
Security Cyber


Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm

A new supply chain campaign codenamed Miasma has compromised official-looking @redhat-cloud-services packages on the npm registry, planting credential-stealing malware that activates the moment a developer runs npm install -- no interaction required beyond a routine dependency pull.

This is not theoretical. The malicious packages were live on the public npm registry, available to any developer or CI/CD pipeline that resolved them. The attack is modelled directly on the 2023 Shai-Hulud campaign that compromised over 4,800 npm packages, but Miasma is more targeted and more precise.

What the Malware Does

The payload executes at install time -- a classic supply chain technique that is devastatingly effective because it exploits the implicit trust developers place in their dependency tree. Once triggered, it systematically harvests npm tokens, SSH private keys, cloud provider credentials for AWS, Azure and GCP, and any environment variables containing secrets or API keys. All collected data is encrypted before exfiltration, making network-level detection significantly harder.

But credential theft is only the first stage. Miasma includes worm-like propagation capability. If a compromised developer has publish access to any npm packages, the malware can push new malicious versions of those packages, which in turn infect anyone who installs them. This creates a self-sustaining infection loop that can propagate across the ecosystem without further attacker intervention.

Why This Should Be On Your Radar

The npm ecosystem is the largest software package registry in the world, serving over 17 million developers and handling over 20 billion package downloads per week. A single compromised package with the right dependency graph can cascade across thousands of downstream projects within hours.

Red Hat Cloud Services packages are specifically targeted because they are used by enterprise developers and CI/CD pipelines with access to production infrastructure. The credentials harvested from these environments are high-value: cloud access keys, deployment tokens, service account credentials -- everything an attacker needs to move laterally into production.

What To Do

  1. Audit your project's dependency tree right now for any @redhat-cloud-services packages you did not explicitly add.
  2. Check your npm audit logs for downloads of these packages during the active window.
  3. Rotate any npm tokens, SSH keys, or cloud credentials that may have been exposed on developer machines or CI/CD runners.
  4. Implement dependency pinning and use npm ci instead of npm install in CI/CD pipelines to prevent unexpected package resolution.
  5. Review all packages your organisation publishes and verify no malicious versions were pushed from compromised maintainer accounts.
  6. Brief your team -- if any developer on your team uses Red Hat Cloud Services tooling, treat their credentials as potentially compromised.

Full analysis: https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html

Have you audited your dependency trees recently? What controls do you have in place for supply chain compromise?


More at https://securitycyber.uk
Mastodon: https://infosec.exchange/@securitycyber
LinkedIn: https://www.linkedin.com/in/charlie-collins-sec
Bluesky: https://bsky.app/profile/securitycyberuk.bsky.social
Substack: https://securitycyber.substack.com
Discord: https://discord.gg/securitycyber

Recommended resources to go deeper: https://www.hackthebox.com for hands-on practice, https://portswigger.net/web-security for free web security labs, and https://academy.tcm-sec.com for structured courses.

Originally published at https://securitycyber.uk
