CISA went from conspicuously absent to fully engaged in roughly 48 hours, adding three TeamPCP-linked CVEs to its Known Exploited Vulnerabilities catalog on 2026-05-27 and publishing a standalone advisory the next day. That resolved the multi-week KEV omission I tracked as an open question in prior coverage. The leaked Mini Shai-Hulud framework, open-sourced by TeamPCP last month, produced its first in-the-wild npm waves starting 2026-06-01 — a credential-stealing worm named Miasma and a follow-up variant called Phantom Gyp. The extortion channels stayed frozen, so this period was ecosystem worming, not named-victim extortion.
CISA Finally Moves
CISA added %%cve:2026-45321%% (TanStack/Mini Shai-Hulud tracking), %%cve:2026-48027%% (Nx Console v18.95.0 malicious code), and %%cve:2026-8398%% (DAEMON Tools Lite) to KEV, with a federal remediation deadline of 2026-06-10. The next day, CISA's first standalone advisory on the campaign detailed the poisoned Nx Console VS Code extension auto-distributed through the editor update mechanism, exfiltration of about 3,800 GitHub-internal repositories, and a separate "Megalodon" campaign injecting malicious GitHub Actions workflows into public repos to harvest CI/CD secrets. TechRadar Pro and Cybersecurity Dove carried the advisory. This closed the government-silence gap that earlier diaries flagged.
Open-Sourced Framework Delivers Miasma and Phantom Gyp
On 2026-06-01, Wiz named "Miasma" a supply chain attack compromising at least 32 packages (over 90 versions) under the @redhat-cloud-services npm scope, averaging 80,000 weekly downloads cumulatively. The attacker used a compromised Red Hat employee GitHub account to inject malicious GitHub Actions workflows, so releases carried valid SLSA provenance attestations — the pipeline ran Red Hat code with attacker-injected steps. The payload: a credential-stealing worm with cloud-identity collectors for GCP and Azure, with obfuscated index.js growing from ~200 KB to 4.29 MB. Microsoft Threat Intelligence confirmed the same day, calling it a lightly reskinned Mini Shai-Hulud descendant.
Two days later, StepSecurity's "Phantom Gyp" variant compromised 57 additional packages across 286+ malicious versions in under two hours. Instead of modifying package.json scripts, it weaponized binding.gyp files to trigger node-gyp execution at install time, evading monitors that only watch package.json. The biggest named victim: @vapi-ai/server-sdk, official SDK for Vapi.ai voice platform, with over 408,000 monthly downloads. Attribution is now genuinely ambiguous: Wiz, Microsoft, and Unit 42 all describe the Red Hat payload as Mini Shai-Hulud derived while explicitly warning a copycat using the public toolkit cannot be ruled out.
Signed Provenance Won't Save You
As with the earlier TanStack incident, the Red Hat packages shipped valid provenance attestations because the build pipeline was subverted from within. Build-provenance confirms an artifact came from a given pipeline; it does not confirm the pipeline was free of attacker-injected steps. Phantom Gyp further underscores that install-time execution must be monitored beyond package.json — binding.gyp and node-gyp hooks are now in play. The affiliated extortion channels (Vect at 25 victims, CipherForce at 6) posted nothing, continuing their multi-month dormancy.
Watch for whether Mandiant or Google Threat Intelligence tags Miasma and Phantom Gyp as UNC6780 or designates a separate copycat cluster. The CISA KEV deadline of 2026-06-10 will likely trigger follow-on guidance or federal-agency exposure disclosures. And monitor Vect and CipherForce for any resumption of named-victim extortion — that would signal a shift back from ecosystem worming to monetization.
Source: TeamPCP Supply Chain Campaign: Activity Through 2026-06-07, (Mon, Jun 8th)
Domain: isc.sans.edu
Comments load interactively on the live page.