The global software development community has been sent into a state of high alert by a rapidly mutating security crisis. Beginning on June 1, 2026, a highly sophisticated, self-propagating software worm named “Miasma” initiated a series of aggressive campaigns. By targeting critical registry ecosystems, source-code repositories, and modern AI development frameworks, this campaign has redefined the threat model of the npm supply chain, proving that traditional, registry-focused security boundaries are no longer enough to stop modern adversaries.
Descended from the notorious “Mini Shai-Hulud” malware lineage and attributed to the threat group TeamPCP, the Miasma worm represents a profound evolutionary leap. It does not simply steal data; it functions as an autonomous, self-replicating vector. Once it gains execution inside a developer environment, it systematically parses the host’s configuration, compromises active credentials, and automatically republishes backdoored versions of any packages managed by the victim. This creates an exponential, peer-to-peer blast radius that propagates entirely independent of any direct attacker orchestration.
Securing the npm Supply Chain Against the Miasma Onslaught
The rapid escalation of this multi-stage threat highlights a major gap in modern secure development lifecycles. Traditional software supply chain security has historically operated on a binary trust model: package managers verify code at publish time, and static scanners audit manifest files for known vulnerabilities at build time. The Miasma campaign has systematically broken this paradigm. By moving execution hooks out of typical package configurations and weaponizing the trusted workflows of developer workspaces, the threat actors have turned standard operations—like opening an IDE or compiling a project—into active vectors for host compromise.
To understand the depth of this threat, security teams must analyze the infection vectors across its three distinct, rapid-fire waves. This evolution represents a strategic shift from registry-level poisoning to native compiler exploitation, culminating in the targeting of AI-assisted coding systems.
Wave 1: Hijacked Credentials and the Red Hat Scope Compromise
The campaign began on June 1, 2026, when security researchers identified a compromise affecting 32 legitimate npm packages published under the @redhat-cloud-services namespace. The initial vector was traced back to a Red Hat employee’s GitHub account, which had its credentials exposed in commercial infostealer logs nearly seven weeks prior. This long gap between initial credential exposure and active weaponization is typical of advanced persistent threat operations, allowing actors to stage resources quietly.
Armed with direct repository push access, the attackers bypassed standard branch protections and code reviews, committing malicious code directly into upstream repositories. Crucially, the attackers did not rely on standard, long-lived npm registry tokens. Instead, they abused GitHub Actions’ OpenID Connect (OIDC) “Trusted Publishing” mechanism. By hijacking the OIDC workflow from a trusted repository, they dynamically minted short-lived npm publishing tokens. Consequently, the attackers successfully published 96 backdoored versions of Red Hat cloud-service packages, racking up more than 116,000 weekly downloads. Because the packages were built through a legitimate CI/CD pipeline, they carried authentic SLSA (Supply-chain Levels for Software Artifacts) provenance signatures, allowing the malware to bypass signature-verification checks downstream.
Wave 2: Bypassing Scanners via the “Phantom Gyp” Evasion
Within 72 hours of Wave 1’s public disclosure, the operators mutated their tactics. In their second major wave on June 3–4, the actors targeted 57 npm packages across more than 286 malicious versions. The targets expanded to include several high-traffic, developer-facing SDKs, most notably @vapi-ai/server-sdk (~408,000 monthly downloads) and ai-sdk-ollama (~120,000 monthly downloads).
To bypass the static code scanners and software composition analysis (SCA) tools that routinely monitor package.json for typical preinstall or postinstall lifecycle script hooks, the actors introduced a stealthy technique dubbed “Phantom Gyp”. Instead of modifying the package configuration, the malware drops a minimal, 157-byte binding.gyp file in the package’s root directory. This file utilizes a command-substitution expression native to the GYP build system:
<!(node index.js > /dev/null 2>&1 && echo stub.c)
When a developer runs npm install, the package manager detects the binding.gyp file and automatically invokes the node-gyp rebuild engine to compile native C/C++ addons. During compilation, the GYP engine evaluates the command substitution, executing the arbitrary Node.js script in the background. The payload executes completely before any application code imports the library, bypassing traditional install-script security tools entirely.
Wave 3: Editor Hijacking and the Microsoft Azure Takedown
On June 5, 2026, the Miasma worm bypassed registry-level package managers altogether. Leveraging a compromised contributor account, the threat actors pushed an unauthorized commit to the official, highly popular Azure/