Security & Trust

Miasma Worm Disabled 73 Microsoft GitHub Repositories in Three Waves

A self-propagating npm worm compromised 32 Red Hat packages, then spread to 57 more with 647K monthly downloads, then forced Microsoft to disable 73 Azure repos. Built from open-sourced Shai-Hulud code. Zero CVEs.


Three Waves in Five Days

On June 1, 2026, 96 malicious versions appeared in the @redhat-cloud-services npm namespace in two bursts — 10:53 UTC and 13:44 UTC. Each package contained a 4.2 MB obfuscated payload triggered by an npm preinstall hook. Once running, it swept GitHub tokens, cloud credentials, and CI/CD secrets from the developer's environment. Then it used the stolen npm OIDC tokens to republish itself across every other package the victim maintains.

Wave two hit on June 3. Fifty-seven more packages — 647,204 monthly downloads combined — were compromised using lifecycle hooks and binding.gyp, a technique that bypassed every scanner watching package.json for suspicious scripts. Wave three arrived June 5: Microsoft disabled 73 Azure GitHub repositories after the worm propagated through AI coding tool integrations, exfiltrating AWS, Azure, and GCP credentials.
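The two install-time vectors described above (a declared preinstall hook and a binding.gyp file that makes npm run a native build with no script in package.json) can be checked before a new version reaches CI. The following is an added example written for this article; it is not code from the article, from npm, or from any of the vendors cited. It assumes two inputs per release: the parsed package.json and the tarball's file list with sizes (what `npm pack --json` or `tar -tvzf` gives you). Package names, file lists and sizes in the sample are constructed.

```javascript
// Added example: flag ways an npm package can execute code during `npm install`.
// Covers explicit lifecycle scripts, the implicit node-gyp build that a
// binding.gyp file triggers, and an unusually large script file in the tarball.
// Inputs are assumed: a parsed package.json object plus [{ path, size }] for
// the tarball contents. All sample data below is constructed, not real.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const LARGE_SCRIPT_BYTES = 1024 * 1024; // 1 MiB; tune against the package's own history

function stripTarPrefix(p) {
  return p.replace(/^package\//, ""); // npm tarballs prefix every path with "package/"
}

// Returns [{ vector, detail }] for each install-time execution path.
function findInstallVectors(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ vector: `scripts.${hook}`, detail: scripts[hook] });
    }
  }
  // npm's default install script: when binding.gyp exists and no "install"
  // script is declared, npm runs `node-gyp rebuild`, which executes the gyp
  // file's build actions. A scanner reading only package.json sees nothing.
  const hasGyp = files.some((f) => stripTarPrefix(f.path) === "binding.gyp");
  if (hasGyp && !scripts.install) {
    findings.push({ vector: "binding.gyp", detail: "implicit `node-gyp rebuild` during install" });
  }
  // A multi-megabyte .js file in a small library is a cheap signal worth a look.
  for (const f of files) {
    const rel = stripTarPrefix(f.path);
    if (/\.(c|m)?js$/.test(rel) && f.size >= LARGE_SCRIPT_BYTES) {
      findings.push({ vector: `large-script:${rel}`, detail: `${f.size} bytes` });
    }
  }
  return findings;
}

// Vectors present in the new release but absent from the last known-good one.
// A routine patch release rarely gains an install hook or a native build step.
function newInstallVectors(prev, next) {
  const known = new Set(findInstallVectors(prev.manifest, prev.files).map((f) => f.vector));
  return findInstallVectors(next.manifest, next.files).filter((f) => !known.has(f.vector));
}

// Constructed sample: a clean prior release and a suspicious follow-up.
const PRIOR_RELEASE = {
  manifest: { name: "@example-org/widget", version: "1.4.0", scripts: { test: "node test.js" } },
  files: [
    { path: "package/package.json", size: 900 },
    { path: "package/index.js", size: 12000 },
  ],
};
const NEXT_RELEASE = {
  manifest: { name: "@example-org/widget", version: "1.4.1", scripts: { test: "node test.js" } },
  files: [
    { path: "package/package.json", size: 910 },
    { path: "package/index.js", size: 12000 },
    { path: "package/binding.gyp", size: 400 },
    { path: "package/lib/setup.js", size: 4400000 },
  ],
};

for (const f of newInstallVectors(PRIOR_RELEASE, NEXT_RELEASE)) {
  console.log(`${NEXT_RELEASE.manifest.name}@${NEXT_RELEASE.manifest.version}: ${f.vector} (${f.detail})`);
}
```

Comparing against the previous known-good version rather than scanning in isolation is the point: many legitimate native modules ship a binding.gyp, but a pure-JavaScript package that suddenly gains one in a patch release is the pattern worth blocking or quarantining.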

32 Red Hat packages compromised (Wave 1): 96 malicious versions published across the @redhat-cloud-services namespace. Source: Upwind Security, June 2026.
647,204 monthly downloads affected (Wave 2): 57 additional packages compromised via binding.gyp hooks. Source: StepSecurity, June 2026.
73 Microsoft repos disabled (Wave 3): Azure GitHub repositories disabled to contain credential theft. Source: Dark Reading, June 2026.

Built from Open-Sourced Worm Code

Miasma is built on the Mini Shai-Hulud code base that TeamPCP open-sourced on May 12, 2026. The original Shai-Hulud family — tracked by WebPulse since early 2026 — was the first self-propagating supply chain worm to target npm and PyPI. When its source code was published, security researchers warned that variants would follow. Miasma arrived 20 days later.

The open-sourcing of worm code is a tactical escalation. Previous supply chain campaigns required sophisticated attackers who understood package registry authentication, OIDC token flows, and npm lifecycle hooks. Now the blueprint is public. Miasma's operators did not need to innovate — they forked, customized the payload for credential harvesting, and deployed across a trusted namespace.

20 days from source release to first attack: Mini Shai-Hulud code published May 12; Miasma Wave 1 hit June 1. Source: Phoenix Security.

Zero CVEs, Maximum Damage

No CVE exists for any artifact in the Miasma campaign. Not for the worm itself, not for the compromised packages, not for the credential exfiltration payload. Phoenix Security's malware intelligence corpus documents 59 supply chain campaigns and 657 malicious package indicators across 2026 — all with zero CVEs. The vulnerability tracking system designed for software bugs cannot represent malware injected through trust chains.

This is the fundamental gap in WordPress's plugin security model and npm's package security model alike. CVE counts measure known software vulnerabilities. Supply chain worms exploit trust relationships — maintainer credentials, OIDC tokens, preinstall hooks — that are features of the ecosystem, not bugs. WebPulse's supply chain scoring dimension captures what CVE counts miss: the depth, breadth, and trust structure of each framework's dependency graph.

59 supply chain campaigns in 2026 H1: 657 malicious package indicators, zero CVEs assigned. Source: Phoenix Security, June 2026.

Framework Exposure

The 73 disabled Microsoft repos included Azure SDK components, developer tools, and infrastructure libraries. Any project depending on those packages — Next.js applications, Express APIs, NestJS services — was exposed to credential theft during the window between compromise and takedown. The npm ecosystem's flat dependency graph means a single compromised package can affect thousands of downstream projects.

Frameworks with minimal npm exposure — Hugo (single Go binary), Astro (minimal dependencies with lockfile integrity), Eleventy (lightweight dependency tree) — had zero exposure to all three Miasma waves. The frameworks that depend on deep npm supply chains — Next.js, Nuxt, Angular — inherit the trust assumptions of every package in their tree. When those trust assumptions break, the blast radius is measured in disabled repositories.
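The "depth, breadth, and trust structure" of a dependency graph mentioned in the Zero CVEs section, and the blast-radius argument in this section, can both be read directly out of a project's lockfile. The following is an added example written for this article; it is not WebPulse's scoring code or anything from npm. It assumes an npm package-lock.json in the lockfileVersion 3 layout (a "packages" map keyed by node_modules path) and reports installed package count, nesting depth, entries with no integrity hash or resolved outside the public registry, and which direct dependencies pull a given package into the tree. The lockfile below is constructed and its package names are not real.

```javascript
// Added example: profile the trust structure of an npm lockfile (v3 layout).
// Assumes lock.packages maps "node_modules/<name>[/node_modules/<name>...]"
// to { version, resolved, integrity, dependencies }. Sample data is constructed.

const REGISTRY = "https://registry.npmjs.org/";

function nameFromPath(p) {
  return p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
}

// npm's resolution rule: look for the name nested under fromPath, then walk up.
function resolveDep(pkgs, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (pkgs[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth (total, direct), depth (max nesting), and trust gaps (no integrity
// hash, or tarball fetched from somewhere other than the public registry).
function lockfileTrustProfile(lock) {
  const pkgs = lock.packages || {};
  const root = pkgs[""] || {};
  const profile = {
    total: 0,
    direct: Object.keys(root.dependencies || {}).length,
    maxDepth: 0,
    missingIntegrity: [],
    offRegistry: [],
  };
  for (const [path, entry] of Object.entries(pkgs)) {
    if (path === "") continue; // the project itself
    profile.total += 1;
    const depth = path.split("node_modules/").length - 1;
    profile.maxDepth = Math.max(profile.maxDepth, depth);
    if (!entry.integrity) profile.missingIntegrity.push(path);
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) profile.offRegistry.push(path);
  }
  return profile;
}

// Blast radius of one package: which direct dependencies transitively include it.
function directDepsPulling(lock, targetName) {
  const pkgs = lock.packages || {};
  const root = pkgs[""] || {};
  const result = [];
  for (const direct of Object.keys(root.dependencies || {})) {
    const start = resolveDep(pkgs, "", direct);
    if (!start) continue;
    const seen = new Set([start]);
    const queue = [start];
    let found = false;
    while (queue.length > 0 && !found) {
      const path = queue.shift();
      if (nameFromPath(path) === targetName) { found = true; break; }
      for (const dep of Object.keys(pkgs[path].dependencies || {})) {
        const next = resolveDep(pkgs, path, dep);
        if (next && !seen.has(next)) { seen.add(next); queue.push(next); }
      }
    }
    if (found) result.push(direct);
  }
  return result;
}

// Constructed lockfile: two direct deps sharing a transitive dep at different
// versions, and one nested package with no integrity hash from an off-registry URL.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "example-web-framework": "^1.0.0", "example-markdown": "^2.0.0" } },
    "node_modules/example-web-framework": { version: "1.0.0", resolved: `${REGISTRY}example-web-framework/-/example-web-framework-1.0.0.tgz`, integrity: "sha512-AAAA", dependencies: { "example-sdk": "^3.0.0" } },
    "node_modules/example-sdk": { version: "3.0.0", resolved: `${REGISTRY}example-sdk/-/example-sdk-3.0.0.tgz`, integrity: "sha512-BBBB", dependencies: { "example-native": "^0.1.0" } },
    "node_modules/example-native": { version: "0.1.0", resolved: "https://mirror.example.invalid/example-native-0.1.0.tgz" },
    "node_modules/example-markdown": { version: "2.0.0", resolved: `${REGISTRY}example-markdown/-/example-markdown-2.0.0.tgz`, integrity: "sha512-CCCC", dependencies: { "example-sdk": "^2.0.0" } },
    "node_modules/example-markdown/node_modules/example-sdk": { version: "2.0.0", resolved: `${REGISTRY}example-sdk/-/example-sdk-2.0.0.tgz`, integrity: "sha512-DDDD" },
  },
};

console.log(JSON.stringify(lockfileTrustProfile(SAMPLE_LOCK)));
console.log("example-native pulled in by:", directDepsPulling(SAMPLE_LOCK, "example-native"));
```

Run against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of SAMPLE_LOCK. Entries in `offRegistry` or `missingIntegrity` are the places where `npm ci` cannot verify what it installs, and `directDepsPulling` answers the question a responder asks first after a compromise notice: which of our own dependencies brought this package in.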
