Active npm supply-chain attack backdoors Claude Code and VS Code configs

A supply-chain attack campaign named Miasma, attributed to the threat group TeamPCP, compromised 32 npm packages under the `@redhat-cloud-services` namespace by exploiting a single stolen Red Hat employee GitHub login — likely obtained weeks earlier via browser-saved-password-stealing malware. With that access, the attacker pushed malicious code directly into three Red Hat repositories and triggered Red Hat's own build pipeline, meaning the poisoned packages were published to npm with valid security certificates and no known vulnerability signatures for scanners to detect. On June 1, 96 malicious versions were pushed across two waves; the first wave was flagged within hours, but downloads had already occurred.

Once installed, the malware collects credentials across AWS, Google Cloud, Azure, Kubernetes, SSH keys, GitHub tokens, and npm tokens.

Once installed, the malware collects credentials across AWS, Google Cloud, Azure, Kubernetes, SSH keys, GitHub tokens, and npm tokens. It checks for the presence of CrowdStrike and SentinelOne before acting to avoid detection, then establishes persistence by injecting code into `~/.claude/settings.json` and `.vscode/tasks.json` — both of which execute automatically when Claude Code or a VS Code project is opened. This means uninstalling the original npm package does not remove the malware. The attacker also registers victim build servers as remotely controlled machines. A deliberate destructive payload is included: if a victim rotates or revokes the attacker's credentials before removing the malware, it wipes the entire home directory and overwrites files to prevent recovery. Three days after the first wave, a second wave hit 57 more packages using a new technique that bypassed the tools that caught the first wave, with 647,000 monthly downloads affected; some malicious versions remain live on the npm registry.

The worm is self-propagating, using stolen tokens to automatically infect new packages. TeamPCP has been operating since late 2025 and has confirmed victims including GitHub (3,800 internal repos stolen, listed for sale at $50K), Mistral AI (450 repos, $25K), OpenAI (two employees), the European Commission (90+ GB exfiltrated), and Eli Lilly ($70K), among others. Across all waves, 487 confirmed organizations and nearly 300,000 secrets have been harvested. TeamPCP open-sourced the worm's source code on May 12, and copycat campaigns are already active. The Reddit post by u/johnypita links to sources from Microsoft Threat Intelligence, StepSecurity, Snyk, and Tenable, and notes cleanup steps are provided in the comments — with an explicit warning that the order of steps matters.

Key facts

1. 0132 npm packages under `@redhat-cloud-services` were compromised, with ~117,000 weekly downloads affected in the first wave on June 1.
2. 02A second wave three days later hit 57 more packages (647,000 monthly downloads) using a technique that bypassed the tools that caught the first wave.
3. 03Malware persists in `~/.claude/settings.json` and `.vscode/tasks.json`, re-executing every time Claude Code or a VS Code project is opened — surviving package uninstallation.
4. 04If a victim revokes the attacker's credentials before removing the malware, it wipes and overwrites the entire home directory to prevent file recovery.
5. 05The attacker gained initial access via one stolen Red Hat employee GitHub login, then used Red Hat's own build pipeline to publish packages with valid security certificates.
6. 06TeamPCP, active since late 2025, has 487 confirmed victim organizations and nearly 300,000 secrets harvested; confirmed victims include GitHub, Mistral AI, OpenAI employees, and the European Commission.
7. 07TeamPCP open-sourced the worm's source code on May 12; copycat campaigns are already active.

Topics