{"name":"MIASMA_REDHAT_2026 - campaign","description":"# Executive Threat Brief — MIASMA_REDHAT_2026\n\n## Campaign Snapshot\n\nOn June 1, 2026, a threat actor compromised a Red Hat employee's GitHub account and used it to publish malware into 32 official packages under the `@redhat-cloud-services` npm scope. The malicious releases — 96 versions in total — ran automatically on every `npm install` before any application code executed, sweeping cloud credentials, SSH keys, and CI/CD secrets from every affected host. The payload brands itself \"Miasma: The Spreading Blight\" and is a direct derivative of the Mini Shai-Hulud tooling that TeamPCP open-sourced in May 2026, meaning any operator can now deploy structurally identical attacks against new targets.\n\nEvery malicious version was published using legitimate, short-lived OIDC credentials from GitHub's Trusted Publishing mechanism. No long-lived tokens were stolen to enable the attack. Conventional scanner workflows that depend on CVE assignment detected nothing — no CVE, GHSA, or OSV record exists for any affected package version. The 32 packages collectively accumulate 116,991 weekly downloads, covering Red Hat's core Hybrid Cloud Console frontend library, all Insights-platform API clients, and three new MCP (Model Context Protocol) packages. Any CI pipeline or developer workstation that ran `npm install` against the affected scope on or after June 1, 2026 at 10:54 UTC should be treated as fully compromised.\n\nThe payload is self-propagating. Stolen npm tokens are used with `bypass_2fa: true` to republish backdoored versions of other packages the victim account can publish, making each compromised host a potential vector for secondary downstream infections with no further attacker involvement.\n\n---\n\n## What Is Affected\n\n### Software\n\n| Software | Vulnerable Version | Safe Version | Action |\n|----------|-------------------|--------------|--------|\n| N/A (campaign is package-level) | N/A | N/A | Focus on packages, CI runners, developer endpoints |\n\n### Containers\n\n| Image | Vulnerable Tag | Safe Tag | Registry | Action |\n|-------|----------------|----------|----------|--------|\n| Any Red Hat tooling container using @redhat-cloud-services npm dependencies | Any tag built after June 1, 2026 10:54 UTC | Pre-June 1 build | All | Rebuild from clean environment; rotate secrets baked into build cache |\n\n### Libraries / Packages — Full IOC Set (96 compromised versions across 32 packages)\n\n| Package | Ecosystem | Compromised Versions | Last Known-Clean | Action |\n|---------|-----------|---------------------|-----------------|--------|\n| @redhat-cloud-services/chrome | npm | 2.3.1, 2.3.2, 2.3.4 | 2.3.0 | Remove; rotate secrets; audit persistence |\n| @redhat-cloud-services/compliance-client | npm | 4.0.3, 4.0.4, 4.0.6 | 4.0.2 | Remove; rotate secrets |\n| @redhat-cloud-services/config-manager-client | npm | 5.0.4, 5.0.5, 5.0.7 | 5.0.3 | Remove; rotate secrets |\n| @redhat-cloud-services/entitlements-client | npm | 4.0.11, 4.0.12, 4.0.14 | 4.0.10 | Remove; rotate secrets |\n| @redhat-cloud-services/eslint-config-redhat-cloud-services | npm | 3.2.1, 3.2.2, 3.2.4 | 3.2.0 | Remove; rotate secrets |\n| @redhat-cloud-services/frontend-components | npm | 7.7.2, 7.7.3, 7.7.5 | 7.7.1 | Remove; rotate secrets |\n| @redhat-cloud-services/frontend-components-advisor-components | npm | 3.8.2, 3.8.4, 3.8.6 | 3.8.1 | Remove; rotate secrets |\n| @redhat-cloud-services/frontend-components-config | npm | 6.11.3, 