Skip to main content

Shai-Hulud Clone ‘Miasma’ Compromises 32 Red Hat npm Packages

The threat group behind the notorious Mini Shai-Hulud worm last month put the complete source code for the malware into a GitHub repository, essentially open sourcing the threat so that other bad actors can create their own variants.

GitHub reportedly took down the repository shortly after it appeared, but the damage was already done, with multiple forks created, according to Datadog security researchers. The modular framework that the threat group, TeamPCP, put into the repository included tools for credential harvesting, supply chain poisoning, and encrypted data exfiltration aimed at developer workstations and CI/CD pipelines, increasingly popular targets for attackers.

The released source code also indicated evolving capabilities for persistence through the integration of AI agents and for stealing via Sigstore provenance.

“The open-sourcing of a production offensive framework is not unprecedented, but it’s unusual for an active campaign,” the researchers wrote in a report. “It lowers the barrier for other actors to adopt TeamPCP’s playbook, including the more sophisticated techniques like OIDC token abuse, provenance forgery, and AI tool persistence hooks.”

New Variants Arise

Such threats based on the Shai-Hulud code quickly emerged in the wild. Most recently, analysts with Aikido, Google-owned Wiz, and Orca Security this week reported that unknown hackers compromised almost three dozen Red Hat cloud services packages in the npm repository with malware, dubbed “Miasma,” that likely came from TeamPCP’s code dump.

“The payload appears to be derived from the (Mini) Shai-Hulud malware open-sourced by TeamPCP,” Wiz researchers Merav Bar and Rami McCarthy wrote in a report. “The observed modifications are largely cosmetic, with references to the Dune universe [where the name ‘Shai-Hulud’ came from] replaced by Greek mythology themes (i.e ‘spartan’), while the underlying functionality and tradecraft remain substantially similar.”

Aikido researcher Ilyas Makari wrote that “since the tooling was made publicly available, other threat actors now have access to the same techniques and can replicate or adapt them. The [32 Red Hat] packages were published via GitHub Actions OIDC, indicating the CI/CD pipeline was compromised rather than an npm token.”

Makari added that Aikido detected 96 versions across 32 packages were compromised and were cumulatively downloaded 116,991 times a week.

Compromised Employee GitHub Account

It appears that the attackers compromised the GitHub account of a specific Red Hat employee and used it to inject the Miasma malware into the packages, according to the researchers from Wiz and Aikido. The compromised account bypassed code review and pushed malicious orphan commits to two RedHatInsights repositories over two runs of activity.

“When the workflow runs, it installs Bun and executes _index.js, passing it a list of target packages via the OIDC_PACKAGES environment variable,” Aikido’s Makari wrote. “The script uses the id-token: write permission to request a short-lived OIDC token from GitHub, then uses that token to authenticate directly with npm’s trusted publishing endpoint and publish backdoored versions of every package in the list.”

He wrote that is the same “fundamental pattern” that was detected in Shai-Hulud compromises of TanStack and Bitwarden repositories. In both, the CI/CD pipeline becomes the attack surface and the OIDC-based trusted publishing – used to eliminate long-lived tokens – is the misleading trust signal. CI/CD pipelines are becoming popular targets for bad actors.

Eyes on the Cloud

Bar and McCarthy wrote that with Miasma, the focus appears to be on cloud identities. The attackers added collectors for Google Cloud Platform (GCP) and Microsoft Azure to collect all the identities the compromised systems had access to. Previous versions of the malware were designed to extract secrets, while this new one shows the attackers are interested in gaining access to the cloud itself.

“In addition, the malware now generates a uniquely encrypted payload for each infection, making hash-based IOCs [indicators of compromise] useful only for a specific package version,” they wrote. “Unlike previous variants that simply copied themselves, this approach makes detection and version tracking significantly more difficult.”

