Red Hat npm 'Miasma' Attack: NC SMB Defense (June 2026)

Miasma supply chain attack poisoned 32+ @redhat-cloud-services npm packages on June 1, 2026, stealing AWS, Azure, npm and Vault secrets. NC SMB plan. Call (336) 886-3282.


TL;DR: On June 1, 2026, security researchers disclosed Miasma: The Spreading Blight, a TeamPCP supply chain campaign that compromised 32+ packages under the official @redhat-cloud-services npm scope and the underlying RedHatInsights GitHub repositories. The poisoned releases run a preinstall script that harvests GitHub Actions secrets, AWS/GCP/Azure tokens, Kubernetes credentials, HashiCorp Vault tokens, and npm and CircleCI tokens, then attempts to self-propagate. Red Hat confirmed no Red Hat enterprise products shipped compromised, but the npm scope sees roughly 80,000 weekly downloads, so the blast radius reaches every downstream developer and SMB whose vendors build with these packages.

Key takeaway: "We do not use Red Hat" is not a safe answer. If any of your software vendors, web developers, M&A targets, or marketing automation partners pulls from the @redhat-cloud-services npm scope into their CI/CD pipeline, their compromised secrets become your data-loss event.

Worried about npm exposure inside your vendor stack? Preferred Data Corporation runs vendor software-supply-chain reviews and CI/CD hardening sprints for NC small businesses. Call (336) 886-3282 or request a vendor risk review.

What is the Miasma supply chain attack?

Miasma is the June 1, 2026 supply chain compromise of more than 32 official packages under the @redhat-cloud-services npm scope, attributed to the TeamPCP threat group. Per Wiz Research's June 1 disclosure, StepSecurity's analysis, and Red Hat's RHSB-2026-006 customer advisory, the attackers compromised a Red Hat employee GitHub account and injected malicious GitHub Actions workflows into three RedHatInsights repositories: frontend-components, javascript-clients, and platform-frontend-ai-toolkit.

Miasma is a new variant of the Mini Shai-Hulud worm previously documented by Microsoft Threat Intelligence and is the same TeamPCP threat actor behind the May 2026 TanStack and AntV npm waves. The technical pattern is the same: a preinstall script in the package runs an obfuscated payload the moment npm install is executed, before any application code runs.

What does the malware actually steal?

The payload is a multi-stage credential harvester that sweeps the developer machine and CI/CD runner for high-value secrets. Per StepSecurity's June 1 writeup and Snyk's Miasma analysis, it targets:

  • GitHub Actions secrets and personal access tokens.
  • AWS, GCP, and Azure cloud credentials (access keys, service-principal secrets).
  • Kubernetes config files and service-account tokens.
  • HashiCorp Vault tokens.
  • npm registry tokens (for self-propagation to packages the victim can publish).
  • CircleCI tokens.
  • Common developer secret-store paths.

The payload is purpose-built to evade detection: it ships obfuscated, runs only inside preinstall, and excludes itself from logs where possible.

Why does this hit NC small businesses if we do not use Red Hat?

Because npm supply chain attacks are transitive. The @redhat-cloud-services packages are pulled into:

  Where they show up                                      | Why it matters for an NC SMB
  Custom web apps built by external developers            | Vendor's stolen AWS keys can rotate into your cloud account
  SaaS vendors building dashboards on Red Hat console     | Vendor breach can expose your tenant data
  components                                              |
  M&A targets with internal development teams             | Pre-close compromise becomes post-close liability
  Marketing-automation and CRM integration partners       | Stolen GitHub/CircleCI tokens enable pipeline poisoning of your apps
  Manufacturing ERP integrations using OpenShift consoles | OT-adjacent credentials are a high-value secondary target

In other words: you do not need to install npm packages yourself to be downstream of an npm compromise.

What do we need to do this week?

Three actions, sequenced by urgency. Most NC small businesses can close this in 7-10 days with a managed partner driving the work.

  1. Vendor outreach (first 48 hours). Contact every software vendor, web developer, and external integrator. Ask whether they pull from @redhat-cloud-services (or any of the TanStack, AntV, or typosquat packages from the May 2026 Mini Shai-Hulud waves), what versions, when their last npm install occurred, and whether they have rotated CI/CD secrets in the last 72 hours.
  2. Credential rotation (next 5 days). Rotate any cloud, source-control, and secret-manager credentials that a compromised vendor could plausibly hold. Treat shared credentials as compromised by default. Red Hat's RHSB-2026-006 and Sonatype's writeup document the specific scopes the malware targets.
  3. Hunt and harden (next 5 days). Pull GitHub Actions audit logs, AWS/Azure CloudTrail/Activity logs, and Vault audit logs for the last 30 days. Look for anomalous secret reads, new IAM users, and suspicious npm publish events. Lock down preinstall permissions in CI/CD and pin every dependency by integrity hash.
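One way to start the hunt in step 3 over AWS logs, as an added example that is not from the article or from any vendor writeup: it scans CloudTrail records within a lookback window for new IAM principals or access keys and for secret reads by a principal not on an expected-reader list. The record shape follows CloudTrail's standard fields (eventTime, eventSource, eventName, userIdentity.arn); every account id, ARN and timestamp below is constructed.

```javascript
// Added example (not from the page): triage CloudTrail records for the hunt step's signals
// (new IAM users/keys, unexpected secret reads), limited to a lookback window.
const IAM_CHANGES = new Set(["CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"]);
const SECRET_READS = new Set(["GetSecretValue", "GetParameter", "GetParameters"]);

// records: parsed CloudTrail events; expectedReaders: principal ARNs allowed to read secrets;
// since: Date marking the start of the lookback (the article suggests 30 days).
function triageCloudTrail(records, expectedReaders, since) {
  const hits = [];
  for (const r of records) {
    if (new Date(r.eventTime) < since) continue;          // outside the hunt window
    const who = (r.userIdentity && r.userIdentity.arn) || "unknown";
    if (IAM_CHANGES.has(r.eventName)) {
      hits.push({ type: "iam-change", who, what: r.eventName, when: r.eventTime });
    } else if (SECRET_READS.has(r.eventName) && !expectedReaders.includes(who)) {
      hits.push({ type: "unexpected-secret-read", who, what: r.eventName, when: r.eventTime });
    }
  }
  return hits;
}

// Constructed sample records; the account id, principals and times are placeholders.
const ACCT = "111111111111";
const SAMPLE_RECORDS = [
  { eventTime: "2026-04-20T09:00:00Z", eventSource: "iam.amazonaws.com", eventName: "CreateUser",
    userIdentity: { arn: `arn:aws:iam::${ACCT}:user/admin` } },             // older than window
  { eventTime: "2026-06-01T10:00:00Z", eventSource: "secretsmanager.amazonaws.com",
    eventName: "GetSecretValue", userIdentity: { arn: `arn:aws:sts::${ACCT}:assumed-role/ci-deploy/run-42` } },
  { eventTime: "2026-06-01T10:05:00Z", eventSource: "secretsmanager.amazonaws.com",
    eventName: "GetSecretValue", userIdentity: { arn: `arn:aws:iam::${ACCT}:user/vendor-svc` } },
  { eventTime: "2026-06-01T10:07:00Z", eventSource: "iam.amazonaws.com", eventName: "CreateUser",
    userIdentity: { arn: `arn:aws:iam::${ACCT}:user/vendor-svc` } },
  { eventTime: "2026-06-01T10:08:00Z", eventSource: "iam.amazonaws.com", eventName: "CreateAccessKey",
    userIdentity: { arn: `arn:aws:iam::${ACCT}:user/vendor-svc` } },
];
const EXPECTED_READERS = [`arn:aws:sts::${ACCT}:assumed-role/ci-deploy/run-42`];
const SINCE = new Date("2026-05-02T00:00:00Z");           // 30 days before 2026-06-01

console.log(triageCloudTrail(SAMPLE_RECORDS, EXPECTED_READERS, SINCE));
```

On real data, feed it the `Records` array from exported CloudTrail JSON and an expected-reader list built from your deploy roles; every hit is a lead to verify, not a confirmed compromise.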

Quotable definition: An npm preinstall attack is a software supply chain compromise where the malicious code runs during package installation, before any application code executes, which means a developer or CI/CD runner is exposed the moment npm install completes regardless of whether the application is ever launched.

How do we harden CI/CD so the next Miasma does not land?

Six controls, executed once, monitored continuously. This is the same baseline an SMB underwriter or M&A buyer expects to see.

  1. Dependency pinning by integrity hash. Use npm ci with a locked package-lock.json and --ignore-scripts where possible. Never auto-update production builds.
  2. Allowlisted CI/CD runners. Use ephemeral, scoped runners with no long-lived cloud credentials.
  3. Short-lived secrets only. OIDC federation for AWS/Azure/GCP, time-bounded GitHub PATs, and Vault leases under 24 hours.
  4. SBOMs and dependency scanning. Track every third-party package in production with a software bill of materials.
  5. Build-time secret detection. Pre-commit and pre-publish scanners that catch leaked tokens before they enter a registry.
  6. Vendor cybersecurity questionnaire. Standardize a one-page questionnaire that every software vendor signs annually, covering CI/CD hardening, dependency management, and incident notification SLA.
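Control 1 can be checked mechanically in a pipeline. The following is an added example, not code from the article, Red Hat or npm: it audits a parsed package-lock.json (lockfileVersion 2 or 3) for packages from a watched scope and for registry entries with no integrity hash, and reports which install-time lifecycle hooks a package.json declares. The watched scope is the one named in the article; the sample lockfile, package names, versions, URLs and hashes are constructed placeholders.

```javascript
// Added example (not from the page or from Red Hat): audit an npm lockfile for the two
// conditions control 1 cares about, then check a manifest for install-time hooks.
const WATCHED_SCOPES = ["@redhat-cloud-services"];             // scope named in the article
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"]; // all run during `npm install`

// lock: a parsed package-lock.json with lockfileVersion 2 or 3 ("packages" map keyed by path).
// Returns the watched-scope packages present and every registry entry lacking an integrity hash.
function auditLockfile(lock, scopes = WATCHED_SCOPES) {
  const findings = { scoped: [], unpinned: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                  // "" is the root project, not a dependency
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length); // handles nested paths
    if (scopes.some((s) => name.startsWith(s + "/"))) {
      findings.scoped.push({ name, version: entry.version });
    }
    // Workspace/link entries legitimately have no tarball; anything else must be hash-pinned
    if (!entry.integrity && !entry.link) findings.unpinned.push(name);
  }
  return findings;
}

// Returns which install-time lifecycle hooks a package.json declares (empty array = none).
function installHooks(pkg) {
  return INSTALL_HOOKS.filter((h) => pkg.scripts && typeof pkg.scripts[h] === "string");
}

// Constructed sample lockfile; package names, versions, URLs and hashes are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "vendor-dashboard", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/example-component": {
      version: "9.9.9", resolved: "https://registry.example.invalid/example.tgz",
      integrity: "sha512-PLACEHOLDERPLACEHOLDERPLACEHOLDER",
    },
    "node_modules/some-helper": { version: "2.0.0",
      resolved: "https://registry.example.invalid/some-helper.tgz" },   // no integrity field
    "node_modules/shared-ui": { resolved: "../packages/shared-ui", link: true },
  },
};
const SAMPLE_PKG = { name: "some-helper", scripts: { preinstall: "node setup.js", test: "jest" } };

const report = auditLockfile(SAMPLE_LOCK);
console.log(JSON.stringify(report), installHooks(SAMPLE_PKG));
```

In a pipeline, pass `JSON.parse(fs.readFileSync("package-lock.json"))` to `auditLockfile` and fail the build on any unpinned entry; run `installHooks` over each `node_modules/*/package.json` so that `npm ci --ignore-scripts` exceptions are granted per package rather than globally.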

Want a vendor-risk and CI/CD hardening sprint for your business? Call (336) 886-3282 or contact Preferred Data Corporation.

Why does a local NC partner help with a global npm event?

Because the response is mostly relationship work, not Node.js work. The questions that move the needle for an NC SMB are:

  • Which of my 14 vendors pulls from the affected scopes?
  • Did any of my cloud accounts have a credential rotation event in the last 72 hours that I cannot explain?
  • Does my cyber insurance carrier expect documented vendor outreach after a named supply chain incident?
  • Do I have evidence I can show an underwriter or M&A buyer?

A local managed partner that already knows your vendor map, your cloud topology, and your insurance posture closes those questions faster than a remote help desk reading a runbook. Preferred Data Corporation has supported NC small businesses for over 37 years, with on-site coverage within 200 miles of High Point and a controlled, in-house build pipeline for the PDC Software Suite that keeps third-party dependency exposure tightly scoped.

PDC supports this work through managed cybersecurity, managed IT services, and M&A IT advisory.

Frequently Asked Questions

Were any Red Hat enterprise products shipped with the compromised npm packages?

No. Per Red Hat's RHSB-2026-006 advisory, version pinning by Red Hat engineering prevented contamination of Red Hat enterprise products. The exposure is downstream, in third-party applications and SaaS products that pull from the @redhat-cloud-services npm scope.

How many weekly downloads were affected?

The affected packages average roughly 80,000 downloads per week combined, per Wiz Research's June 1 disclosure. That number understates real exposure because each install fans out to every CI/CD job and every downstream application that builds with those packages.

Is this the same threat group as the May 2026 Mini Shai-Hulud waves?

Yes. Wiz Research and Snyk attribute Miasma to TeamPCP, the same threat actor behind the TanStack and AntV compromises and the May 28 typosquat wave. The malware family is Mini Shai-Hulud, a self-propagating credential-stealing worm.

What if my vendor will not respond about their npm exposure?

That is a vendor-risk finding in its own right. A vendor without a 72-hour incident response window after a named npm compromise should be flagged for cyber insurance audit purposes and, where the relationship is critical, replaced. NC SMBs should standardize a vendor cybersecurity questionnaire and require signed annual attestations.

Should we rotate cloud credentials even if we have not confirmed compromise?

Yes, for any credential a compromised vendor could plausibly hold. The cost of rotation is hours; the cost of an unreported AWS/Azure breach is six figures. The 2026 default posture for NC SMBs after a named supply chain event is "rotate first, ask questions second."
