The Miasma campaign marks a disturbing evolution in open-source supply chain warfare. By leveraging a stolen session cookie that circulated in underground markets for seven weeks, attackers successfully poisoned 32 Red Hat packages and compromised at least 89 npm packages across three distinct waves in June 2026.
What makes this engagement critical for your defensive posture is the technical sophistication of the payload: the attackers utilized a weaponized version of the open-source "Mini Shai-Hulud" worm to generate malicious packages that possessed valid SLSA Build Level 3 provenance attestations. This effectively neutralized the highest standard of supply-chain integrity verification for many organizations. If your reliance on SLSA Level 3 badges gave you a false sense of security, this campaign is your wake-up call.
Technical Analysis
The Attack Vector
- Initial Access: The root cause was a compromised developer session cookie, likely stolen via information-stealing malware. This credential was sold on the underground market, highlighting the commoditization of developer identities.
- The Weapon: Miasma is a self-propagating npm worm. It automates the process of cloning repositories, injecting malicious code, and publishing updates back to the registry.
- The Bypass: The attackers did not break the cryptographic signing mechanism; they hijacked the build pipeline itself. By possessing a valid session token, they could trigger official build pipelines (GitHub Actions or similar) that generated legitimate SLSA provenance for malicious artifacts.
Affected Platforms & Scope
- Platform: npm (Node Package Manager) registry.
- Victims: Red Hat, Vapi.ai, Microsoft Azure repositories.
- Impact: Organizations pulling dependencies from the npm registry between June 1 and June 5, 2026, are at risk of lateral movement, data exfiltration, or supply chain poisoning.
Exploitation Status
- Status: Confirmed Active Exploitation.
- Tooling Availability: The full weaponized toolchain for Mini Shai-Hulud was open-sourced on May 12, 2026, meaning the barrier to entry for copycat attacks is now virtually non-existent.
Detection & Response
Detecting Miasma requires moving beyond static vulnerability scanning and looking for behavioral anomalies in your build pipelines and runtime environments. Since the packages carry valid signatures, signature-based verification is ineffective. You must hunt for the behavior of the worm.
SIGMA Rules
---
title: Miasma npm Worm - Suspicious Post-Install Process Spawn
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects npm or node processes spawning shells (bash/sh) or other child processes during package installation, a common behavior of the Miasma worm to propagate or execute payloads.
references:
- https://www.tenable.com/blog/what-the-miasma-campaign-reveals-about-the-new-supply-chain-threat-model-and-the-underground
author: Security Arsenal
date: 2026/06/05
tags:
- attack.execution
- attack.t1059.004
- attack.supply_chain
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith:
- '/npm'
- '/node'
selection_child:
Image|endswith:
- '/bash'
- '/sh'
- '/curl'
- '/wget'
condition: selection_parent and selection_child
falsepositives:
- Legitimate build scripts that require shell execution (rare in production runtime)
level: high
---
title: Miasma Campaign - npm Publish from Non-CI Workstation
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects execution of 'npm publish' or 'npm token' commands from a user workstation rather than a known CI/CD runner, indicating potential credential abuse.
references:
- https://www.tenable.com/blog/what-the-miasma-campaign-reveals-about-the-new-supply-chain-threat-model-and-the-underground
author: Security Arsenal
date: 2026/06/05
tags:
- attack.initial_access
- attack.t1078
logsource:
category: process_creation
product: linux
detection:
selection_cli:
CommandLine|contains:
- 'npm publish'
- 'npm token create'
- 'npm token list'
filter_ci:
Image|contains:
- '/runner/'
- '/actions/'
- '/jenkins/'
condition: selection_cli and not filter_ci
falsepositives:
- Developers manually publishing packages from local machines
level: medium
KQL (Microsoft Sentinel)
This query hunts for the behavioral indicators of the Miasma worm—specifically, the npm binary executing child processes often used for reconnaissance or C2 establishment (curl, wget) during installation routines.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("npm", "node", "npx")
| where FileName in ("sh", "bash", "curl", "wget", "python", "perl")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, CommandLine, ProcessId
| extend InstallCommand = extract(@"install\s+(.*?)\s", 1, InitiatingProcessCommandLine)
| where isnotempty(InstallCommand)
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for package. files containing suspicious scripts within the node_modules directory. Miasma and similar worms often hide execution logic in preinstall or postinstall scripts.
-- Hunt for suspicious npm package scripts in node_modules
SELECT FullPath, Name, Mtime, Size
FROM glob(globs="/*/node_modules/*/package.")
WHERE read_file(filename=FullPath, length=10000) =~ '("preinstall"|"postinstall")'
AND read_file(filename=FullPath, length=10000) =~ '(http|curl|wget|eval|exec)'
Remediation Script
Use this Bash script to audit your environment. It identifies packages modified recently (within the window of the Miasma campaign or subsequent waves) and checks for script usage in installed packages.
#!/bin/bash
# Audit npm packages for Miasma indicators
echo "[*] Auditing npm packages for potential Miasma worm activity..."
# 1. Check for packages modified in the last 7 days
find node_modules -name "package." -mtime -7 -type f > /tmp/recent_packages.txt
if [ -s /tmp/recent_packages.txt ]; then
echo "[!] WARNING: Found packages modified in the last 7 days:"
cat /tmp/recent_packages.txt
else
echo "[+] No packages modified in the last 7 days."
fi
# 2. Hunt for 'preinstall' or 'postinstall' scripts that invoke external commands
echo "[*] Scanning for suspicious preinstall/postinstall scripts..."
grep -r -l -E "\"preinstall\"|\"postinstall\"" node_modules/*/package. 2>/dev/null | while read file; do
# Check if the script value contains a URL or shell command
if grep -A 2 -E "\"preinstall\"|\"postinstall\"" "$file" | grep -qE "http://|https://|curl |wget |sh |bash |exec"; then
echo "[!] SUSPICIOUS SCRIPT FOUND IN: $file"
grep -A 2 -E "\"preinstall\"|\"postinstall\"" "$file"
fi
done
echo "[*] Audit complete."
Remediation
- Immediate Token Rotation: Treat the Miasma campaign as a confirmed credential breach event. Revoke all npm session tokens and OAuth tokens associated with your developer accounts immediately. Enforce re-authentication.
- Verify Supply Chain Integrity: Do not rely solely on the presence of SLSA provenance. You must verify the source of the build. Configure your CI/CD pipelines to reject builds that do not originate from trusted, whitelisted branch heads or specific PR numbers, even if they have valid Level 3 attestations.
- Audit
package.Scripts: Review allpreinstall,postinstall, andprepackscripts in your dependencies. Legitimate packages rarely require network connectivity or shell execution during installation. - Network Segmentation for Build Runners: Restrict outbound internet access from CI/CD build runners to only necessary endpoints (e.g., npm registry, git provider). This blocks the worm's ability to exfiltrate data or beacon to C2 servers during the build process.
- Dependency Pinning: Lock your
package-lock.files and do not automatically update dependencies without manual review of the diff.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.