The Blight Still Blooms: 83 Live Miasma Dead Drops — and the Victims You Can Name Without Decrypting | Intercept Cell
JFrog documented the Red Hat npm hijack. We mapped what they left behind: 83 public GitHub dead drops still live four days later, encrypted exfil you cannot read — and compromised accounts you can identify from repo ownership alone. You do not need the attacker's private key to know who got hit.
On June 1, JFrog Security Research published analysis of **Shai-Hulud — Miasma**, a supply-chain worm that hijacked dozens of packages under @redhat-cloud-services on npm. Microsoft, Sonatype, and StepSecurity followed with expanded IOC lists and a second execution path: silent binding.gyp command expansion that bypasses install-script monitoring. Those reports explain how the worm works. This dispatch maps what is still sitting in the open — and answers a question defenders keep asking wrong: **do you need to decrypt the exfil to know who got hit?** No. You do not.

When primary exfiltration paths fail — or as a parallel channel — the payload creates **public GitHub repositories** using stolen victim tokens. Each repo is stamped with a campaign marker in the description:

```text
Miasma: The Spreading Blight
```

Stolen data lands under results/ as timestamped JSON files:
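The identification the dispatch describes, as an added example (not code from JFrog or any of the cited reports): build the GitHub repository search for the exact description marker, then read owner logins out of the response to name the accounts whose tokens created dead drops. It assumes the standard `/search/repositories` endpoint with the `in:description` qualifier; the API response below is constructed, not captured data.

```python
import json
from urllib.parse import urlencode

# Campaign marker quoted in the dispatch: repos carrying it in the description
# were created with a victim's stolen GitHub token, so the owner is the victim.
MARKER = "Miasma: The Spreading Blight"
SEARCH_ENDPOINT = "https://api.github.com/search/repositories"  # assumption: standard search API


def build_search_url(marker: str = MARKER) -> str:
    """URL for a repository search on the exact marker in the description field."""
    query = f'"{marker}" in:description'
    return f"{SEARCH_ENDPOINT}?{urlencode({'q': query, 'per_page': 100})}"


def identify_victims(search_response: str, marker: str = MARKER) -> dict:
    """Map each owner login to the dead-drop repos attributed to it.

    Only an exact description match counts: a researcher's IOC tracker that merely
    mentions the marker in a longer description is dropped, so the owner list
    reflects accounts whose token actually created a drop. No decryption needed.
    """
    victims = {}
    for repo in json.loads(search_response).get("items", []):
        if (repo.get("description") or "").strip() != marker:
            continue
        victims.setdefault(repo["owner"]["login"], []).append(
            {"repo": repo["full_name"], "created_at": repo["created_at"]}
        )
    return victims


# Constructed sample response (not real data): two drops under one account, one under
# another, and a researcher repo that mentions the marker but is not a dead drop.
def _item(full_name, description, created_at):
    owner = full_name.split("/")[0]
    return {"full_name": full_name, "description": description,
            "owner": {"login": owner}, "created_at": created_at, "private": False}

SAMPLE_RESPONSE = json.dumps({"total_count": 4, "items": [
    _item("alice-dev/zx9k", MARKER, "2025-06-02T03:14:15Z"),
    _item("alice-dev/q7p2", MARKER, "2025-06-02T03:20:41Z"),
    _item("bobco-ci/h3m1", MARKER, "2025-06-03T11:05:09Z"),
    _item("sec-researcher/miasma-iocs",
          "IOC tracker for Miasma: The Spreading Blight dead drops", "2025-06-04T08:00:00Z"),
]})

if __name__ == "__main__":
    print(build_search_url())
    for owner, drops in identify_victims(SAMPLE_RESPONSE).items():
        print(f"{owner}: {len(drops)} dead drop(s) -> {[d['repo'] for d in drops]}")
```

Each owner returned is an account that needs its tokens revoked and its packages audited; the repos themselves are the attacker's drops, not something to fetch for the payload.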