{
  "title": "Red Hat Cloud Services npm Trusted-Publishing Compromise",
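  "summary": "Multiple @redhat-cloud-services npm packages were compromised on 2026-06-01 through trusted-publishing abuse tied to the Mini Shai-Hulud Miasma wave. The malicious releases introduced install-time payload execution, credential collection, and destructive fallback behavior, and created a risk of GitHub workflow tampering. The domains and several of the selectors in the indicators are legitimate npm and GitHub values that also occur in normal activity, so correlate them with the affected package versions rather than matching on them alone.",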
  "date": "2026-06-02",
  "severity": "critical",
  "tags": [
    "npm",
    "redhat",
    "supply-chain",
    "ci-cd",
    "oidc",
    "credential-theft",
    "mini-shai-hulud"
  ],
  "sources_count": 4,
  "indicators": {
    "slug": "redhat-cloud-services-npm-miasma-compromise",
    "since": "2026-06-02T00:00:00Z",
    "until": "2026-06-02T23:59:59Z",
    "ecosystem": "npm",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [
      "@redhat-cloud-services/patch-client@4.0.4",
      "@redhat-cloud-services/insights-client@3.0.3",
      "@redhat-cloud-services/host-inventory-client@2.0.4",
      "@redhat-cloud-services/vulnerabilities-client@2.0.3",
      "@redhat-cloud-services/vulnerabilities-client@2.0.4",
      "@redhat-cloud-services/remediations-client@4.0.3",
      "@redhat-cloud-services/sources-client@3.0.4",
      "@redhat-cloud-services/compliance-client@3.0.4",
      "@redhat-cloud-services/rbac-client@2.0.3",
      "@redhat-cloud-services/advisor-client@4.0.3",
      "@redhat-cloud-services/notifications-client@3.0.3",
      "@redhat-cloud-services/integrations-client@2.0.4",
      "@redhat-cloud-services/drift-client@3.0.3",
      "@redhat-cloud-services/content-sources-client@4.0.4",
      "@redhat-cloud-services/approval-client@2.0.3",
      "@redhat-cloud-services/topms-client@2.0.4",
      "@redhat-cloud-services/ros-client@2.0.4",
      "@redhat-cloud-services/cost-management-client@3.0.4",
      "@redhat-cloud-services/subscriptions-client@3.0.4",
      "@redhat-cloud-services/swatch-client@2.0.3",
      "@redhat-cloud-services/image-builder-client@3.0.3",
      "@redhat-cloud-services/vulnerability-client@2.0.4",
      "@redhat-cloud-services/provisioning-client@2.0.3",
      "@redhat-cloud-services/patch-advisory-client@2.0.3",
      "@redhat-cloud-services/quickstarts-client@2.0.3",
      "@redhat-cloud-services/notifications-backend-client@2.0.4",
      "@redhat-cloud-services/landing-page-frontend@2.0.3",
      "@redhat-cloud-services/frontend-components@6.0.4",
      "@redhat-cloud-services/frontend-components-utilities@4.0.4",
      "@redhat-cloud-services/frontend-components-notifications@3.0.4"
    ],
    "versions": [],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [
      "package.json",
      "package-lock.json",
      "pnpm-lock.yaml",
      "yarn.lock",
      "bun.lock",
      "index.js",
      ".github/workflows/codeql.yml"
    ],
    "paths": [
      "RedHatInsights/javascript-clients",
      ".github/workflows",
      "node_modules/@redhat-cloud-services"
    ],
    "services": [],
    "domains": [
      "registry.npmjs.org",
      "api.github.com",
      "github.com"
    ],
    "urls": [
      "https://github.com/RedHatInsights/javascript-clients"
    ],
    "ips": [],
    "hashes": [],
    "processPatterns": [
      "npm install executing lifecycle script from @redhat-cloud-services package",
      "node or bun process launched from package lifecycle hook",
      "workflow run using id-token: write and npm trusted publishing"
    ],
    "networkPatterns": [
      "GitHub API activity from developer or CI host after package install",
      "npm publish or dist-tag activity tied to trusted-publishing workflow"
    ],
    "telemetrySelectors": [
      "Miasma",
      "The Spreading Blight",
      "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner",
      "firedalazer",
      "chore/add-codeql-static-analysis",
      "BatchedCreateCommitOnBranch",
      "bypass_2fa",
      "Runner.Worker",
      "/proc/*/mem",
      "trusted publishing",
      "id-token: write"
    ]
  }
}