
Shai-Hulud Miasma: Inside the Compromise of Red Hat Packages

Blog post from Harness

Post Details
Author: Roshan Piyush
Word Count: 2,613
Language: English
Summary

In June 2026, a significant supply chain compromise was identified in the @redhat-cloud-services npm namespace: 32 packages and 96 versions were republished with a credential-stealing worm known as Miasma. The attack, a descendant of the Mini Shai-Hulud worm, used a Red Hat employee's compromised GitHub account to inject malicious code directly into Red Hat's internal repositories, bypassing code reviews. Miasma's novel approach included generating uniquely encrypted payloads for each infection, targeting cloud identities beyond static keys, and using short-lived OIDC tokens for trusted publishing. The malware propagated itself by infecting software packages through stolen credentials, making it difficult to detect and prevent. The incident underscores the vulnerability of automated trust systems in open-source ecosystems and highlights the need for real-time visibility into dependencies and robust measures to block compromised versions. Harness Supply Chain Security (SCS) offers tools to help detect and contain such threats by providing end-to-end visibility, enabling teams to quickly identify and mitigate the impact of compromised packages across their supply chain.