Executive Summary
On 2026-06-01, researchers reported a new Mini Shai-Hulud child event affecting the @redhat-cloud-services npm scope. StepSecurity identified 31 malicious package versions across 29 packages, published through trusted publishing after an attacker compromised the RedHatInsights/javascript-clients GitHub workflow path and abused OIDC-based npm publishing [stepsecurity.io opens in a new tab].
This is not a normal vulnerable dependency advisory. It is a supply-chain publish compromise against Red Hat Cloud Services client packages that can execute during npm install. The reported payload is called Miasma, also tracked as The Spreading Blight, and it overlaps the same Mini Shai-Hulud operational pattern of CI/CD compromise, credential theft, GitHub workflow tampering, and destructive pressure after token invalidation [stepsecurity.io opens in a new tab] [ox.security opens in a new tab].
Organizations should search for affected @redhat-cloud-services/* packages in source repositories, lockfiles, package caches, build logs, CI artifacts, and container layers. Any confirmed install on a developer workstation or runner with GitHub, npm, cloud, or deployment credentials should trigger credential rotation from a clean environment.