ctipilot.ch

Miasma

campaign · campaign:miasma-redhat-npm-supply-chain

Worm backdooring 32 @redhat-cloud-services npm packages; a TeamPCP / Mini Shai-Hulud variant.

Coverage timeline
14
first 2026-06-01 → last 2026-07-16
Peak priority
high
7 high · 7 notable
Sources cited
42
27 hosts
Sections touched
8
active-threats, research, updates
Co-occurring entities
6
see Related entities below
ATT&CK techniques
9
pinned v19.1 · see below
2026-06-0114 appearances2026-07-16

Hunting pivots

Affected products
@asyncapi/generator@asyncapi/generator-components@asyncapi/generator-helpers@asyncapi/specs

ATT&CK techniques

9 techniques observed across 4 entries — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1195.002Supply Chain Compromise: Compromise Software Supply Chain×3

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Evidence: 2026-07-16/asyncapi-npm-compromise-valid-provenance-attestations-delta · 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · 2026-06-01/ironworm-miasma-ai-coding-agent-injection-two-supply-chain-w · ATT&CK page ↗

Execution TA0002

T1059.007Command and Scripting Interpreter: JavaScript×3

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.

Evidence: 2026-07-16/asyncapi-npm-compromise-valid-provenance-attestations-delta · 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · 2026-06-10/shai-hulud-miasma-supply-chain-worm-jumps-to-pypi-as-hades-3 · ATT&CK page ↗

Persistence TA0003

T1543.002Create or Modify System Process: Systemd Service×1

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

T1547.013Boot or Logon Autostart Execution: XDG Autostart Entries×1

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.

Evidence: 2026-06-10/shai-hulud-miasma-supply-chain-worm-jumps-to-pypi-as-hades-3 · ATT&CK page ↗

Privilege Escalation TA0004

T1543.002Create or Modify System Process: Systemd Service×1

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

T1547.013Boot or Logon Autostart Execution: XDG Autostart Entries×1

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.

Evidence: 2026-06-10/shai-hulud-miasma-supply-chain-worm-jumps-to-pypi-as-hades-3 · ATT&CK page ↗

Stealth TA0005

T1027Obfuscated Files or Information×2

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Evidence: 2026-07-16/asyncapi-npm-compromise-valid-provenance-attestations-delta · 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

Credential Access TA0006

T1528Steal Application Access Token×1

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

T1555Credentials from Password Stores×1

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Evidence: 2026-06-10/shai-hulud-miasma-supply-chain-worm-jumps-to-pypi-as-hades-3 · ATT&CK page ↗

Command and Control TA0011

T1071.001Application Layer Protocol: Web Protocols×1

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

T1105Ingress Tool Transfer×2

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

Evidence: 2026-07-16/asyncapi-npm-compromise-valid-provenance-attestations-delta · 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