6.11.4, 6.11.6 | 6.11.2 | Remove; rotate secrets |\n| @redhat-cloud-services/frontend-components-config-utilities | npm | 4.11.2, 4.11.3, 4.11.5 | 4.11.1 | Remove; rotate secrets |\n| @redhat-cloud-services/frontend-components-notifications | npm | 6.9.2, 6.9.3, 6.9.5 | 6.9.1 | Remove; rotate secrets |\n| @redhat-cloud-services/frontend-components-remediations | npm | 4.9.2, 4.9.3, 4.9.5 | 4.9.1 | Remove; rotate secrets |\n| @redhat-cloud-services/frontend-components-testing | npm | 1.2.1, 1.2.2, 1.2.4 | 1.2.0 | Remove; rotate secrets |\n| @redhat-cloud-services/frontend-components-translations | npm | 4.4.1, 4.4.2, 4.4.4 | 4.4.0 | Remove; rotate secrets |\n| @redhat-cloud-services/frontend-components-utilities | npm | 7.4.1, 7.4.2, 7.4.4 | 7.4.0 | Remove; rotate secrets |\n| @redhat-cloud-services/hcc-feo-mcp | npm | 0.3.1, 0.3.2, 0.3.4 | 0.3.0 | Remove; rotate secrets; high-value AI workflow target |\n| @redhat-cloud-services/hcc-kessel-mcp | npm | 0.3.1, 0.3.2, 0.3.4 | 0.3.0 | Remove; rotate secrets; high-value AI workflow target |\n| @redhat-cloud-services/hcc-pf-mcp | npm | 0.6.1, 0.6.2, 0.6.4 | 0.6.0 | Remove; rotate secrets; DGA C2 pattern detected |\n| @redhat-cloud-services/host-inventory-client | npm | 5.0.3, 5.0.4, 5.0.6 | 5.0.2 | Remove; rotate secrets |\n| @redhat-cloud-services/insights-client | npm | 4.0.4, 4.0.5, 4.0.7 | 4.0.3 | Remove; rotate secrets |\n| @redhat-cloud-services/integrations-client | npm | 6.0.4, 6.0.5, 6.0.7 | 6.0.3 | Remove; rotate secrets |\n| @redhat-cloud-services/javascript-clients-shared | npm | 2.0.8, 2.0.9, 2.0.11 | 2.0.7 | Remove; rotate secrets |\n| @redhat-cloud-services/notifications-client | npm | 6.1.4, 6.1.5, 6.1.7 | 6.1.3 | Remove; rotate secrets |\n| @redhat-cloud-services/patch-client | npm | 4.0.4, 4.0.5, 4.0.7 | 4.0.3 | Remove; rotate secrets |\n| @redhat-cloud-services/quickstarts-client | npm | 4.0.11, 4.0.12, 4.0.14 | 4.0.10 | Remove; rotate secrets |\n| @redhat-cloud-services/rbac-client | npm | 9.0.3, 9.0.4, 9.0.6 | 9.0.2 | Remove; rotate secrets |\n| @redhat-cloud-services/remediations-client | npm | 4.0.4, 4.0.5, 4.0.7 | 4.0.3 | Remove; rotate secrets |\n| @redhat-cloud-services/rule-components | npm | 4.7.2, 4.7.3, 4.7.5 | 4.7.1 | Remove; rotate secrets |\n| @redhat-cloud-services/sources-client | npm | 3.0.10, 3.0.11, 3.0.13 | 3.0.9 | Remove; rotate secrets |\n| @redhat-cloud-services/topological-inventory-client | npm | 3.0.10, 3.0.11, 3.0.13 | 3.0.9 | Remove; rotate secrets |\n| @redhat-cloud-services/tsc-transform-imports | npm | 1.2.2, 1.2.4, 1.2.6 | 1.2.1 | Remove; rotate secrets |\n| @redhat-cloud-services/types | npm | 3.6.1, 3.6.2, 3.6.4 | 3.6.0 | Remove; rotate secrets |\n| @redhat-cloud-services/vulnerabilities-client | npm | 2.1.8, 2.1.9, 2.1.11 | 2.1.7 | Remove; rotate secrets |\n\n---\n\n## Business Impact\n\n- **Credential theft from CI/CD environments:** Every CI runner that executed `npm install` against an affected package version had its GitHub tokens, AWS credentials, GCP service account keys, Azure service principal credentials, HashiCorp Vault tokens, Kubernetes service account tokens, and npm publish tokens in scope for exfiltration. The payload extracted masked CI secrets directly from GitHub Actions runner process memory, bypassing log masking entirely.\n- **Developer workstation compromise:** On developer machines, the payload daemonized and continued credential collection after install completed. Persistence was injected into Claude Code's SessionStart hooks (`~/.claude/settings.json`) and VS Code's workspace task runner (`.vscode/tasks.json`). `npm uninstall` does not remove these artifacts.