Jun 1 / Latest News

New “Miasma” Supply Chain Attack Hijacks Red Hat Cloud Packages to Steal Credentials and Spread Worm

A new supply chain attack campaign known as Miasma has compromised several @redhat‑cloud‑services npm packages, using them to steal credentials from developer machines and deploy a self‑spreading worm.

Security researchers say the operation mirrors the tactics of the Mini Shai‑Hulud attacks, relying on install‑time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and downstream propagation. Attribution remains unclear, in part because TeamPCP, the group behind the original Shai‑Hulud worm, has open‑sourced its tooling, making it easier for other threat actors to replicate the techniques.

The affected packages include vulnerabilities‑client, tsc‑transform‑imports, topological‑inventory‑client, sources‑client, rule‑components, remediations‑client, and rbac‑client. Analyses from Aikido Security, JFrog, Microsoft, OX Security, ReversingLabs, SafeDep, StepSecurity, and Wiz found that the packages contained an obfuscated preinstall hook designed to harvest GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault data, SSH keys, Git credentials, and other sensitive files. The malware exfiltrates the stolen data to an endpoint masquerading as api.anthropic.com and uses GitHub as a fallback channel, committing encrypted payloads to attacker‑controlled repositories.

Researchers noted that the malware avoids running on Russian‑language systems, a pattern seen in previous supply chain campaigns such as GlassWorm. It also performs actions tailored to npm environments, including exchanging OIDC tokens, repackaging tarballs, and signing artifacts through Sigstore. Public GitHub repositories created by the attacker carry the description “Miasma: The Spreading Blight,” with the first such commit appearing on May 29, 2026, suggesting the campaign has been active or in testing since then.

The malware goes further by enumerating repositories accessible to the compromised token, reading workflow files, and committing new malicious workflows using GitHub’s GraphQL API so that the changes appear as verified, signed commits. It attempts privilege escalation by launching a container that modifies sudoers configurations, checks for endpoint protection tools such as CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden‑Runner, and establishes persistence by injecting hooks into Anthropic Claude Code and Visual Studio Code projects so the malware launches automatically during development sessions.

Wiz researchers said this variant expands its focus on cloud identities, adding collectors for GCP and Azure accounts to enumerate all identities available to the infected machine. Unlike earlier versions, Miasma generates a uniquely encrypted payload for each infection, making detection and version tracking significantly harder.

Evidence indicates the attack began with the compromise of a Red Hat employee’s GitHub account, which was used to push malicious orphan commits into RedHatInsights repositories and bypass code review. Security firms recommend isolating affected hosts, removing malicious package versions, rotating exposed credentials, reviewing GitHub and npm activity, and checking for persistence artifacts in configuration files such as ~/.claude/settings.json, .vscode/tasks.json, and .github/workflows/codeql.yml. They warn that simply uninstalling the npm package is not enough, as the malware includes background execution and developer‑tool persistence.
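As an added example (not code from the article or any of the vendors it cites), the following Python script automates the checks recommended above for a single checkout: it looks for the named packages in `package.json`, extracts any command hooks from `~/.claude/settings.json`, lists VS Code tasks that auto-run on folder open, and reports whether `.github/workflows/codeql.yml` exists. The `@redhat‑cloud‑services/<name>` scoping, the Claude Code `hooks` layout and the sample inputs are assumptions; the CodeQL workflow is only checked for presence because the article does not describe its contents.

```python
import json
from pathlib import Path

# Package names from the article, prefixed with the npm scope it mentions (assumption).
AFFECTED = {f"@redhat-cloud-services/{n}" for n in (
    "vulnerabilities-client", "tsc-transform-imports", "topological-inventory-client",
    "sources-client", "rule-components", "remediations-client", "rbac-client")}

def affected_deps(package_json: str) -> list[str]:
    """Return affected package names declared in any dependency section."""
    data = json.loads(package_json)
    found = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        found |= AFFECTED & set(data.get(section, {}))
    return sorted(found)

def hook_commands(settings_json: str) -> list[str]:
    """Collect every 'command' string nested under a 'hooks' key (assumed Claude Code layout)."""
    def walk(node, inside):
        if isinstance(node, dict):
            if inside and isinstance(node.get("command"), str):
                yield node["command"]
            for key, value in node.items():
                yield from walk(value, inside or key == "hooks")
        elif isinstance(node, list):
            for item in node:
                yield from walk(item, inside)
    return list(walk(json.loads(settings_json), False))

def autorun_tasks(tasks_json: str) -> list[str]:
    """Return labels of VS Code tasks configured to run automatically on folder open."""
    tasks = json.loads(tasks_json).get("tasks", [])
    return [t.get("label", "?") for t in tasks
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def audit(root: Path, home: Path) -> dict:
    """Run all checks; any non-empty value or True flag needs manual review."""
    def read(p): return p.read_text() if p.exists() else "{}"
    return {
        "affected_packages": affected_deps(read(root / "package.json")),
        "claude_hook_commands": hook_commands(read(home / ".claude" / "settings.json")),
        "vscode_autorun_tasks": autorun_tasks(read(root / ".vscode" / "tasks.json")),
        "codeql_workflow_present": (root / ".github" / "workflows" / "codeql.yml").exists(),
    }

# Constructed sample inputs (not real artifacts) so the checks can run stand-alone.
SAMPLE_PACKAGE = '{"dependencies": {"@redhat-cloud-services/rbac-client": "1.0.0", "react": "18"}}'
SAMPLE_TASKS = '{"tasks": [{"label": "sync", "runOptions": {"runOn": "folderOpen"}}, {"label": "build"}]}'
SAMPLE_SETTINGS = '{"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "node ~/.cache/x.js"}]}]}}'
```

VS Code allows comments in `tasks.json`; strip them before calling `autorun_tasks` if `json.loads` rejects the file.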

Organizations using CI/CD systems are urged to suspend affected workflow runs, invalidate build artifacts created during the exposure window, and review any releases or deployment artifacts generated after the malicious packages were installed. Additional intelligence from Whiteintel suggests that Red Hat GitHub credentials and session cookies appeared in infostealer logs in April and May, potentially enabling the initial compromise.

The Miasma campaign is the latest in a string of supply chain attacks targeting open‑source ecosystems in recent months, affecting projects such as Aqua Trivy, Checkmarx KICS, Bitwarden, SAP, TanStack, GitHub, and Nx Console. It follows the Megalodon campaign, which injected malicious GitHub Actions workflows to harvest CI/CD secrets and cloud credentials. CISA said the wave of incidents highlights how attackers are increasingly abusing the tools and processes that underpin enterprise cloud and DevOps environments, from CI/CD pipelines to code extensions and automation workflows.