Story timeline

  1. 2026-07-16AsyncAPI npm compromise — the trojanized packages shipped valid npm/OIDC provenance attestations (Microsoft forensic timeline)
    updatesAsyncAPI npm compromise: Microsoft finds the malicious versions carried valid npm/OIDC provenance attestations, with an import-time (not install-hook) trigger
  2. 2026-07-14AsyncAPI npm packages backdoored via a GitHub Actions pull_request_target token theft, delivering a multi-stage IPFS implant (M-RED-TEAM)
    active-threatsAttacker abuses an AsyncAPI GitHub Actions pwn-request to steal a publish token and backdoor five @asyncapi npm versions with a multi-stage implant
  3. 2026-06-29Research: the trust chain, not the perimeter, was the week's attack surface
    weekly-research
  4. 2026-06-29npm supply-chain worms — a sustained wave across the week
    weekly-multi-day
  5. 2026-06-29Looking ahead — 2026-W26
    weekly-looking-ahead
  6. 2026-06-27Miasma / "Mini Shai-Hulud" npm worm runs a new wave across LeoPlatform/RStreams packages
    updates
  7. 2026-06-14Shai-Hulud / Miasma supply-chain worm lineage — open-sourced, ported to PyPI, and a 1,500-package AUR wave
    weekly-multi-day
  8. 2026-06-12npm v12 will disable install scripts by default — audit CI/CD pipelines before July
    research
  9. 2026-06-10Shai-Hulud/Miasma supply-chain worm jumps to PyPI as "Hades" — 37 malicious wheels across 19 packages
    updates
  10. 2026-06-09TeamPCP open-sources its Mini Shai-Hulud framework, spawning a new "Phantom Gyp" derivative
    active-threats
  11. 2026-06-06Miasma supply-chain worm reaches 73 Microsoft GitHub repositories, adds Azure credential collectors
    updates
  12. 2026-06-02"Miasma" worm backdoors 32 Red Hat Cloud Services npm packages via OIDC trusted-publishing abuse
    active-threats
  13. 2026-06-01Technology / software supply chain — four concurrent worm/supply-chain threats in one week
    weekly-sector-patterns
  14. 2026-06-01IronWorm + Miasma AI coding-agent injection: two supply-chain worms target cloud credentials and developer toolchains simultaneously
    weekly-top-stories

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

attributed to

overlaps with

Where this entity is cited

  • updates4
  • active-threats3
  • weekly-multi-day2
  • weekly-top-stories1
  • weekly-sector-patterns1
  • research1
  • weekly-looking-ahead1
  • weekly-research1

Source distribution

  • bleepingcomputer.com5 (12%)
  • thehackernews.com5 (12%)
  • research.jfrog.com3 (7%)
  • socket.dev3 (7%)
  • microsoft.com2 (5%)
  • unit42.paloaltonetworks.com2 (5%)
  • wiz.io2 (5%)
  • advisories.ncsc.nl1 (2%)
  • other19 (45%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

All cited sources (42)

Entries about Miasma (14)

2026-07-16 · view entry permalink →

NOTABLEupdateNATOB1

AsyncAPI npm compromise — the trojanized packages shipped valid npm/OIDC provenance attestations (Microsoft forensic timeline)

UPDATE · originally covered AsyncAPI npm packages backdoored via a GitHub Actions pull_request_target token theft, delivering a multi-stage IPFS implant (M-RED-TEAM) (2026-07-14)

Microsoft Threat Intelligence published a forensic timeline of the AsyncAPI npm compromise that adds a detail with broad supply-chain-defence implications (Microsoft Threat Intelligence, 2026-07-15). Once the attacker held push access as the AsyncAPI service account (via the pull_request_target misconfiguration covered in the original entry), no npm-token theft was needed: a direct push to a release-triggering branch ran the project's own legitimate release-with-changesets workflow, which published the packages via npm trusted publishing over GitHub OIDC. As a result the five trojanized versions carry cryptographically valid provenance attestations that correctly identify the real repository, commit and workflow — even though the triggering commit was unauthorized (Microsoft Threat Intelligence, 2026-07-15).

Two further deltas: the payload triggers at import time (embedded in one file per package — index.js for the specs package, validator.js/utils.js/ErrorHandling.js for the generator family) and unwraps an IPFS-fetched bundle through three static-key crypto layers to an eval(), so npm install --ignore-scripts provides no protection; and Microsoft recovered all three self-identifying strings — M-RED-TEAM v6.4, miasma-train-p1 and miasma-test-org — from one binary, resolving the identifier ambiguity across the original reporting. Unit 42 independently corroborates the timeline and identifies the payload as a descendant of the same Miasma RAT deployed in the June 2026 Red Hat supply-chain operation (Unit 42, 2026-07-15).

All five malicious versions were published through npm trusted publishing using GitHub OIDC and carried valid provenance attestations. The attestations accurately identified the legitimate repositories, commits, and workflows that created the packages, even though the triggering commits were unauthorized.

Do not rely on npm install –ignore-scripts as a mitigation; this campaign executes when the module is imported, not through a lifecycle hook.

