Miasma / Shai Hulud Supply Chain Campaign: 100+ npm and PyPI Packages Compromised Including Red Hat Namespace

Security researchers have attributed a coordinated software supply chain attack to a threat cluster tracked as Miasma (also Shai Hulud), which compromised over 100 packages across npm and PyPI by stealing publisher credentials and injecting malicious code. The campaign reached the official Red Hat npm namespace, exposing organisations that rely on internal package mirror strategies as a security control.

A threat cluster tracked variously as Miasma and Shai Hulud has compromised more than 100 packages across the npm and PyPI public registries by stealing publisher account credentials and injecting malicious payloads into legitimate, widely-used packages. The campaign was disclosed by Phylum Research on 14 June 2026 after automated scanning detected anomalous version publications across dozens of maintainer accounts in a compressed time window.

Significantly, the campaign includes compromise of packages within the Red Hat official npm namespace — a development with implications extending far beyond individual developer environments to enterprise build pipelines, container image construction processes, and CI/CD toolchains that consume open-source dependencies from tier-one vendor namespaces.

Scope of Compromise

The Miasma campaign shares infrastructure with activity Phylum had previously tracked under the Shai Hulud cluster name, and researchers assess with high confidence they represent the same threat actor operating under refreshed operational tooling.

Key characteristics of the compromised packages:

  • Over 100 packages affected spanning npm and PyPI as of the 14 June disclosure
  • Payloads injected into legitimate package versions through maintainer credential compromise — not typosquatting
  • The malicious code activates post-install, establishing a persistent outbound connection to attacker-controlled infrastructure
  • Red Hat namespace packages affected include tooling used in enterprise Linux build and automation workflows
  • Packages with download counts in the hundreds of thousands per week were targeted, maximising blast radius from each credential compromise

The malicious payload is designed to exfiltrate environment variables, installed credential files, and cloud provider configuration from the build environment — information typically including CI/CD pipeline secrets, cloud service API keys, and internal registry credentials.

Why Internal Mirror Strategies Fail Here

A common defensive recommendation for supply chain attacks is to mirror approved package versions to an internal registry, isolating developer and CI/CD environments from the public internet and preventing unapproved packages from being installed. The Miasma campaign illustrates a fundamental limitation of this control: when attacker code is injected into a legitimate publisher’s package at a version that post-dates the mirror snapshot, internal mirrors may still serve the compromised version.

Organisations that rely on tools like Nexus Repository, JFrog Artifactory, or Azure Artifacts to proxy npm and PyPI are not inherently protected if:

  • The internal mirror automatically syncs the latest version of monitored packages
  • The mirror was synchronised after the malicious publish but before the takedown
  • The compromised version was already cached locally before the package was flagged and removed from the public registry

Internal mirrors provide meaningful security value for preventing typosquatting, dependency confusion, and lateral spread — but they do not eliminate risk from legitimate publisher credential compromise, which is the attack vector in this campaign.

Publisher Credential Compromise as Primary Vector

Phylum’s analysis indicates the attacker obtained npm and PyPI publisher credentials through a combination of credential phishing and automated scanning of public code repositories for inadvertently committed tokens and API keys. Open-source package maintainers — many of whom are individuals or small teams — often manage registry credentials with less rigour than enterprise service accounts, making them attractive targets for credential harvesting campaigns.

The compromise of Red Hat namespace packages is particularly notable because tier-one vendor namespaces typically carry implicit trust signals in enterprise security tooling. Dependency scanning tools that classify Red Hat packages as inherently trusted may suppress alerts for compromised versions that would otherwise trigger policy violations.

  • Audit CI/CD pipeline build logs for the past 30 days — look for post-install hook execution from npm and pip packages, particularly packages in the affected namespaces that appear on Phylum’s published IOC list
  • Check internal mirrors immediately — determine whether compromised versions of affected packages are cached in Nexus, Artifactory, or Azure Artifacts; purge and replace with verified clean versions
  • Rotate any credentials accessible from build environments — if your pipelines were running affected package versions, treat all environment variables, cloud API keys, and registry credentials accessible during affected builds as potentially compromised
  • Enable registry audit logging and alert on post-install script execution in package builds — this is the primary mechanism by which compromised packages exfiltrate data, and is anomalous for most legitimate build processes
  • Evaluate publisher account MFA requirements for packages consumed as critical dependencies — organisations that maintain their own packages should enforce TOTP or hardware key authentication on all registry publisher accounts
  • Do not rely solely on internal mirrors as a supply chain control — pair mirroring with lockfile enforcement, hash pinning, and active monitoring of publish events for all consumed namespaces
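
One way to run the lockfile-side checks from the list above (install scripts, unpinned tarballs, bypassed mirror, IOC matches) over an npm package-lock.json. This is an added example, not code from Phylum or the original article; the package names, versions, hashes, mirror URL and IOC entry are constructed placeholders, and `audit_lockfile` is a hypothetical helper.

```python
import json
# Constructed sample lockfile (lockfileVersion 3). Names, versions, hashes and the
# mirror URL are placeholders, not indicators from the campaign.
MIRROR = "https://mirror.example.internal/npm/"
IOC = {("@vendor-example/build-tool", "4.2.1")}  # constructed (name, version) pairs
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-util": {
            "version": "2.1.0",
            "resolved": MIRROR + "left-util/-/left-util-2.1.0.tgz",
            "integrity": "sha512-PLACEHOLDER-A",
        },
        "node_modules/@vendor-example/build-tool": {
            "version": "4.2.1",
            "resolved": MIRROR + "@vendor-example/build-tool/-/build-tool-4.2.1.tgz",
            "integrity": "sha512-PLACEHOLDER-B",
            "hasInstallScript": True,
        },
        "node_modules/left-util/node_modules/tiny-dep": {
            "version": "0.3.0",
            "resolved": "https://registry.npmjs.org/tiny-dep/-/tiny-dep-0.3.0.tgz",
        },
    },
})


def audit_lockfile(lock_text, ioc_versions, mirror_prefix):
    """Return sorted (name, version, reason) findings for one package-lock.json."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path or meta.get("link"):  # skip the root project and workspace links
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # nested and @scoped entries
        version = meta.get("version", "")
        if (name, version) in ioc_versions:
            findings.append((name, version, "ioc-match"))
        if meta.get("hasInstallScript"):  # package declares install-time scripts
            findings.append((name, version, "install-script"))
        if not meta.get("integrity"):  # nothing pins the tarball contents
            findings.append((name, version, "no-integrity"))
        if not meta.get("resolved", "").startswith(mirror_prefix):
            findings.append((name, version, "outside-mirror"))
    return sorted(findings)


if __name__ == "__main__":
    print(*audit_lockfile(SAMPLE_LOCK, IOC, MIRROR), sep="\n")
```

An `integrity` hash only proves the tarball matches what was locked, so a lockfile generated while a compromised version was live pins that version; the IOC comparison is the check that catches that case.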