client | 6.0.7 |\n| 83 | npm | @redhat-cloud-services/javascript-clients-shared | 2.0.11 |\n| 84 | npm | @redhat-cloud-services/notifications-client | 6.1.7 |\n| 85 | npm | @redhat-cloud-services/patch-client | 4.0.7 |\n| 86 | npm | @redhat-cloud-services/sources-client | 3.0.13 |\n| 87 | npm | @redhat-cloud-services/host-inventory-client | 5.0.6 |\n| 88 | npm | @redhat-cloud-services/vulnerabilities-client | 2.1.11 |\n| 89 | npm | @redhat-cloud-services/rbac-client | 9.0.6 |\n| 90 | npm | @redhat-cloud-services/remediations-client | 4.0.7 |\n| 91 | npm | @redhat-cloud-services/insights-client | 4.0.7 |\n| 92 | npm | @redhat-cloud-services/compliance-client | 4.0.6 |\n| 93 | npm | @redhat-cloud-services/topological-inventory-client | 3.0.13 |\n| 94 | npm | @redhat-cloud-services/hcc-kessel-mcp | 0.3.4 |\n| 95 | npm | @redhat-cloud-services/hcc-pf-mcp | 0.6.4 |\n| 96 | npm | @redhat-cloud-services/hcc-feo-mcp | 0.3.4 |\n\n### Author\n\n#### SafeDep Team\n\nsafedep.io
", "url": "https://wpnews.pro/news/mini-shai-hulud-miasma-the-spreading-blight-hits-redhat-cloud-services-multiple", "canonical_source": "https://safedep.io/redhat-cloud-services-hit-by-mini-shai-hulud-npm-worm", "published_at": "2026-06-01 12:37:00+00:00", "updated_at": "2026-06-04 21:43:38.740979+00:00", "lang": "en", "topics": ["ai-safety", "ai-infrastructure"], "entities": ["Red Hat", "GitHub", "npm", "AWS", "Azure", "GCP", "HashiCorp Vault", "Kubernetes"], "alternates": {"html": "https://wpnews.pro/news/mini-shai-hulud-miasma-the-spreading-blight-hits-redhat-cloud-services-multiple", "markdown": "https://wpnews.pro/news/mini-shai-hulud-miasma-the-spreading-blight-hits-redhat-cloud-services-multiple.md", "text": "https://wpnews.pro/news/mini-shai-hulud-miasma-the-spreading-blight-hits-redhat-cloud-services-multiple.txt", "jsonld": "https://wpnews.pro/news/mini-shai-hulud-miasma-the-spreading-blight-hits-redhat-cloud-services-multiple.jsonld"}}