Detections
Analytics

Multiple Node.js Modules compromised in npm supply chain attack (Shai-Hulud 'Miasma') (06/01/2026)

critical Nessus Plugin ID 318388

Synopsis

The remote host has a Node.js module compromised in the Shai-Hulud 'Miasma' supply chain attack installed.

Description

The remote host has a version of one or more Node.js modules installed known to be compromised in the Shai-Hulud 'Miasma' npm supply chain attack reported on 06/01/2026. This wave compromised 32 packages (96 versions) published under the '@redhat-cloud-services' npm scope. It is tracked separately from the original Shai-Hulud and mini-Shai-Hulud campaigns because it is a copycat operation built on the open-sourced mini-Shai-Hulud malware and published through a compromised CI/CD pipeline using GitHub OIDC trusted publishing.

Each compromised package declares a 'preinstall' script that runs an obfuscated payload on every install.
The payload performs a broad credential sweep across cloud providers (AWS, GCP, Azure), CI/CD environments (GitHub Actions tokens), and developer tooling (npm and PyPI tokens, SSH and GPG keys, .env files), which is then exfiltrated.

The list of vulnerable Node.js packages this plugin checks for is up to date as of 06/01/26. However, the impact of this vulnerability is evolving and the list may become outdated if further vulnerable packages are discovered.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected node modules to a version higher than the known compromised versions.

See Also

http://www.nessus.org/u?73b9e974

http://www.nessus.org/u?95063cb5

Plugin Details

Severity: Critical

ID: 318388

File Name: npm_supply_chain_attack_miasma_shai_hulud.nasl

Version: 1.1

Type: Local

Agent: windows, macosx, unix

Family: Misc.

Published: 6/3/2026

Updated: 6/3/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Vulnerability Information

CPE: cpe:/a:nodejs:node.js

Required KB Items: Host/nodejs/modules/enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/1/2026

Vulnerability Publication Date: 6/1/2026