Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid using all malicious instances of the @redhat-cloud-services/rbac-client package.
Affected versions of this package are vulnerable to Embedded Malicious Code linked to the "Miasma" supply chain attack targeting the @redhat-cloud-services npm namespace. A malicious actor compromised the publication pipeline and published versions containing malicious code that includes a credential-stealing payload aimed at developers and CI/CD environments.
Threat Behavior
The malicious payload, which refers to itself as "Miasma," executes automatically during the npm install process through a malicious preinstall script that invokes a bundled index.js file. The payload relies on multiple layers of heavy obfuscation, employing eval() and ROT-based decoding techniques to conceal its core functionality. It is designed to act as a self-propagating worm, searching local environments for development secrets, environment variables, cloud credentials, CI/CD tokens, and npm registry tokens. Once these credentials are harvested, it attempts to republish backdoored versions of other packages accessible to the compromised account, enabling the attack to spread further through the software supply chain. Organizations that installed or built projects using affected package versions should treat all accessible secrets as compromised and rotate them immediately.
Notes:
Changelog
2026-06-01 - Initial publication
2026-06-02 - Newly discovered compromised versions added