A Wide Range of Targets

Orca Security researchers wrote that each package version has a broad range of targets, including GitHub Actions tokens, Amazon Web Services (AWS) access keys and session tokens, GCP app default credentials and service account keys, Azure service principal credentials and managed identity tokens, HashiCorp Vault tokens, Kubernetes service accounts and kubeconfig files.

They also look for npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, and all .env files.

“The malware generates uniquely encrypted payloads per infection, making hash-based IOC detection difficult,” they wrote. “The worm’s self-propagating nature means that stolen tokens can be used to compromise additional packages and repositories, creating a cascading supply-chain effect.”

Organizations Need to Take Action

They added that the packages averaged about 80,000 downloads a week, and that Red Hat confirmed that none of its products or enterprise software were built or shipped with the compromised versions. Version pinning by Red Hat engineers prevented the contamination of products.

“The primary risk is to downstream open-source consumers and organizations using these packages directly in their frontend applications, CI/CD pipelines, and build systems,” they said.

Orca recommended that organizations that installed any compromised versions should audit their dependencies and treat all CI secrets, cloud credentials, npm tokens, and any other secrets that could be stolen as compromised. They also should rotate affected credentials, remove the compromised packages, or pin to a version known to be safe.



from DevOps.com https://ift.tt/HJf4nKw
Labels:

Comments

Post a Comment

Popular posts from this blog

Cursor’s New SDK Turns AI Coding Agents Into Deployable Infrastructure

For most of its life, Cursor has been an IDE. A very good one. But with the public beta of the Cursor SDK, the company is making a different kind of move — one that should get the attention of DevOps teams. The Cursor SDK is a TypeScript library that gives engineers programmatic access to the same runtime, models, and agent harness that power Cursor’s desktop app, CLI, and web interface. In short, the agents that used to live inside an editor can now be invoked from anywhere in your stack. That’s a meaningful shift in how AI coding tools fit into software delivery pipelines. From the Editor to the Pipeline If you’ve used Cursor before, the workflow is familiar — you interact with an agent in real time, asking it to write functions, fix bugs, or review code. The SDK breaks that dependency on interactive use. Now you can call those same agents programmatically, from a CI/CD trigger, a backend service, or embedded inside another tool. Getting started is a single inst...
Post a Comment
Read more

Mistral Moves Coding Agents to the Cloud — and Gets Out of Your Way

For the past year or so, AI coding agents have been tethered to your local machine. You kick off a task, watch the terminal, and babysit every step. It works — but it’s not exactly hands-free. Mistral just changed that. On April 29, the Paris-based AI company announced remote coding agents for its Vibe platform, powered by a new model called Mistral Medium 3.5. The idea is simple: Instead of running coding sessions on your laptop, they now run in the cloud — asynchronously, in parallel, and without you watching over them. What’s Actually New Coding sessions can now work through long tasks while you’re away. Many can run in parallel, and you no longer become the bottleneck at every step the agent takes. That’s the core pitch. You start a task from the Mistral Vibe CLI or directly from Le Chat — Mistral’s AI assistant — and the agent handles the rest. When it’s done, it opens a pull request on GitHub and notifies you, so you review the result inste...
Post a Comment
Read more

Documentation is Dead. Long Live Documentation.

I’m going to say something that will make every engineering manager uncomfortable: Stop asking your team to write documentation . Not because documentation doesn’t matter. It matters more than ever. But because asking humans to document their work after they’ve done it is a process that has failed consistently for thirty years, and no amount of “definition of done” checklists or documentation sprints is going to fix it. The people who know the most write the least. The docs that get written are stale within weeks. And the knowledge that matters most — the decisions, the gotchas, the “why” behind the code — rarely makes it into a document because it’s not the kind of thing you sit down and write. The Documentation Death Spiral I’ve watched this cycle play out on every team I’ve been part of: Week 1: “We need to document this.” Everyone agrees. Someone creates a Confluence space. Week 4: A few pages exist. They’re pretty good. Written by the one person who cares about docs. Week...
Post a Comment
Read more