Chainguard customers safe from Mini Shai-Hulud worm targeting @redhat-cloud-services npm packages with 100K+ weekly downloads

Chainguard customers using Chainguard Libraries for JavaScript and Chainguard Actions are unaffected by today's Mini Shai-Hulud attack targeting the @redhat-cloud-services npm scope. An attacker compromised a Red Hat employee's GitHub account and used the associated GitHub Actions OIDC trusted publisher to ship malicious versions across 90+ packages in the scope. Together, these projects average more than 100,000 weekly downloads.

The worm self-propagates by republishing tampered npm tarballs and injecting malicious GitHub Actions workflows into accessible repositories. As of this writing, attacker-created repositories containing exfiltrated credentials are appearing on GitHub under the description "Miasma: The Spreading Blight,” which has hit 290+ repositories so far.

Organizations that pulled any of the following versions directly from npm should investigate for a possible compromise:

• @redhat-cloud-services/types@3.6.1 (~15,000 downloads/week)

• @redhat-cloud-services/frontend-components-utilities@7.4.1 (~14,000 downloads/week)

• @redhat-cloud-services/frontend-components@7.7.2 (~14,000 downloads/week)

• @redhat-cloud-services/rbac-client@9.0.3 (~14,000 downloads/week)

• @redhat-cloud-services/javascript-clients-shared@2.0.8 (~13,000 downloads/week)

• @redhat-cloud-services/frontend-components-config-utilities@4.11.2 (~9,000 downloads/week)

• @redhat-cloud-services/frontend-components-notifications@6.9.2 (~8,000 downloads/week)

• Plus 24 additional packages across the scope (full list below)

Each malicious package declares a preinstall script in package.json that executes a 4.2 MB obfuscated index.js file the moment npm install runs. This executes before any application code loads and before the engineer has any indication that something is wrong. The payload is buried behind three layers of obfuscation and targets the full credential chain: cloud service provider keys, HashiCorp Vault, GitHub PATs, npm tokens, and approximately 40 CI provider credential patterns, including NPM_TOKEN, GITHUB_TOKEN, CIRCLE_TOKEN, and ANTHROPIC_API_KEY.

In GitHub Actions environments, the payload reads directly from /proc/<pid>/mem to extract secrets from the Runner.Worker process memory — recovering every masked secret in plaintext, bypassing the masking mechanism entirely.

The attacker compromised a Red Hat employee’s credentials to abuse GitHub Actions OIDC trusted publishing to mint valid publish tokens without a static NPM_TOKEN. The same publishing path covers all packages in the scope, meaning a single compromised workflow run could yield tokens for every package. Using harvested npm tokens, the payload is disguised as a security improvement on a new branch to trick maintainers into merging. Before execution, the payload checks for CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner, and suppresses its behavior if endpoint security or CI hardening tooling is detected. Persistence is installed via .claude/settings.json and .vscode/tasks.json, meaning the malware survives package removal and re-executes every time an engineer uses Claude Code or opens VS Code.

This is the latest wave of the Mini Shai-Hulud campaign, which the attacker has self-named "Miasma: The Spreading Blight." The campaign shares techniques with the Shai-Hulud worm that compromised Trust Wallet in late 2025, the CanisterWorm in March 2026, the SAP Cloud Application Programming Model attack in April, and the AntV Wave 5 attack from May. In this wave, the attacker compromised RedHat (a legitimate vendor namespace) and abused OIDC trusted publishing. Package reputation and provenance signatures provided no protection.

Why Chainguard customers were protected

Chainguard Libraries for JavaScript never built or served any of the malicious versions because of our policy not to build packages with install-time scripts. The Chainguard Factory does not execute arbitrary lifecycle hooks from upstream packages. When a package declares a preinstall, postinstall, or prepare hook, the build is terminated before any of the package's code runs. This is the same architectural protection that kept Chainguard customers safe during every wave of Shai-Hulud, CanisterWorm, the SAP compromise, and the AntV attack. The malicious versions were also never served via the upstream fallback, which is protected by a cooldown period.

Chainguard customers using Chainguard Actions are also protected. Chainguard Actions hardens and re-publishes upstream actions, with each hardened action pinning its internal uses: and container image references to immutable SHAs. The injected codeql.yml workflow has no impact on customers running hardened actions.

What to do if you're not a Chainguard customer

If you installed any of the affected package versions, treat your environment as compromised. Before rotating credentials, check for persistence artifacts: .claude/settings.json, .vscode/tasks.json, and /tmp/kitty-* daemon paths on affected systems.

Once persistence is cleared, rotate all credentials reachable from the compromised environment: AWS keys, npm tokens, GitHub PATs, HashiCorp Vault tokens, Kubernetes service account tokens, and SSH keys. Audit your GitHub account for unexpected public repositories with the description "Miasma: The Spreading Blight." Review .github/workflows/ for unexpected commits, especially any PRs adding codeql.yml on branch chore/add-codeql-static-analysis.

Pin all @redhat-cloud-services/* packages to versions published before June 1, 2026, and verify tarballs against known-good SHA256 hashes. Given that the worm tampers with tarballs in transit, lockfile presence alone is insufficient.

To ensure you're protected from the inevitable next attack, get started with Chainguard Libraries for JavaScript for free. If you’d like to learn more, reach out.