DEV Community

Deepak Sharma

Miasma Supply Chain Attack Targets Red Hat npm Packages with Credential-Stealing Malware

Cybersecurity researchers have uncovered a new software supply chain attack campaign, dubbed Miasma, that compromised multiple npm packages associated with Red Hat cloud services. The campaign is designed to steal developer credentials, cloud secrets, CI/CD tokens, and other sensitive information while also attempting to spread itself further through software development environments.

Researchers say the attack shares several characteristics with previous "Mini Shai-Hulud" malware campaigns, including install-time execution, credential harvesting, encrypted data exfiltration, and mechanisms designed to compromise additional systems within the software supply chain.

Several affected packages were reportedly linked to Red Hat cloud service projects and were used by developers in enterprise environments. Once installed, the malicious packages ran hidden code as part of the install step, before installation had completed, allowing attackers to quietly collect sensitive information from infected systems.

The malware targeted a wide range of credentials and secrets, including GitHub tokens, npm authentication tokens, cloud provider credentials, Kubernetes secrets, SSH keys, Git configuration data, and other files commonly used in software development workflows.

Researchers also found that the malware attempted to compromise CI/CD pipelines by modifying GitHub repositories and injecting malicious workflows. In some cases, the malware reportedly abused GitHub APIs to make changes that appeared as legitimate signed commits, making malicious activity harder to detect.

Another notable feature of the campaign was its focus on cloud environments. Unlike earlier variants that primarily collected secrets, this version expanded its capabilities to gather information about cloud identities and accessible resources in major cloud platforms. Researchers believe this indicates a growing attacker interest in gaining direct access to cloud infrastructure rather than simply stealing credentials.

The malware also included persistence mechanisms designed to automatically reactivate itself within developer environments. Investigators observed attempts to modify configuration files associated with development tools and code editors to ensure the malicious code would continue running during future sessions.

Security researchers suspect the campaign may have originated from a compromised developer account, allowing attackers to inject malicious code into legitimate software packages without immediately raising suspicion.

Organizations that installed affected packages are advised to remove compromised versions, rotate all potentially exposed credentials, review cloud access permissions, inspect CI/CD environments for unauthorized changes, and monitor repositories for suspicious activity.

The incident highlights the growing sophistication of software supply chain attacks, where trusted development tools and open-source ecosystems are increasingly being targeted to gain access to enterprise environments.

Cybersecurity-focused organizations like IntelligenceX continue to emphasize dependency security, credential protection, software supply chain monitoring, and proactive threat intelligence as attacks against developer ecosystems continue to evolve and expand.