\n- **Self-propagating worm risk:** Stolen npm tokens with `bypass_2fa: true` were used to republish backdoored versions of other packages the victim account could publish. A single compromised developer account could seed infections into entirely separate package namespaces.\n- **AI toolchain targeting:** The three MCP packages (hcc-feo-mcp, hcc-kessel-mcp, hcc-pf-mcp) are specifically invoked in AI assistant workflows with access to code, filesystem, and cloud management APIs. Their deliberate inclusion in the attacker's target list reflects increased attacker focus on AI developer tooling.\n- **Zero-CVE detection gap:** No CVE, GHSA, or OSV record exists for any compromised version. Organizations relying exclusively on CVE-driven scanning had no detection surface during the active exposure window.\n- **OIDC Trusted Publishing abuse:** All malicious releases carried legitimate npm publish provenance, because the attacker used GitHub's OIDC Trusted Publishing mechanism via a compromised account. Organizations that implemented provenance verification as a supply chain control received clean verification signals on every poisoned package.\n- **Dual-channel exfiltration:** Stolen credentials were sent via AES-256-GCM encrypted HTTPS POST and also committed as encrypted JSON files to victim GitHub repositories through the GitHub Contents API, routing exfiltration through `api.github.com` — universally permitted in CI network policies.\n\n---\n\n## Immediate Actions (Next 24–72 Hours)\n\n1. **Enterprise-wide lockfile sweep** for all 32 compromised package names at any version listed above, across repositories, lockfiles (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`), CI caches, and developer machines.\n Owner: AppSec / DevSecOps\n Deadline: 24h\n\n2. **Set `npm config set ignore-scripts true`** on all CI runners as a blocking measure. Validate compatibility with other dependencies first.\n Owner: DevOps\n Deadline: 24h\n\n3. **Rotate all credentials** on any environment that ran `npm install` on or after June 1, 2026 10:54 UTC: GitHub PATs, npm publish tokens, AWS access keys, GCP service account keys, Azure service principal credentials, HashiCorp Vault tokens, Kubernetes service account tokens, SSH private keys, Docker registry credentials.\n Owner: Security + DevOps\n Deadline: 24–48h\n\n4. **Audit and remove developer workstation persistence artifacts:** check `~/.claude/settings.json` for unexpected `SessionStart` hooks; check `.vscode/tasks.json` in all project directories for unexpected `folderOpen` tasks; remove `/tmp/p*.js`, `/tmp/b-*` Bun directories, `tmp.0987654321.lock`.\n Owner: IT / SecOps\n Deadline: 24h\n\n5. **Revoke GitHub Actions OIDC Trusted Publishing bindings** for all affected packages in the three RedHatInsights repositories. Do not re-establish until Red Hat confirms pipeline integrity.\n Owner: DevOps / AppSec\n Deadline: 48h\n\n6. **Audit GitHub organization activity** for commits containing `IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner`, files matching `results-{timestamp}-{counter}.json`, and unexpected changes to `.github/workflows/*.yml`.\n Owner: SecOps\n Deadline: 48h\n\n7. **Rebuild container images** built after June 1, 2026 that used Red Hat npm tooling in their build stage, from clean environments with clean base images.