Miasma Attack Targets Red Hat npm Packages, Deploys Credential-Stealing Worm
A sophisticated supply chain attack, dubbed Miasma, has infiltrated Red Hat’s npm packages, deploying a self-propagating worm designed to steal sensitive credentials from developer systems. This campaign mirrors tactics previously associated with the Mini Shai-Hulud attacks, including execution during installation, credential harvesting, targeting of continuous integration and continuous deployment (CI/CD) pipelines, encrypted data exfiltration, and potential downstream propagation.
The exact perpetrators behind Miasma remain unidentified. The situation is further complicated by the fact that TeamPCP, a notorious cybercriminal group, has publicly released tools linked to the Shai-Hulud worm, enabling other threat actors to execute similar attacks and obscuring definitive attribution.
Several Red Hat Cloud Services packages have been compromised, including:
– @redhat-cloud-services/vulnerabilities-client
– @redhat-cloud-services/tsc-transform-imports
– @redhat-cloud-services/topological-inventory-client
– @redhat-cloud-services/sources-client
– @redhat-cloud-services/rule-components
– @redhat-cloud-services/remediations-client
– @redhat-cloud-services/rbac-client
Analyses from cybersecurity firms such as Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity, and Wiz reveal that these npm packages contain obfuscated preinstall scripts. These scripts are engineered to collect a wide array of sensitive information, including GitHub Actions secrets, npm tokens, cloud service credentials, Kubernetes and Vault data, SSH keys, and Git credentials.
Consistent with previous Mini Shai-Hulud attacks, the malware incorporates encrypted exfiltration mechanisms that transmit the harvested data to api.anthropic[.]com:443/v1/api, with GitHub serving as a fallback channel. This strategy indicates the attackers’ intent to both steal credentials and utilize them to further compromise the software supply chain.
Notably, the malware is programmed to avoid execution on systems configured for the Russian language, a tactic also observed in the GlassWorm supply chain campaigns.
The first instance of the Miasma: The Spreading Blight commit message was detected on May 29, 2026, suggesting that this variant has been active since that date or that the attackers began testing around that time.
Within GitHub environments, the malware enumerates repositories accessible by the compromised token, reads action.yml/action.yaml files via GraphQL, and commits workflows through the createCommitOnBranch mutation, making the commits appear as verified, signed changes. Additional malicious actions include:
– Attempting privilege escalation by launching containers that bind-mount the host’s /etc/sudoers.d directory, granting the CI runner passwordless sudo access.
– Checking for endpoint protection solutions from vendors like CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before initiating malicious activities.
– Establishing persistence by injecting SessionStart hooks into Anthropic Claude Code and modifying tasks.json files with runOn: folderOpen settings for Microsoft Visual Studio Code projects, ensuring the malware is automatically launched during each session.
A significant evolution in this variant is the addition of new data collectors focused on cloud identities, specifically targeting Google Cloud Platform (GCP) and Azure identities. This shift indicates an increased focus by attackers on gaining and leveraging access to cloud environments.
Unlike previous versions, this malware variant generates uniquely encrypted payloads for each infection, complicating detection and version tracking efforts.
Evidence suggests that the initial compromise occurred through a Red Hat employee’s GitHub account, which was used to inject the malicious payloads into these packages. The compromised account reportedly pushed malicious orphan commits to two RedHatInsights repositories, circumventing standard code review processes.
To mitigate the impact of this attack, it is recommended to:
– Isolate hosts that have installed the affected package versions.
– Remove the malicious package versions.
– Rotate any exposed credentials.
– Review systems for signs of suspicious GitHub or npm activity.
– Audit environments for persistence artifacts, including changes to configuration files such as ~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, and .github/setup.js.
– Enforce strong access controls.
It’s important to note that due to the malware’s background execution and potential persistence mechanisms within developer tools, simply uninstalling the npm package or deleting the node_modules directory is insufficient for thorough cleanup.
For CI/CD systems, it is advisable to:
– Suspend affected workflow runs.
– Invalidate build artifacts produced during the exposure window.
– Review whether any releases, container images, npm packages, or deployment artifacts were created after the malicious package was installed.
This incident underscores the critical importance of securing software supply chains and implementing robust monitoring and response strategies to detect and mitigate such sophisticated attacks.
