On 1 June 2026, Wiz Research identified a supply chain compromise affecting multiple packages published under the @redhat-cloud-services npm namespace. Investigation revealed that at least 29 package releases contained unauthorized modifications that did not match the corresponding source repositories.
Analysis of the compromised package versions identified a common malicious payload introduced across multiple affected releases. The packages contained newly added installation-time execution mechanisms, including preinstall scripts that automatically invoked a malicious index.js file during package installation. The payloads consisted of unusually large, heavily obfuscated JavaScript files employing eval() and ROT-based decoding techniques to conceal their functionality.
The payload appears to be derived from the (Mini) Shai-Hulud malware open-sourced by TeamPCP. The observed modifications are largely cosmetic, with references to the Dune universe replaced by Greek mythology themes (i.e "spartan"), while the underlying functionality and tradecraft remain substantially similar. This variant creates repositories containing the description Miasma: The Spreading Blight.
One of the main changes in this new variant is the addition of new data collectors focused on cloud identities. Specifically, collectors for GCP and Azure identities were added that collect all identities the infected machine has access to. While previous versions of the malware primarily focused on extracting secrets from these environments, this variant suggests an increased attacker focus on gaining and leveraging access to the cloud itself.