Microsoft Threat Intelligence 2026-07-15
incident16 Jul 04:44Zmulti-sourceOpen finding ↗

2026-07-14 · view entry permalink →

HIGHNATOB1

AsyncAPI npm packages backdoored via a GitHub Actions pull_request_target token theft, delivering a multi-stage IPFS implant (M-RED-TEAM)

On 2026-07-14 an attacker compromised the asyncapi/generator GitHub repository by abusing a pull_request_target workflow that checked out the pull request's own code while still running "in the context of the base repository with full access to secrets" (Wiz, 2026-07-14). The attacker opened 37 pull requests — almost all a decoy adding a fake charity-donation page — while a single one (PR #2155, 05:08 UTC) carried obfuscated JavaScript that scanned the Actions runner environment for secrets and exfiltrated them to a paste-site dead drop, capturing the token of asyncapi-bot, a service account with organization-wide access; by 06:58 UTC the attacker pushed a malicious commit to the next branch and from 07:10 UTC the release workflow published five trojanized versions across four packages — @asyncapi/generator 3.3.1, @asyncapi/generator-helpers 1.1.1, @asyncapi/generator-components 0.7.1, and @asyncapi/specs 6.11.2 and 6.11.2-alpha.1 — which "combined, these packages see over three million downloads a week" (Wiz, 2026-07-14). A contributor had opened a fix for the vulnerable workflow on 2026-05-17; it was still unmerged 58 days later when the attack landed.

The injected code executes on import/require, not at install time: it spawns a detached Node child process that downloads a later stage from IPFS into a per-user application-support directory, then runs an encrypted multi-stage bundle whose runtime "explicitly self-identifies as 'M-RED-TEAM v6.4' in code comments" (Wiz, 2026-07-14). It establishes persistence via a systemd user service on Linux (with platform-specific equivalents on macOS and Windows) and beacons over multiple command-and-control channels — HTTP, Nostr relays, Ethereum smart contracts, and a libp2p mesh — accepting remote commands for file operations, directory listing and data exfiltration; its obfuscation uses javascript-obfuscator with a custom base64 alphabet matching prior incidents. The bundle carries credential-theft capabilities targeting saved browser passwords and cookies, SSH keys, npm and GitHub tokens, AWS credentials, the macOS Keychain and crypto wallets. Wiz notes technical fingerprints overlapping the Miasma framework (a miasma-branded persistence service and relay tags) and a dead-drop naming pattern matching the separately-tracked prt-scan pull-request-abuse campaign, but states that "beyond the references and initial obfuscation method the payload contains minimal resemblance to previous Miasma and Shai-Hulud payloads" and that "at this time, we are not making any definitive attribution." SafeDep, tracking the same incident, reports the payload self-identifying as miasma-train-p1 rather than Wiz's M-RED-TEAM v6.4 and frames the Miasma link more directly — "this is either a private, parallel build by the same operators or a separate group that adopted the Miasma brand after the source was published" (SafeDep, 2026-07-14); a team hunting code-comment strings should check for both identifiers.

Defender takeaway. This is a recurring 2026 pattern of pull_request_target "pwn request" abuse feeding npm-ecosystem backdoors, and the load-bearing control gap is a CI/CD one: any workflow that triggers on pull_request_target and then checks out untrusted PR code runs attacker code with access to repository secrets. Audit your own Actions workflows for that pattern, and — because the payload runs on import rather than install — a --ignore-scripts install policy does not neutralise it; only pinning to known-good versions and rebuilding from a clean state does.

Triage: a legitimate require() of AsyncAPI tooling performs no runtime network activity; the signal is a detached Node child process spawned from an npm/node parent at import time that reaches out to an IPFS gateway or a peer-to-peer mesh and then creates a user-level persistence service — process-lineage telemetry (a script interpreter spawning a hidden detached child with outbound egress) plus a new systemd/user-service artifact created outside a package-manager transaction is the discriminator, since benign build tooling produces neither.

