The Mini Shai-Hulud codebase that hit TanStack and OpenAI last week is now operating inside Red Hat’s official npm namespace. The worm variant, now tracked as Miasma, compromised 32 packages under @redhat-cloud-services with 96 poisoned versions and approximately 117,000 weekly downloads. The mechanism was familiar: a stolen Red Hat employee GitHub account pushed orphan commits that bypassed code review entirely. The result is not.

As noted in Monday’s brief, TeamPCP’s Mini Shai-Hulud campaign targeted independent npm and PyPI packages through week 10. Those packages carry a calibrated trust level in most environments; developers who install them are usually doing something bespoke. @redhat-cloud-services is a different category. Enterprise CI/CD pipelines, container build systems, and platform engineering toolchains treat it as a first-party source. Compromising it does not require targeting individual organizations. The targeting becomes automatic.

The Attribution Problem TeamPCP Created for Itself

The Miasma attribution question matters more than it normally would. After the initial Mini Shai-Hulud campaign, TeamPCP publicly released the worm’s source code. That is not typical threat-actor behavior, and it is worth understanding as a deliberate tactical choice. The release converts a proprietary campaign tool into open-source attack infrastructure. Anyone who can steal a developer credential now has access to a production-ready credential-stealing worm with a demonstrated track record of bypassing npm registry signature detection.

The forensic consequence: TTPs that look like TeamPCP may not be TeamPCP. Incident responders attributing Miasma infections solely to the known group are likely undercounting the actual operator population. The open-source release may have been a calculated move to generate attribution noise, or it may have been a mistake. Either way, the worm is now a commodity.

The credential theft vector underlying both last week’s Megalodon operation (5,718 malicious GitHub commits via infostealer-harvested developer credentials) and this week’s Miasma is a structural problem that patches do not address. Both attacks used valid, authenticated sessions to push malicious code through normal git workflows. Code review processes calibrated to catch technical errors or clearly malicious intent are not calibrated to catch commits from a valid team member’s compromised account. The trust model fails at the authentication layer, not the review layer, and most enterprise CI/CD pipelines have no compensating control for that specific failure mode.

For defenders, the practical priority is namespace-level. Anything in @redhat-cloud-services installed between the compromise window and remediation should be treated as suspect until hash verification against clean versions completes. The 96 poisoned versions span 32 packages, and the payload is credential-focused. Affected systems may have exfiltrated developer tokens, CI/CD secrets, and cloud API keys silently before any alert fired. The remediation sequence matters: identify affected package versions first, pull and rotate credentials for any system that touched them second, then address the packages. Rotating credentials after the package fix without the first step leaves an unknown extraction window unaccounted for.

When the Operator Didn’t Write the Ransomware

The second significant development since Monday demands a different analytical frame. BleepingComputer documented a ransomware toolkit where the operator used Cursor IDE and Claude Opus as persistent collaborators across multiple development stages: initial coding, payload refinement, and evasion logic revision. The finished toolkit automates Active Directory enumeration and integrates EDR-killer components as standard pre-encryption steps. This is not the “AI generated some code” story that appeared repeatedly in 2024 and 2025. It is the first confirmed case of an LLM serving as a development collaborator across an entire ransomware toolchain build.

Monday’s brief noted that Google confirmed the first AI-generated zero-day exploit in the wild, framing it as a reduction in the cognitive complexity ceiling for certain vulnerability classes. The ransomware case is the same pattern applied to toolchain development. The operator did not use AI to generate a single function; they iterated with it across a full development arc.

The practical implication for defenders is not about detecting AI-written malware. Signatures do not care who wrote the code. The implication is about what gets built. EDR evasion and Active Directory enumeration have always been components of capable ransomware operations, but integrating them as default pre-encryption steps has historically required specialized knowledge or access to commodity tooling purchased from established criminal markets. A development collaborator that refines evasion logic on iteration, validates against common detection approaches, and adjusts when outputs fail lowers the skill floor for building integrated capability from scratch. The threat is not AI ransomware. It is capable ransomware from operators who could not previously build capable ransomware.

Escalations from Monday

ShinyHunters is running concurrent extortion operations across multiple sectors rather than pivoting between targets. Three separate consumer-facing organizations disclosed incidents in the first week of June: Charter Communications (Spectrum) confirmed the group exfiltrated 4.9 million customer email addresses plus names, phone numbers, and physical addresses; Carnival Corporation notified nearly 6 million cruise customers of an account-access incident via social engineering against a single employee; and Station Casinos confirmed unauthorized access to employee account files. Monday’s brief tracked ShinyHunters at CRITICAL through week 5 following the Canvas recompromise. The new disclosures confirm parallel targeting, not sequential.

The June Android bulletin added a time-sensitive operational item. CVE-2025-48595, an integer overflow in the Android Framework confirmed under active targeted exploitation, received a CISA KEV addition on June 2 with a June 10 federal remediation deadline. That 8-day window is CISA signaling confirmed in-the-wild exploitation, not precautionary posture. CVE-2025-65018, a second Android Framework flaw enabling remote privilege escalation without user interaction, was addressed in the same bulletin. Mobile device management programs operating on monthly patch cycles are already behind this timeline.

What to Watch

Monday’s brief flagged the MiniPlasma proof-of-concept release and assessed weaponized exploit availability within one to two weeks. That window now runs June 9-16. If a working exploit materializes before Microsoft issues a permanent patch for the underlying Windows zero-day (CVE-2026-45585 remains mitigation-only with no patch calendar date), defenders will face the same unpatched-window exploitation dynamic currently playing out with Exchange CVE-2026-42897, which entered its fourth week of confirmed active exploitation this week. Two converging factors, a public PoC and no patch on the horizon, make this the highest-probability near-term escalation before the next Monday report.

Security Unlocked publishes threat intelligence and strategic analysis twice weekly. This mid-week brief covers developments from 2026-06-01 through 2026-06-04.