\n Owner: Platform / DevOps\n Deadline: 48–72h\n\n8. **Block npm package cooldown enforcement** via private registry proxy: require a review period before new `@redhat-cloud-services` versions are served to pipelines until Red Hat publishes confirmed-clean successors.\n Owner: DevOps\n Deadline: 72h\n\n---\n\n## Key IOCs (Fast Reference)\n\n| Type | Value | Context |\n|------|-------|---------|\n| Payload string | `Miasma: The Spreading Blight` | Primary campaign self-identification string |\n| Payload string | `IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner` | GitHub API fallback exfiltration commit message prefix |\n| Payload string | `thebeautifulmarchoftime` | Internal string table marker |\n| Payload string | `f4abccab2` | Custom decryption function identifier |\n| Host Artifact | `/tmp/p{random}.js` | Decrypted runtime payload written before execution |\n| Host Artifact | `tmp.0987654321.lock` | Deduplication lock preventing duplicate daemon instances |\n| Persistence | `~/.claude/settings.json` (modified) | Claude Code SessionStart hook |\n| Persistence | `.vscode/tasks.json` (modified) | VS Code folderOpen execution |\n| Process | `__IS_DAEMON` env var | Daemonization marker on developer workstations |\n| File Hash (SHA256) | `88896d478986d453f5da79b311de39d9b4b1bea95c21af1d8ef181b0f4e52fe9` | @redhat-cloud-services/chrome@2.3.1 tarball |\n| File Hash (SHA256) | `21b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4` | @redhat-cloud-services/chrome@2.3.1 index.js |\n| File Hash (SHA256) | `0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35` | Decrypted main payload (_p) |\n| File Hash (SHA256) | `ac2a2208e1726e008be6c73dc0872d9bba163319259dff1b62055ac933ca46b6` | Decrypted Bun helper (_b) |\n| Domain | `api.github[.]com` | C2 traffic disguised as GitHub API; User-Agent: python-requests/2.31.0 |\n| URL | `https://github[.]com/oven-sh/bun/releases/download/bun-v1.3.13/` | Bun runtime staging download |\n| URL | `hxxps://registry.npmjs[.]org/-/npm/v1/tokens` | Token enumeration for worm propagation |\n| URL | `hxxp://169.254.169.254/latest/meta-data/iam/security-credentials/` | AWS instance metadata credential harvesting |\n| Crypto Key | `4c26cf9791bce1bfd4b84eba80ce2754` | AES-128-GCM key for Bun helper (_b) blob |\n| Crypto Key | `ec514c074caf0ffdce6c66a0e95753d8` | AES-128-GCM key for main payload (_p) blob |\n\n---\n\n## Risk Summary\n\n| Dimension | Rating | Rationale |\n|-----------|--------|-----------|\n| Exploitability | Critical | Preinstall hook fires on `npm install` with no import required; daemonizes on developer workstations; fires in CI without user interaction |\n| Blast Radius | Critical | 32 packages, 96 versions, 116,991 weekly downloads; self-propagating via `bypass_2fa: true`; covers CI runners, developer machines, container builds, and Kubernetes environments simultaneously |\n| Persistence Risk | Critical | Claude Code SessionStart and VS Code folderOpen hooks survive `npm uninstall`; persist across developer sessions until explicitly removed |\n| Remediation Complexity | Critical | Requires lockfile updates across all repositories, credential rotation across all cloud providers, persistence cleanup on all developer machines, OIDC rebinding review, and container image rebuilds — all before clean successor versions are published |\n| Business Exposure | Critical | Red Hat Hybrid Cloud Console and Insights platform toolchain compromised; MCP packages targeting AI developer workflows; zero-CVE gap means standard scanning missed the entire campaign window |\n"}