On July 14, 2026, an attacker opened 37 pull requests to the AsyncAPI generator repository. Almost all attempted to add a fake charity donation page.

The payload executes on import/require, not install.

The payload includes credential theft capabilities targeting browser saved passwords and cookies (Chrome, Brave, Firefox, Edge), SSH keys, npm and GitHub tokens, AWS credentials, macOS Keychain, and cryptocurrency wallets.

Wiz 2026-07-14

This is either a private, parallel build by the same operators or a separate group that adopted the Miasma brand after the source was published.

SafeDep 2026-07-14
incident14 Jul 12:38Zmulti-sourceOpen finding ↗
Sources: Wiz · SafeDep

2026-06-29 · view entry permalink →

NOTABLE

Looking ahead — 2026-W26

A focused, justified list — items already in motion, not predictions.

  • ShinyHunters PeopleSoft notifications are still landing — expect more named European education and public-finance victims. GTIG has notified ~100 organisations (68% higher education) and NAIC is the fresh high-profile case; patch internet-reachable PeopleSoft and hunt /PSEMHUB/ and /PSIGW/HttpListeningConnector. (Google GTIG; daily 06-28)
  • FortiBleed is not a one-and-done credential reset — full AD domain takeover is now confirmed at a NATO-aligned contractor. Finish session termination and credential rotation, then hunt for post-compromise AD persistence (Kerberos abuse, DCSync, DFS-backup exfiltration) rather than assuming the reset closed it. (CISA; daily 06-24)
  • The Klue/Icarus extortion surface is multiplying after the "resolution" — a second group is now extorting ~195 listed organisations. Any firm with a Klue/Salesforce integration should expect renewed extortion contact regardless of Icarus's stated data deletion; complete OAuth-grant revocation and CRM-egress monitoring. (SecurityWeek; daily 06-27)
  • CRA Single Reporting Platform go-live is ~75 days out (11 September); ENISA's dry-run schedule is due now. In-scope manufacturers — including Swiss exporters to the EU — should register and wire the 24/72-hour reporting flow into their PSIRT process before the obligation binds. (ENISA SRP)
  • EDPB Article 33 harmonised breach-notification template consultation closes 5 August. Still open with no in-window change; multi-jurisdiction breach-response owners have a closing window to comment before the EDPB sets a mandatory-adoption timeline. (EDPB)
  • npm v12 will disable install scripts by default — the week's Miasma worm wave is the reminder to audit CI now. Miasma's postinstall-and-SessionStart-hook propagation is exactly the kill chain --ignore-scripts / npm v12 defaults neutralise; inventory pipelines and AI-coding-tool hook configs that rely on build scripts. (Socket; daily 06-27)
  • libssh2 CVE-2026-55200 has a public PoC and an upstream fix commit, but tagged releases lag across the binding ecosystem — track the embedded-dependency fix pipeline. Inventory appliances, tooling and language bindings that ship libssh2 and chase each vendor's release rather than assuming a single library bump closes it. (NCSC-NL; daily 06-28)
  • Scattered Spider TfL sentencing is set for 16 July. First UK court outcome on the campaign; the vishing/social-engineering TTP precedent is directly relevant to European transport and public-sector identity-desk hardening. (UK NCA; daily 06-23)
outlook29 Jun 00:21Zmulti-sourceOpen finding ↗

Earlier coverage (11)

