The threat group behind the notorious Mini Shai-Hulud worm last month put the complete source code for the malware into a GitHub repository, essentially open sourcing the threat so that other bad actors can create their own variants.
GitHub reportedly took down the repository shortly after it appeared, but the damage was already done, with multiple forks created, according to Datadog security researchers. The modular framework that the threat group, TeamPCP, put into the repository included tools for credential harvesting, supply chain poisoning, and encrypted data exfiltration aimed at developer workstations and CI/CD pipelines, increasingly popular targets for attackers.
The released source code also indicated evolving capabilities for persistence through the integration of AI agents and for stealing via Sigstore provenance.
“The open-sourcing of a production offensive framework is not unprecedented, but it’s unusual for an active campaign,” the researchers wrote in a report. “It lowers the barrier for other actors to adopt TeamPCP’s playbook, including the more sophisticated techniques like OIDC token abuse, provenance forgery, and AI tool persistence hooks.”
New Variants Arise
Such threats based on the Shai-Hulud code quickly emerged in the wild. Most recently, analysts with Aikido, Google-owned Wiz, and Orca Security this week reported that unknown hackers compromised almost three dozen Red Hat cloud services packages in the npm repository with malware, dubbed “Miasma,” that likely came from TeamPCP’s code dump.
“The payload appears to be derived from the (Mini) Shai-Hulud malware open-sourced by TeamPCP,” Wiz researchers Merav Bar and Rami McCarthy wrote in a report. “The observed modifications are largely cosmetic, with references to the Dune universe [where the name ‘Shai-Hulud’ came from] replaced by Greek mythology themes (i.e ‘spartan’), while the underlying functionality and tradecraft remain substantially similar.”
Aikido researcher Ilyas Makari wrote that “since the tooling was made publicly available, other threat actors now have access to the same techniques and can replicate or adapt them. The [32 Red Hat] packages were published via GitHub Actions OIDC, indicating the CI/CD pipeline was compromised rather than an npm token.”
Makari added that Aikido detected 96 versions across 32 packages were compromised and were cumulatively downloaded 116,991 times a week.
Compromised Employee GitHub Account
It appears that the attackers compromised the GitHub account of a specific Red Hat employee and used it to inject the Miasma malware into the packages, according to the researchers from Wiz and Aikido. The compromised account bypassed code review and pushed malicious orphan commits to two RedHatInsights repositories over two runs of activity.
“When the workflow runs, it installs Bun and executes _index.js, passing it a list of target packages via the OIDC_PACKAGES environment variable,” Aikido’s Makari wrote. “The script uses the id-token: write permission to request a short-lived OIDC token from GitHub, then uses that token to authenticate directly with npm’s trusted publishing endpoint and publish backdoored versions of every package in the list.”
He wrote that is the same “fundamental pattern” that was detected in Shai-Hulud compromises of TanStack and Bitwarden repositories. In both, the CI/CD pipeline becomes the attack surface and the OIDC-based trusted publishing – used to eliminate long-lived tokens – is the misleading trust signal. CI/CD pipelines are becoming popular targets for bad actors.
Eyes on the Cloud
Bar and McCarthy wrote that with Miasma, the focus appears to be on cloud identities. The attackers added collectors for Google Cloud Platform (GCP) and Microsoft Azure to collect all the identities the compromised systems had access to. Previous versions of the malware were designed to extract secrets, while this new one shows the attackers are interested in gaining access to the cloud itself.
“In addition, the malware now generates a uniquely encrypted payload for each infection, making hash-based IOCs [indicators of compromise] useful only for a specific package version,” they wrote. “Unlike previous variants that simply copied themselves, this approach makes detection and version tracking significantly more difficult.”
A Wide Range of Targets
Orca Security researchers wrote that each package version has a broad range of targets, including GitHub Actions tokens, Amazon Web Services (AWS) access keys and session tokens, GCP app default credentials and service account keys, Azure service principal credentials and managed identity tokens, HashiCorp Vault tokens, Kubernetes service accounts and kubeconfig files.
They also look for npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, and all .env files.
“The malware generates uniquely encrypted payloads per infection, making hash-based IOC detection difficult,” they wrote. “The worm’s self-propagating nature means that stolen tokens can be used to compromise additional packages and repositories, creating a cascading supply-chain effect.”
Organizations Need to Take Action
They added that the packages averaged about 80,000 downloads a week, and that Red Hat confirmed that none of its products or enterprise software were built or shipped with the compromised versions. Version pinning by Red Hat engineers prevented the contamination of products.
“The primary risk is to downstream open-source consumers and organizations using these packages directly in their frontend applications, CI/CD pipelines, and build systems,” they said.
Orca recommended that organizations that installed any compromised versions should audit their dependencies and treat all CI secrets, cloud credentials, npm tokens, and any other secrets that could be stolen as compromised. They also should rotate affected credentials, remove the compromised packages, or pin to a version known to be safe.