What started as a coordinated attack on the @antv npm namespace is now something bigger. The Mini Shai-Hulud campaign has a second wave. On June 1, 2026, researchers at Aikido and OX Security confirmed that 32 packages and 96 package versions under Red Hat's @redhat-cloud-services namespace had been backdoored with a new variant of the same malware, now called Miasma. The payload is structurally identical. The technique is different. And the reason it's different matters.

TeamPCP publicly released the Mini Shai-Hulud source code in May. Miasma appears to be a fork. This campaign is no longer one group running one operation. The attack pattern is now available to anyone who wants to copy it.

Here is what happened across both waves, what the techniques tell us, and what security teams need to understand before the next fork appears.

What actually happened

Wave 1: The @antv campaign

In May 2026, Socket researchers identified a coordinated supply chain attack across 323 unique npm packages, with the bulk of activity concentrated in the @antv namespace, a widely used data visualization library with millions of weekly downloads. The same operation also compromised GitHub Actions workflows and a VS Code extension: Nx Console, which had more than 8 million installs.

Attackers compromised a trusted maintainer's npm publish token and used it to push backdoored versions of package after package. Each poisoned release contained a malicious preinstall hook. When a developer ran npm install, the hook executed automatically, before any code review, before any runtime detection, before anything.

The payload then ran silently in the background, harvesting credentials from every environment it touched: AWS keys, GitHub tokens, Kubernetes configs, HashiCorp Vault tokens, cloud service credentials, and .env files. Stolen credentials were exfiltrated through attacker-controlled GitHub repositories and a fallback server, a pattern previously linked to TeamPCP.

The Nx Console compromise deserves separate attention. It was live for 11 minutes. In that window, the malware reached specifically for GitHub tokens, AWS credentials, Kubernetes configs, HashiCorp Vault tokens, and Claude Code credentials. It installed a persistent backdoor and attempted to forge SLSA provenance to poison downstream builds.

The malware targeted Claude Code's configuration files directly: ~/.claude/settings.json and ~/.claude/mcp.json. It installed a persistence hook that re-executes the credential stealer every time a Claude Code session starts. As Vorlon CEO Amir Khayat noted in SC World, this is the first documented supply chain payload designed specifically to harvest AI tool credentials and MCP server configurations. It will not be the last.

Wave 2: The Red Hat namespace and Miasma

On June 1, researchers confirmed a second wave. This time the target was the @redhat-cloud-services namespace, 32 packages and 96 backdoored versions. The payload, Miasma, sweeps the same credential types: GitHub Actions secrets, AWS, GCP, Azure, Vault tokens, Kubernetes configs, npm and PyPI publishing tokens, SSH keys, Docker credentials, GPG keys, and .env files.

The delivery mechanism changed. Attackers did not steal a registry token this time. They compromised a Red Hat employee's GitHub account and used it to push a malicious workflow. That workflow abused the id-token: write permission to request a short-lived OIDC token from GitHub, then used that token to authenticate directly with npm's trusted publishing endpoint and publish the backdoored versions.

The publishing mechanism itself became the attack surface. No stolen token required.

Red Hat removed the affected packages immediately after discovery. But the OIDC token abuse technique is now documented in a live attack, and the source code that made it possible is publicly available.

The 323 packages are not the breach

The package count is the distribution channel, not the damage metric.

As Amir Khayat put it: "The 323 packages is not the breach. It's the blast radius of one stolen maintainer token. And the packages with millions of weekly downloads are not the target. They are the distribution channel. The target is every developer environment that runs npm install."

Every developer machine that ran npm install on a compromised version is a potential credential source. Every CI/CD pipeline that installed a backdoored package is a potential pivot point. The credential chain attack does not stop at the npm registry. It starts there.

Why GitHub Actions is the real target

The actions-cool/issues-helper compromise is the part of this campaign that most security teams have underweighted.

GitHub Actions runners hold secrets in memory during pipeline execution: cloud credentials, registry tokens, API keys, deployment secrets. Most organizations have no behavioral monitoring on those runners. The Shai-Hulud worm reads from process memory directly, including values that are masked in logs.

Khayat's framing is on point: "A GitHub Actions workflow is not a script. It's a privileged identity with access to your entire deployment pipeline. Most organizations govern it like a configuration file."

The Wave 2 OIDC token abuse reinforces this. The attacker did not need a long-lived credential. A short-lived token generated by a compromised workflow was enough to publish to npm as a trusted publisher. Short-lived does not mean low-risk when the pipeline generating it has already been compromised.
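A defender-side check for the exposure described above, as an added Python example that is not code from the original article or from any vendor it names: it reports every place a workflow file can request an OIDC token, either through `id-token: write` or through `permissions: write-all`, and whether the grant sits at workflow or job level. The sample workflow and the function name `oidc_grants` are constructed for illustration, and the scan assumes block-style YAML.

```python
# Constructed sample workflow (not from the incident). Line-based heuristic:
# handles block-style YAML only, not flow mappings such as {id-token: write}.
SAMPLE_WORKFLOW = """\
on: [push]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - run: npm publish
  docs:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - run: npm run docs
"""

def oidc_grants(text):
    """List (scope, line_no, grant) wherever the workflow may request an OIDC token."""
    found, in_jobs, job, job_indent, perm_indent = [], False, None, None, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:  # new top-level key
            in_jobs, job, job_indent = key == "jobs", None, None
        elif in_jobs and job_indent in (None, indent):
            job, job_indent = key, indent  # job id directly under `jobs:`
        if perm_indent is not None and indent <= perm_indent:
            perm_indent = None  # left the permissions mapping
        scope = f"job:{job}" if job else "workflow"
        if key == "permissions" and value == "write-all":
            found.append((scope, no, "write-all"))  # includes id-token: write
        elif key == "permissions" and not value:
            perm_indent = indent
        elif perm_indent is not None and key == "id-token" and value == "write":
            found.append((scope, no, "id-token: write"))
    return found
```

A workflow-level grant applies to every job in the file, so a `workflow` row is the one to move down into the single job that actually publishes.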

The source code is public

TeamPCP released the Mini Shai-Hulud source code in May. Miasma is, at minimum, a structural fork. Whether the Red Hat campaign was run by TeamPCP or by a separate actor using the leaked code is not confirmed. It does not change the operational reality.

The attack pattern is now documented and reproducible: compromise a trusted development artifact, inject a credential-harvesting payload via a preinstall hook or workflow, exfiltrate through GitHub or a fallback server, use harvested credentials to pivot to the next target. Any actor with the motivation and minimal technical capability can run a variant of this campaign.

This is not a single-group threat anymore. It is a reusable attack framework.

The AI tooling angle has not gone away

Miasma did not target AI tool credentials the way the Nx Console payload did. That is not a signal that the threat has moved on. The original Wave 1 payload demonstrated that AI coding assistant configuration files are a viable exfiltration target. MCP server configurations hold connection strings, API keys, and access patterns for every tool an agent can reach.

A persistence hook tied to an AI coding session is not a one-time credential theft. It is an ongoing exfiltration vector that reactivates every time the developer opens their AI assistant. The fact that Wave 2 did not include this technique does not mean Wave 3 will not.

Why static controls don't stop a credential chain attack

The Mini Shai-Hulud campaign exposes a structural problem: most security tools were built to audit configurations and permissions. They enforce static controls. This campaign operated entirely in the runtime integration layer, where credentials are used, tokens are minted, data moves between systems, and agents act. That layer has been largely unmonitored.

Vorlon maps the full agentic ecosystem: every agent, integration, OAuth token, API key, and non-human identity, along with the sensitive data flows between them. Vorlon builds per-entity behavioral baselines across all of them. When a token starts behaving outside its baseline, such as accessing new resources, making calls to unfamiliar endpoints, or moving data it has never touched, Vorlon detects and attributes that activity. Credential and OAuth token abuse is a named threat the platform is built to detect. So is supply chain compromise through third-party integrations.

The AI tooling angle in this campaign is also directly relevant to what Vorlon covers. The Nx Console payload targeted MCP server configurations and AI coding assistant credentials specifically. Vorlon monitors MCP server communications and the data flows between AI agents and the enterprise systems they connect to. When an agent's behavior deviates from its baseline, that deviation surfaces with the full behavioral chain, blast radius, and remediation path attached.

For teams looking to reduce their exposure before the next wave, Vorlon's inventory of non-human identities is a practical starting point. NHIs outnumber human users 50 to one in most enterprise environments. Overpermissioned tokens, tokens with no expiry, and dormant credentials that remain live long after they were last used are all visible and ranked in Vorlon's ecosystem map. What a credential-stealing campaign can harvest is directly proportional to what exists to steal.

What security teams need to do

Treat any system that installed a compromised version as fully compromised. That means rotating every credential that was present in that environment, not just the ones you can confirm were accessed.

Specific actions:

  • Audit your dependency tree for any @antv, @redhat-cloud-services, or actions-cool package versions published in the affected windows
  • Rotate all secrets present on any system that ran a compromised install
  • Review GitHub Actions workflows for id-token: write permissions; scope them to the minimum required context
  • Audit CI/CD runners for unexpected outbound connections or credential access patterns
  • Check AI coding tool configuration files (~/.claude/, ~/.cursor/, equivalent paths) for unauthorized modifications or persistence hooks
  • Confirm SLSA provenance on any packages installed during the affected period before trusting downstream build artifacts
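
The first checklist item as an added Python example, not code from the original article: it walks an npm v2/v3 `package-lock.json` and lists entries in the two npm scopes named above, entries that declare install scripts (the lockfile's `hasInstallScript` flag), and any name/version pair in a caller-supplied `known_bad` set. The lockfile contents, package names and versions are constructed; the affected versions are not listed on this page and must come from the advisories.

```python
import json

WATCHED_SCOPES = ("@antv/", "@redhat-cloud-services/")  # npm scopes named in this article

# Constructed lockfile (lockfileVersion 3 layout); package names and versions are made up.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@antv/example-a": {"version": "0.0.1", "hasInstallScript": True},
        "node_modules/left/node_modules/@redhat-cloud-services/example-b": {"version": "0.0.2"},
        "node_modules/native-like": {"version": "0.0.3", "hasInstallScript": True},
        "node_modules/plain": {"version": "0.0.4"},
    },
})

def audit_lockfile(lock_text, known_bad=frozenset()):
    """Return sorted (name, version, reasons) rows for lockfile entries that need review."""
    rows = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]  # also resolves nested installs
        version = meta.get("version", "?")
        reasons = []
        if name.startswith(WATCHED_SCOPES):
            reasons.append("watched-scope")
        if meta.get("hasInstallScript"):
            reasons.append("install-script")  # preinstall/install/postinstall will run
        if (name, version) in known_bad:
            reasons.append("advisory-match")  # pair supplied by the caller from an advisory
        if reasons:
            rows.append((name, version, reasons))
    return sorted(rows)
```

Run it against the lockfile from every repository and build image that installed during the affected windows; an `install-script` row outside the watched scopes is not an indicator by itself, only a package whose lifecycle hooks execute on install.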

The campaign is ongoing. The source code is public. The techniques are documented. The next wave will not announce itself.

For detailed technical coverage, see the SC World report and the BleepingComputer analysis of the Red Hat incident.