2026-06-29HIGHResearch: the trust chain, not the perimeter, was the week's attack surfaceThe week's research converges on the trust chain, not the perimeter — a "Developer Credential Economy" feeding npm worms into AI-coding-agent session hooks, OAuth-grant abuse, and a Browser-in-the-Middle PhaaS (Bluekit) that defeats Device Bound Session Credentials. (daily 06-28, Tenable)2026-06-29NOTABLEnpm supply-chain worms — a sustained wave across the weekThree separate npm-ecosystem supply-chain events were in play across the window, and the pattern is the story. Microsoft attributed the Mastra scope compromise (140+ @mastra packages, postinstall dropper) to North Korea's Sapphire Sleet (covered in the daily on 06-21).2026-06-27HIGHupdateMiasma / "Mini Shai-Hulud" npm worm runs a new wave across LeoPlatform/RStreams packages"Miasma/Mini Shai-Hulud" npm worm runs a new wave across 23+ LeoPlatform/RStreams packages, again using binding.gyp install-time execution to harvest CI and cloud secrets (Socket, 2026-06-25).2026-06-14NOTABLEShai-Hulud / Miasma supply-chain worm lineage — open-sourced, ported to PyPI, and a 1,500-package AUR waveThe supply-chain-worm family the W23 weekly consolidated under the Miasma/IronWorm banner spent this week proliferating across ecosystems and operators. On 9 June a SANS ISC handler tracked TeamPCP open-sourcing its Mini Shai-Hulud framework, immediately spawning a "Phantom Gyp" derivative (SANS ISC; daily 06-09).2026-06-12NOTABLEnpm v12 will disable install scripts by default — audit CI/CD pipelines before JulyGitHub announced that npm v12 (expected July 2026) disables dependency lifecycle scripts (preinstall/install/postinstall, including implicit node-gyp builds) by default, requires npm approve-scripts for explicit opt-in, and blocks Git/remote-URL dependencies without --allow-git/--allow-remote (GitHub …2026-06-10NOTABLEupdateShai-Hulud/Miasma supply-chain worm jumps to PyPI as "Hades" — 37 malicious wheels across 19 packagesUPDATE (originally covered 2026-06-06): The Miasma/Mini-Shai-Hulud supply-chain lineage previously tracked across npm and GitHub has opened a PyPI front dubbed "Hades": Socket and others identified 37 malicious wheel artifacts across 19 packages abusing Python's .pth site-module startup mechanism to auto-execute …2026-06-09HIGHTeamPCP open-sources its Mini Shai-Hulud framework, spawning a new "Phantom Gyp" derivativeTeamPCP open-sources its Mini Shai-Hulud supply-chain framework on GitHub, spawning a new "Phantom Gyp" derivative and underscoring that valid SLSA provenance does not survive a subverted build environment (SANS ISC, 2026-06-08).2026-06-06NOTABLEupdateMiasma supply-chain worm reaches 73 Microsoft GitHub repositories, adds Azure credential collectorsUPDATE (originally covered 2026-06-02): The Miasma worm — the TeamPCP-spawned descendant of the Mini Shai-Hulud lineage first covered against the Red Hat @redhat-cloud-services npm namespace — recompromised the durabletask package and propagated into the Microsoft GitHub estate.2026-06-02HIGH"Miasma" worm backdoors 32 Red Hat Cloud Services npm packages via OIDC trusted-publishing abuse"Miasma" supply-chain worm compromised 32 @redhat-cloud-services npm packages via a hijacked maintainer GitHub account and OIDC trusted-publishing abuse, adding new GCP and Azure cloud-identity collectors (Wiz, 2026-06-01).2026-06-01HIGHTechnology / software supply chain — four concurrent worm/supply-chain threats in one weekIronWorm: first eBPF-rootkit npm worm sweeps cloud/AI credentials from ~36 packages via Tor C2. Kernel-mode rootkit hides the implant from procfs and most EDR agents — user-space process hunting is insufficient. (daily, JFrog)2026-06-01HIGHexploitedIronWorm + Miasma AI coding-agent injection: two supply-chain worms target cloud credentials and developer toolchains simultaneouslyMiasma worm pivots to AI coding-agent config injection — 73 Microsoft GitHub repositories disabled in 105 seconds. Malicious commits wire execution to Claude Code / Cursor / Gemini CLI / VS Code workspace-config files, detonating on repo open rather than npm install; azure-functions-action CI/CD globally disrupted. (daily, StepSecurity)