Miasma npm Supply Chain Attack (1 decision on this page)

Audit log

Every state-changing event for Miasma npm Supply Chain Attack: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1 publish by system:backfill
    2026-06-16 17:12:24Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 426,895,149
    sig: 5KkBtX9cUmG1…CGcZVzVr
    hash: DbbKCqFLxhSM…HDs6PmAR (sha256 → base58)
    canonical bytes (38553 B):
    {"actor":"system:backfill","investigation_id":"ef1dce2b-5830-4138-aed8-2282bfc73f33","kind":"publish","page_slug":"miasma-npm-supply-chain-attack","published_at":"2026-06-16T17:12:24.114Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Miasma npm Supply Chain Attack","sections":[{"content":"The Miasma campaign began on June 1, 2026, when 32 packages under Red Hat's @redhat-cloud-services npm namespace were compromised. The attack was named 'Miasma: The Spreading Blight' — a label the malware itself inscribed as the description of newly created GitHub repositories and commit messages left during propagation. The campaign evolved across at least three documented waves over ten days, expanding to the npm packages of AI infrastructure companies, individual open-source maintainers, and eventually Microsoft Azure's GitHub presence. Across all waves, researchers estimated over 170 npm and PyPI packages were compromised with a combined download exposure exceeding 518 million cumulative weekly downloads. The malware is technically classified as a variant of Mini Shai-Hulud, a supply chain worm framework open-sourced by threat actor TeamPCP. 
A dead-man switch embedded in the payload — a string reading 'IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner' — reportedly triggers destructive actions if stolen tokens are revoked.","heading":"Campaign Overview","severity":"critical","sources":[{"credibility":2,"name":"Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages — Wiz Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":1,"name":"Mini Shai-Hulud Supply Chain Attack CVE-2026-45321 FAQ — Tenable","type":"research","url":"https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"}]},{"content":"In Wave 1, an attacker used a compromised Red Hat employee GitHub account to inject malicious orphan commits into repositories in the RedHatInsights GitHub organization. The breach vector was an infostealer infection on a Red Hat developer's device: stolen credentials and an active session cookie first appeared in infostealer logs on April 13, 2026, and resurfaced on May 15, 2026 — 48 days before the active attack. The malicious commits abused GitHub Actions OpenID Connect (OIDC) trusted publishing to upload trojanized package versions directly to the public npm registry, generating valid SLSA provenance attestations for the compromised builds. Two waves of malicious commits were pushed on June 1, 2026, at 10:53 UTC and again at 13:44–13:46 UTC. At least 32 packages across the @redhat-cloud-services scope were affected, covering approximately 80,000 to 117,000 weekly downloads. 
Affected packages included @redhat-cloud-services/frontend-components (versions 7.7.2–7.7.5), @redhat-cloud-services/rbac-client (versions 9.0.3–9.0.6), @redhat-cloud-services/compliance-client (versions 4.0.3–4.0.6), and additional clients including vulnerabilities-client, sources-client, remediations-client, and rule-components. The payload — a 4.2 MB obfuscated JavaScript file — executed at npm install time via a preinstall hook, employing eval() calls and ROT-based decoding with unique per-infection encryption to impede hash-based detection.","heading":"Wave 1: Red Hat @redhat-cloud-services Compromise (June 1, 2026)","severity":"critical","sources":[{"credibility":2,"name":"Miasma Supply Chain Attack: the Seven-Week Credential Trail — CybelAngel","type":"research","url":"https://cybelangel.com/blog/miasma-supply-chain-attack-the-seven-week-credential-trail/"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages — Wiz Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":2,"name":"Miasma: Red Hat npm Supply Chain Worm — Cloud Security Alliance Labs","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-miasma-npm-supply-chain-redhat-20260603-cs/"},{"credibility":2,"name":"CA-26-018: Miasma/Mini Shai-Hulud Compromise of Red Hat npm Packages — Deepwatch","type":"research","url":"https://www.deepwatch.com/labs/ca-26-018-miasma-mini-shai-hulud-compromise-of-red-hat-npm-packages/"},{"credibility":1,"name":"Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/"}]},{"content":"Two days after the initial Red Hat compromise, a second wave struck the npm registry in a rolling campaign lasting under two hours 
beginning at 23:30 UTC on June 3, 2026. This wave compromised 57 packages across 286 or more malicious versions. The attack departed from the preinstall hook technique: instead, the attacker added a 157-byte binding.gyp file to published tarballs, exploiting gyp's command substitution syntax (syntax: node index.js > /dev/null 2>&1 && echo stub.c) to trigger execution during npm install without declaring any scripts in package.json — a technique subsequently named 'Phantom Gyp' by StepSecurity researchers. The largest victim was @vapi-ai/server-sdk (408,000+ monthly downloads), hit first at 23:30 UTC via a compromised unexpired GitHub access token belonging to a Vapi developer. Versions 0.11.1, 0.11.2, 1.2.1, and 1.2.2 were affected; Vapi confirmed these malicious versions had zero downloads before removal. The attacker also published malicious versions of over 50 packages belonging to npm maintainer jagreehal, including ai-sdk-ollama (120,000+ monthly downloads), along with packages in the autotel, awaitly, executable-stories, node-env-resolver, and wrangler-deploy families. Additional packages including discord-search, create-cf-token, dbmux, creditcard.js, github-archiver, and several @forjacms packages were confirmed compromised. Stolen credentials were exfiltrated to GitHub repositories under account liuende501, which hosted 236 programmatically created repositories. Cumulative monthly download exposure across Wave 2 was estimated at 647,204, with approximately 152,000 downloads per week during the attack window. 
Over 118 GitHub repositories were found to contain stolen credentials in the immediate aftermath.","heading":"Wave 2: Phantom Gyp — 57 Packages via binding.gyp (June 3, 2026)","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":1,"name":"Our response to the June 3, 2026 supply chain incident — Vapi.ai","type":"official","url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"credibility":2,"name":"600,000 Monthly Downloads Affected: Miasma Supply Chain Attack Is Back on npm — OX Security","type":"research","url":"https://www.ox.security/blog/600000-monthly-downloads-affected-miasma-supply-chain-attack-is-back-on-npm/"},{"credibility":2,"name":"Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages — Corgea","type":"research","url":"https://corgea.com/research/miasma-phantom-gyp-npm-worm-vapi-ai-sdk-ollama-june-2026"},{"credibility":2,"name":"IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"}]},{"content":"Wave 3, reported on June 5 and June 8, 2026, represented a significant escalation: the attack bypassed the npm registry entirely and instead targeted GitHub repositories, specifically configuring them to trigger execution automatically when developers opened the repository in AI coding tools. 
A malicious commit was pushed to the Azure/durabletask repository, injecting five files designed to auto-execute: .claude/settings.json (Claude Code SessionStart hook), .gemini/settings.json (Gemini CLI SessionStart hook), .cursor/rules/setup.mdc (Cursor AI prompt injection marked alwaysApply: true), .vscode/tasks.json (VS Code folder-open auto-run task), and .github/setup.js (a 4.6 MB obfuscated payload). GitHub's automated detection disabled 73 Microsoft repositories across four organizations within 105 seconds, spanning two rapid bursts at 16:00:50–16:01:28 UTC and 16:02:24–16:02:35 UTC. Affected organizations included Azure (49 repositories), microsoft (10 repositories), Azure-Samples (13 repositories), and MicrosoftDocs (1 repository). The disabling of Azure/functions-action broke GitHub Actions workflows globally for projects referencing the @v1 tag, with over 20 developers reporting broken deployments within hours. SafeDep researchers connected this wave to an earlier May 19, 2026 PyPI compromise of the durabletask package (three malicious versions deploying a credential harvester named rope.pyz) through the same compromised contributor account. The Miasma toolkit was confirmed to target 13 AI coding tools including Claude Code, Gemini CLI, Cursor, GitHub Copilot, and Kiro. 
The Shai-Hulud Wave 3 and subsequent Hades wave reportedly dropped 37 malicious Python wheels onto PyPI in parallel.","heading":"Wave 3: AI Coding Agent Targeting and Microsoft Azure GitHub Repositories (June 5, 2026)","severity":"critical","sources":[{"credibility":2,"name":"Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents"},{"credibility":2,"name":"Miasma Worm Targets AI Coding Agents via GitHub Repos — SafeDep","type":"research","url":"https://safedep.io/miasma-worm-ai-coding-agent-config-injection/"},{"credibility":2,"name":"Miasma Worm Reaches Microsoft Azure and PyPI: 73 Repositories Disabled, Hades Wave Drops 37 Malicious Python Wheels — Phoenix Security","type":"research","url":"https://phoenix.security/miasma-azure-hades-pypi-supply-chain-worm-2026/"},{"credibility":2,"name":"It's In Your AI Assistant Now: Shai-Hulud Wave 3 and the Miasma Worm Targeting npm — Morphisec","type":"research","url":"https://www.morphisec.com/blog/its-in-your-ai-assistant-now-shai-hulud-wave-3-and-the-miasma-worm-targeting-npm/"}]},{"content":"The Miasma malware functions as a comprehensive supply chain attack toolkit with self-propagation, credential exfiltration, and persistence capabilities. At install time the primary payload (4.2–4.6 MB, depending on wave) executes through npm lifecycle hooks or the binding.gyp Phantom Gyp technique. It employs five-layer build obfuscation with per-build random keys, making hash-based detection unreliable. 
The credential sweep targets: GitHub tokens and Personal Access Tokens (PATs), npm authentication tokens, AWS access keys, Google Cloud Platform (GCP) credentials, Azure identities, HashiCorp Vault tokens, Kubernetes service account secrets, SSH private keys, and environment variables from configuration files for 13 AI coding tools. One source (Hexnode, citing original vendor research) noted the malware also harvests browser-stored credentials and local crypto wallet files, with the Exodus cryptocurrency desktop wallet specifically mentioned as a collection target. After harvesting npm tokens, the malware calls the npm publish API with bypass_2fa to push backdoored versions of other packages the victim account can publish, creating a worm propagation loop. It creates a public GitHub repository in the victim's account titled 'Miasma: The Spreading Blight' and injects .github/setup.js into unprotected branches so that subsequent CI runs reignite the chain. Persistence is established via a systemd service (gh-token-monitor.service) and via hooks injected into developer tool configuration files. Exfiltration infrastructure observed included GitHub repositories under attacker-controlled accounts and an alleged decoy address mimicking api.anthropic.com port 443. 
The malware explicitly skips execution on systems where the OS language is set to Russian.","heading":"Malware Mechanics and Technical Capabilities","severity":"critical","sources":[{"credibility":2,"name":"Inside the Miasma Supply Chain Attack Toolkit — SafeDep","type":"research","url":"https://safedep.io/inside-the-miasma-supply-chain-attack-toolkit/"},{"credibility":2,"name":"CA-26-018: Miasma/Mini Shai-Hulud Compromise of Red Hat npm Packages — Deepwatch","type":"research","url":"https://www.deepwatch.com/labs/ca-26-018-miasma-mini-shai-hulud-compromise-of-red-hat-npm-packages/"},{"credibility":2,"name":"Miasma Malware Fuels Red Hat npm Supply-Chain Attack — Hexnode","type":"news_article","url":"https://www.hexnode.com/blogs/miasma-malware-red-hat-npm-supply-chain-attack/"},{"credibility":2,"name":"Miasma: A Worming npm Supply Chain Attack on Red Hat Cloud Services — Upwind","type":"research","url":"https://www.upwind.io/feed/miasma-npm-supply-chain-worm-redhat-credential-harvest"},{"credibility":2,"name":"New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages — Sonatype","type":"research","url":"https://www.sonatype.com/blog/new-shai-hulud-miasma-wave-hits-hundreds-of-npm-packages"}]},{"content":"The Miasma campaign's direct cryptocurrency and DeFi impact is limited by available public evidence, though several crypto-relevant vectors were confirmed. The malware collectors enumerate local Exodus cryptocurrency wallet files on infected developer systems. Multiple sources confirmed the malware harvests browser-stored credentials and wallet data from developer machines. One source noted that a cryptocurrency wallet address associated with the campaign was confirmed empty with no transactions recorded as of early June 2026, suggesting either no attempted withdrawal or rapid operational security practices by the attacker. The malware's primary focus was cloud infrastructure credential theft rather than direct wallet drainage. 
However, the substantial developer-facing blast radius — particularly through the @vapi-ai/server-sdk package (408,000+ monthly downloads) and packages used in AI and developer infrastructure — means any crypto project developers who ran npm install against affected versions in the June 1–5 window should treat all credentials on affected systems as compromised. If stolen developer credentials included access to smart contract deployment pipelines, private keys stored in CI/CD environment variables, or wallet seed phrases in developer configuration files, downstream losses from those credentials are plausible but have not been publicly confirmed. No specific DeFi protocols or crypto exchanges were named as direct victims in any Tier 1 or Tier 2 source reviewed.","heading":"Cryptocurrency and DeFi Impact","severity":"high","sources":[{"credibility":2,"name":"Miasma Malware Fuels Red Hat npm Supply-Chain Attack — Hexnode","type":"news_article","url":"https://www.hexnode.com/blogs/miasma-malware-red-hat-npm-supply-chain-attack/"},{"credibility":2,"name":"Mini Shai-Hulud \"Miasma: The Spreading Blight\" Hits @redhat-cloud-services — SafeDep","type":"research","url":"https://safedep.io/redhat-cloud-services-hit-by-mini-shai-hulud-npm-worm/"},{"credibility":2,"name":"IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"}]},{"content":"Researchers at Wiz, The Hacker News, Tenable, and Deepwatch linked Miasma to the Mini Shai-Hulud malware framework developed by threat actor TeamPCP, also tracked as UNC6780 (Google Threat Intelligence), Replicating Marauder, TGR-CRI-1135, DeadCatx3, PCPcat, ShellForce, and CipherForce. The Shai-Hulud worm family has an attributed history dating to September 2025. 
TeamPCP is described as an 'infamous cybercrime group' that subsequently open-sourced the Shai-Hulud codebase, creating attribution ambiguity: any competent copycat actor with access to the public code could reproduce the same techniques. Researchers consistently note that observable tactical, technique, and procedure (TTP) overlap should be treated as evidence of malware family reuse rather than definitive attribution to TeamPCP specifically. The Russian-language exclusion logic embedded in the malware (skipping execution on Russian-locale systems) is a noted characteristic but does not constitute attribution. No law enforcement agency had publicly named a responsible individual or organization as of June 16, 2026.","heading":"Attribution","severity":"high","sources":[{"credibility":2,"name":"Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"credibility":1,"name":"Mini Shai-Hulud Supply Chain Attack CVE-2026-45321 FAQ — Tenable","type":"research","url":"https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages — Wiz Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":3,"name":"Miasma / TeamPCP npm Attack: How to Scan Your Machine in 5 Minutes — ConcreteCMS","type":"community_report","url":"https://www.concretecms.com/about/blog/ai/miasma-teampcp-npm-supply-chain-attack"}]},{"content":"A notable technical milestone of the Miasma campaign was the demonstrated defeat of SLSA (Supply-chain Levels for Software Artifacts) Build Level 3 cryptographic provenance verification. In Wave 1, the attacker's abuse of GitHub Actions OIDC trusted publishing generated valid SLSA provenance attestations for trojanized package versions. 
Tenable researchers characterized this as 'a watershed moment in supply chain security,' noting that 'provenance attestation can verify that the build pipeline is legitimate without verifying that the code being built is safe.' This exposed a fundamental gap: signed build artifacts and cryptographic attestation do not protect against compromised upstream code. A related CVE, CVE-2026-45321 (CVSS v3: 9.6, Tenable VPR: 9.2), was assigned to a distinct but related Miasma-family wave that compromised 42 @tanstack packages across 84 malicious versions via chained GitHub Actions pull_request_target workflow abuse, generating OIDC tokens from a forked repository context. Additional high-profile confirmed victims of the broader Shai-Hulud campaign family included OpenAI (two employee devices compromised with limited credential exfiltration from internal code repositories, including code-signing certificates), Mistral AI (codebase management system compromised), and a reported breach of approximately 3,800 GitHub internal repositories via a trojanized Nx Console extension. 
The European Commission reportedly suffered over 90 GB of data exfiltration in an earlier Shai-Hulud wave (the Trivy wave), though this predates the June 2026 Miasma waves.","heading":"SLSA Provenance Defeat and Broader Security Implications","severity":"critical","sources":[{"credibility":1,"name":"Mini Shai-Hulud Supply Chain Attack CVE-2026-45321 FAQ — Tenable","type":"research","url":"https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"},{"credibility":2,"name":"Red Hat npm Packages Compromised, 57 More Follow: Signed Attestations Cannot Block Pipeline Hijack — TechTimes","type":"news_article","url":"https://www.techtimes.com/articles/317832/20260605/red-hat-npm-packages-compromised-57-more-follow-signed-attestations-cannot-block-pipeline-hijack.htm"},{"credibility":2,"name":"Miasma: Anatomy of an Open-Source Supply-Chain Worm — OSSPrey","type":"research","url":"https://www.ossprey.com/blog/miasma-anatomy-of-an-open-source-supply-chain-worm"}]},{"content":"Confirmed or alleged directly affected organizations include Red Hat (32 packages in @redhat-cloud-services npm namespace), Vapi.ai (@vapi-ai/server-sdk, four malicious versions with zero downloads before removal), individual npm maintainer jagreehal (50+ packages), and Microsoft (73 GitHub repositories disabled across Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations). The broader Shai-Hulud campaign family allegedly affected OpenAI, Mistral AI, and reportedly GitHub itself. Red Hat, Vapi, and Microsoft all published incident responses and remediation guidance. 
For Wave 1 (Red Hat) and Wave 2 (Phantom Gyp), security researchers recommended: immediately rotating all npm tokens, GitHub Personal Access Tokens, AWS/GCP/Azure credentials, HashiCorp Vault tokens, Kubernetes service account secrets, and SSH keys on any system where affected packages were installed; removing persistence artifacts including the gh-token-monitor.service systemd unit, modifications to .vscode/tasks.json, and ~/.claude/settings.json entries; auditing CI/CD logs for Bun runtime downloads or cloud metadata API access; and re-running npm install with the --ignore-scripts flag after clearing affected versions. For Wave 3 (AI coding agent targeting), developers were warned to inspect repository-level configuration files (.claude/, .gemini/, .cursor/, .vscode/) in any repository cloned from affected organizations before opening them in an AI coding tool.","heading":"Affected Organizations and Remediation","severity":"high","sources":[{"credibility":1,"name":"Our response to the June 3, 2026 supply chain incident — Vapi.ai","type":"official","url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"credibility":2,"name":"Miasma: Red Hat npm Supply Chain Worm — Cloud Security Alliance Labs","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-miasma-npm-supply-chain-redhat-20260603-cs/"},{"credibility":2,"name":"Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents"},{"credibility":2,"name":"Red Hat npm Packages Compromised in Supply-Chain Attack Spreading Credential-Stealing Worm — Orca Security","type":"research","url":"https://orca.security/resources/blog/red-hat-npm-supply-chain-attack/"},{"credibility":2,"name":"Developers urged to remain 
vigilant amid continued Miasma malware risks — IT Pro","type":"news_article","url":"https://www.itpro.com/security/malware/miasma-malware-developer-warning-github-compromise"}]}],"sources_used":[{"credibility":2,"name":"Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"credibility":2,"name":"IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages — Wiz Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents"},{"credibility":1,"name":"Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/"},{"credibility":1,"name":"Our response to the June 3, 2026 supply chain incident — Vapi.ai","type":"official","url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"credibility":1,"name":"Mini Shai-Hulud Supply Chain Attack CVE-2026-45321 FAQ — 
Tenable","type":"research","url":"https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"},{"credibility":2,"name":"CA-26-018: Miasma/Mini Shai-Hulud Compromise of Red Hat npm Packages — Deepwatch","type":"research","url":"https://www.deepwatch.com/labs/ca-26-018-miasma-mini-shai-hulud-compromise-of-red-hat-npm-packages/"},{"credibility":2,"name":"New Shai-Hulud hits npm: @redhat-cloud-services Compromised — OX Security","type":"research","url":"https://www.ox.security/blog/new-npm-supply-chain-attack-redhat-cloud-services-compromised/"},{"credibility":2,"name":"600,000 Monthly Downloads Affected: Miasma Supply Chain Attack Is Back on npm — OX Security","type":"research","url":"https://www.ox.security/blog/600000-monthly-downloads-affected-miasma-supply-chain-attack-is-back-on-npm/"},{"credibility":2,"name":"Miasma Supply Chain Attack: the Seven-Week Credential Trail — CybelAngel","type":"research","url":"https://cybelangel.com/blog/miasma-supply-chain-attack-the-seven-week-credential-trail/"},{"credibility":2,"name":"Miasma: Red Hat npm Supply Chain Worm — Cloud Security Alliance Labs","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-miasma-npm-supply-chain-redhat-20260603-cs/"},{"credibility":2,"name":"New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages — Sonatype","type":"research","url":"https://www.sonatype.com/blog/new-shai-hulud-miasma-wave-hits-hundreds-of-npm-packages"},{"credibility":2,"name":"Inside the Miasma Supply Chain Attack Toolkit — SafeDep","type":"research","url":"https://safedep.io/inside-the-miasma-supply-chain-attack-toolkit/"},{"credibility":2,"name":"Miasma Worm Targets AI Coding Agents via GitHub Repos — SafeDep","type":"research","url":"https://safedep.io/miasma-worm-ai-coding-agent-config-injection/"},{"credibility":2,"name":"Mini Shai-Hulud \"Miasma: The Spreading Blight\" Hits @redhat-cloud-services — 
SafeDep","type":"research","url":"https://safedep.io/redhat-cloud-services-hit-by-mini-shai-hulud-npm-worm/"},{"credibility":2,"name":"Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages — Corgea","type":"research","url":"https://corgea.com/research/miasma-phantom-gyp-npm-worm-vapi-ai-sdk-ollama-june-2026"},{"credibility":2,"name":"Miasma Malware Fuels Red Hat npm Supply-Chain Attack — Hexnode","type":"news_article","url":"https://www.hexnode.com/blogs/miasma-malware-red-hat-npm-supply-chain-attack/"},{"credibility":2,"name":"Miasma: A Worming npm Supply Chain Attack on Red Hat Cloud Services — Upwind","type":"research","url":"https://www.upwind.io/feed/miasma-npm-supply-chain-worm-redhat-credential-harvest"},{"credibility":2,"name":"It's In Your AI Assistant Now: Shai-Hulud Wave 3 and the Miasma Worm Targeting npm — Morphisec","type":"research","url":"https://www.morphisec.com/blog/its-in-your-ai-assistant-now-shai-hulud-wave-3-and-the-miasma-worm-targeting-npm/"},{"credibility":2,"name":"Miasma Worm Reaches Microsoft Azure and PyPI: 73 Repositories Disabled, Hades Wave Drops 37 Malicious Python Wheels — Phoenix Security","type":"research","url":"https://phoenix.security/miasma-azure-hades-pypi-supply-chain-worm-2026/"},{"credibility":2,"name":"Red Hat npm Packages Compromised in Supply-Chain Attack Spreading Credential-Stealing Worm — Orca Security","type":"research","url":"https://orca.security/resources/blog/red-hat-npm-supply-chain-attack/"},{"credibility":2,"name":"Shai-Hulud Clone 'Miasma' Compromises 32 Red Hat npm Packages — DevOps.com","type":"news_article","url":"https://devops.com/shai-hulud-clone-miasma-compromises-32-red-hat-npm-packages/"},{"credibility":2,"name":"Miasma: Anatomy of an Open-Source Supply-Chain Worm — OSSPrey","type":"research","url":"https://www.ossprey.com/blog/miasma-anatomy-of-an-open-source-supply-chain-worm"},{"credibility":2,"name":"Red Hat npm Packages Compromised, 57 More Follow: Signed Attestations Cannot 
Block Pipeline Hijack — TechTimes","type":"news_article","url":"https://www.techtimes.com/articles/317832/20260605/red-hat-npm-packages-compromised-57-more-follow-signed-attestations-cannot-block-pipeline-hijack.htm"},{"credibility":2,"name":"Shai-Hulud: Miasma — When a Supply-Chain Worm Learned to Hijack AI Coding Agents — Security Joes","type":"research","url":"https://blog.securityjoes.com/post/shai-hulud-miasma-when-a-supply-chain-worm-learned-to-hijack-ai-coding-agents"},{"credibility":2,"name":"Developers urged to remain vigilant amid continued Miasma malware risks — IT Pro","type":"news_article","url":"https://www.itpro.com/security/malware/miasma-malware-developer-warning-github-compromise"},{"credibility":2,"name":"HeroDevs Blog: Miasma npm Worm Steals Cloud Creds and Hijacks CI/CD","type":"research","url":"https://www.herodevs.com/blog-posts/miasma-npm-worm-steals-cloud-creds-and-hijacks-ci-cd"},{"credibility":1,"name":"The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) — Palo Alto Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"},{"credibility":2,"name":"Miasma Supply Chain Attack Hits Red Hat @redhat-cloud-services Packages — InvisiRisk","type":"research","url":"https://www.invisirisk.com/blog/red-hat-npm-supply-chain-attack-miasma-hits-redhat-cloud-services/"},{"credibility":2,"name":"Shai-Hulud Miasma: Inside the Compromise of Red Hat Packages — Harness","type":"research","url":"https://www.harness.io/blog/shai-hulud-miasma-inside-the-compromise-of-red-hats-packages"},{"credibility":2,"name":"Miasma Is Back: npm Supply Chain Worm Drops binding.gyp Execution to Bypass Postinstall Monitoring — Phoenix Security","type":"research","url":"https://phoenix.security/miasma-wave2-npm-supply-chain-bindingyp-zero-cve-2026/"}],"summary":"Miasma is a multi-wave, self-propagating npm supply chain attack campaign active from June 1 through at least June 10, 2026, that compromised 
hundreds of widely-used npm packages and dozens of GitHub repositories across organizations including Red Hat, Vapi.ai, and Microsoft Azure. The malware, a variant of the Mini Shai-Hulud credential-stealing worm associated with threat actor TeamPCP (also tracked as UNC6780), exfiltrates cloud credentials, CI/CD secrets, SSH keys, and browser-stored data including crypto wallet files, then uses stolen tokens to republish backdoored package versions and spread to additional repositories. No confirmed cryptocurrency theft or quantified financial loss from crypto assets had been publicly documented as of the investigation date, though the malware's collectors enumerate local wallet storage and the attack's credential-theft scope poses downstream risk to any crypto developer environments that installed affected packages.","timeline":[{"date":"2025-09-01","event":"Original Shai-Hulud worm created by TeamPCP (approximate month; exact date not publicly confirmed).","source":"Tenable Mini Shai-Hulud FAQ","source_url":"https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"},{"date":"2025-11-01","event":"SHA1-Hulud variant of the Shai-Hulud framework deployed (approximate month).","source":"Tenable Mini Shai-Hulud FAQ","source_url":"https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"},{"date":"2026-03-01","event":"SANDWORM_MODE iteration of the Shai-Hulud worm family deployed (approximate month).","source":"Tenable Mini Shai-Hulud FAQ","source_url":"https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"},{"date":"2026-04-01","event":"Mini Shai-Hulud generation (basis for Miasma) deployed by TeamPCP.","source":"Tenable Mini Shai-Hulud FAQ","source_url":"https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"},{"date":"2026-04-13","event":"Red Hat employee's GitHub credentials first appear in infostealer logs, initiating 48-day dormancy before exploitation.","source":"Miasma Supply Chain Attack: the 
Seven-Week Credential Trail — CybelAngel","source_url":"https://cybelangel.com/blog/miasma-supply-chain-attack-the-seven-week-credential-trail/"},{"date":"2026-05-15","event":"Compromised Red Hat session cookie resurfaces in infostealer logs for a second time.","source":"Miasma Supply Chain Attack Compromises Red Hat npm Packages — The Hacker News","source_url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"date":"2026-05-19","event":"Three malicious versions of the durabletask Python package published to PyPI via compromised contributor account; credential harvester rope.pyz deployed.","source":"Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled — StepSecurity","source_url":"https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents"},{"date":"2026-05-29","event":"First 'Miasma: The Spreading Blight' commit appears on GitHub, per Hacker News reporting.","source":"Miasma Supply Chain Attack Compromises Red Hat npm Packages — The Hacker News","source_url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"date":"2026-06-01","event":"Wave 1: Attacker pushes malicious orphan commits to RedHatInsights GitHub repositories at 10:53 UTC and 13:44–13:46 UTC, backdooring 32 packages in the @redhat-cloud-services npm namespace affecting approximately 80,000–117,000 weekly downloads.","source":"Miasma: Supply Chain Attack Targeting RedHat npm Packages — Wiz Blog","source_url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"date":"2026-06-01","event":"Public disclosure of Wave 1 by multiple security vendors including Wiz, Microsoft Security Blog, and OX Security.","source":"Miasma Supply Chain Attack Compromises Red Hat npm Packages — The Hacker 
News","source_url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"date":"2026-06-03","event":"Wave 2 (Phantom Gyp): Attacker compromises Vapi.ai developer's GitHub token beginning at 22:56 UTC; @vapi-ai/server-sdk malicious versions (0.11.1, 0.11.2, 1.2.1, 1.2.2) published by 23:30 UTC.","source":"Our response to the June 3, 2026 supply chain incident — Vapi.ai","source_url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"date":"2026-06-03","event":"Wave 2 expands: 50+ packages belonging to npm maintainer jagreehal compromised, including ai-sdk-ollama (120,000+ monthly downloads), across 57 total packages and 286+ malicious versions within under two hours.","source":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","source_url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"date":"2026-06-03","event":"Vapi.ai removes malicious npm versions and revokes compromised account access; packages had zero downloads before removal.","source":"Our response to the June 3, 2026 supply chain incident — Vapi.ai","source_url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"date":"2026-06-04","event":"StepSecurity publishes independent research on the Phantom Gyp binding.gyp technique. Over 118 GitHub repositories containing stolen credentials identified.","source":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","source_url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"date":"2026-06-05","event":"Wave 3: Malicious commit pushed to Azure/durabletask GitHub repository, injecting AI coding agent configuration triggers. 
GitHub disables 73 Microsoft repositories across four organizations within 105 seconds.","source":"Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled — StepSecurity","source_url":"https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents"},{"date":"2026-06-05","event":"Disabling of Azure/functions-action breaks GitHub Actions workflows globally for projects referencing the @v1 tag; 20+ developers report broken deployments.","source":"Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled — StepSecurity","source_url":"https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents"},{"date":"2026-06-05","event":"Sonatype reports 304 cumulative malicious npm package components identified across the Miasma campaign.","source":"New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages — Sonatype","source_url":"https://www.sonatype.com/blog/new-shai-hulud-miasma-wave-hits-hundreds-of-npm-packages"},{"date":"2026-06-08","event":"Security Joes publishes research titled 'Shai-Hulud: Miasma — When a Supply-Chain Worm Learned to Hijack AI Coding Agents'. 
Morphisec publishes Wave 3 analysis.","source":"Shai-Hulud: Miasma — When a Supply-Chain Worm Learned to Hijack AI Coding Agents — Security Joes","source_url":"https://blog.securityjoes.com/post/shai-hulud-miasma-when-a-supply-chain-worm-learned-to-hijack-ai-coding-agents"},{"date":"2026-06-10","event":"Phoenix Security reports on Hades wave: 37 malicious Python wheels published to PyPI in parallel with Azure GitHub attack; 73 repositories disabled confirmed.","source":"Miasma Worm Reaches Microsoft Azure and PyPI: 73 Repositories Disabled, Hades Wave Drops 37 Malicious Python Wheels — Phoenix Security","source_url":"https://phoenix.security/miasma-azure-hades-pypi-supply-chain-worm-2026/"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 32e71791-1fd9-4fc3-8269-70fcac10495e
How verification works. The “Row integrity” check above is computed in your browser: your machine recomputes the SHA-256 of the canonical bytes, base58-encodes the digest and compares the result with the stored hash, so no avoid.net server can fake that check. On its own it proves only that the bytes you see match the hash you see. The “full verify” link goes one level deeper: your browser fetches the anchoring transaction from a Solana RPC node and confirms that the same hash appears in its memo. For that to mean anything, the transaction must also have been signed by the publicly disclosed publisher key, since anyone can post a memo containing any hash. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine: python -m src.verify_decision <event_id>.
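The two verification levels described above, as an added stand-alone example. This is not the site's src.verify_decision code. It assumes, as the compacted key-sorted JSON shown on the page suggests, that canonical bytes are UTF-8 JSON with sorted keys and no whitespace; the sample event, the publisher key and the shape of the fetched transaction (a dict with "signers" and "memos") are constructed placeholders, not real on-chain data.

```python
import hashlib
import hmac
import json

# Bitcoin-style base58 alphabet (no 0, O, I, l), as used for the "sha256 -> base58" row hash.
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Hypothetical publisher key; the real one is disclosed by the site, not known here.
PUBLISHER_KEY = "PublisherKeyPlaceholder1111111111111111111111"

# Constructed sample event, far smaller than the 38553-byte row on the page.
SAMPLE_EVENT = {
    "actor": "system:backfill",
    "kind": "publish",
    "page_slug": "miasma-npm-supply-chain-attack",
    "sequence_num": 1,
    "v": 1,
}


def b58encode(raw: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\0"))
    return (B58_ALPHABET[0:1] * pad + out[::-1]).decode("ascii")


def canonical_bytes(event: dict) -> bytes:
    """Assumed canonicalization: sorted keys, no whitespace, UTF-8 (not escaped ASCII)."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def row_hash(canonical: bytes) -> str:
    """The 'hash' field shown on a row: SHA-256 of the canonical bytes, base58-encoded."""
    return b58encode(hashlib.sha256(canonical).digest())


def row_integrity(canonical: bytes, stored_hash: str) -> bool:
    """Level 1 (in-browser equivalent): do the displayed bytes hash to the displayed hash?"""
    return hmac.compare_digest(row_hash(canonical).encode(), stored_hash.encode())


def memo_anchors_row(tx: dict, stored_hash: str, publisher_key: str) -> bool:
    """Level 2 ('full verify' equivalent) over an already-fetched transaction.

    Both conditions are required: the memo must carry the row hash, and the
    transaction must be signed by the disclosed publisher key. A memo with the
    right hash from any other signer anchors nothing.
    """
    signed_by_publisher = publisher_key in tx.get("signers", [])
    memo_matches = any(
        hmac.compare_digest(memo.encode(), stored_hash.encode()) for memo in tx.get("memos", [])
    )
    return signed_by_publisher and memo_matches


def verify_row(event: dict, stored_hash: str, tx: dict, publisher_key: str = PUBLISHER_KEY) -> dict:
    """Run both levels and report each separately, so a failure is attributable."""
    canonical = canonical_bytes(event)
    return {
        "row_integrity": row_integrity(canonical, stored_hash),
        "anchored": memo_anchors_row(tx, stored_hash, publisher_key),
    }


if __name__ == "__main__":
    h = row_hash(canonical_bytes(SAMPLE_EVENT))
    # Constructed transaction standing in for what an RPC node would return.
    fetched_tx = {"signers": [PUBLISHER_KEY], "memos": [h]}
    print(h, verify_row(SAMPLE_EVENT, h, fetched_tx))
```

A real verifier would fetch the transaction for the listed signature from an RPC node (or a node you run) and extract the memo instruction and signer list before calling verify_row; the two checks are deliberately separate so that a tampered row and a missing anchor fail differently.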