- A new supply chain attack campaign called Miasma has compromised multiple official @redhat-cloud-services npm packages.
- The malware steals credentials and secrets from developer machines to deliver a self-propagating worm.
- Evidence suggests a Red Hat employee’s GitHub account was the initial point of compromise used to inject the malicious code.
A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma, has compromised several official @redhat-cloud-services npm packages to steal credentials and deliver a worm. According to Socket, this campaign utilizes the same core tactics of install-time execution and credential harvesting seen in previous attacks.
The malware contains an obfuscated preinstall hook designed to collect a wide range of sensitive data. Per analyses from Aikido Security, JFrog, and others, this includes GitHub Actions secrets, npm tokens, cloud credentials, and SSH keys.
Consequently, the attack encrypts and exfiltrates stolen data to an external domain. As SafeDep noted, stolen credentials are sent to attacker-created public GitHub repositories.
Furthermore, the malware establishes persistence by injecting hooks into developer tools like Claude Code and Visual Studio Code. It also attempts to escalate privileges by launching containers that modify the host system.
Attribution is currently difficult because the related attack tools have been open-sourced. This allows other threat actors to conduct similar operations.
Evidence suggests the compromise began with a Red Hat employee’s GitHub account. The account was used to push malicious commits directly into repositories.
Security researchers recommend isolating affected hosts and rotating all exposed credentials immediately. They also advise reviewing GitHub and npm activity for any signs of compromise.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
