Jun 1 / Latest News

New “Miasma” Supply Chain Attack Hijacks Red Hat Cloud Packages to Steal Credentials and Spread Worm

A new supply chain attack campaign known as Miasma has compromised several @redhat-cloud-services npm packages, using them to steal credentials from developer machines and deploy a self‑spreading worm.

Security researchers say the operation mirrors the tactics of the Mini Shai‑Hulud attacks, relying on install‑time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and downstream propagation. Attribution remains unclear, in part because TeamPCP, the group behind the original Shai‑Hulud worm, has open‑sourced its tooling, making it easier for other threat actors to replicate the techniques.

The affected packages include vulnerabilities-client, tsc-transform-imports, topological-inventory-client, sources-client, rule-components, remediations-client, and rbac-client. Analyses from Aikido Security, JFrog, Microsoft, OX Security, ReversingLabs, SafeDep, StepSecurity, and Wiz found that the packages contained an obfuscated preinstall hook designed to harvest GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault data, SSH keys, Git credentials, and other sensitive files. The malware exfiltrates the stolen data to an endpoint masquerading as api.anthropic.com and uses GitHub as a fallback channel, committing encrypted payloads to attacker‑controlled repositories.

Researchers noted that the malware avoids running on Russian‑language systems, a pattern seen in previous supply chain campaigns such as GlassWorm. It also performs actions tailored to npm environments, including exchanging OIDC tokens, repackaging tarballs, and signing artifacts through Sigstore. Public GitHub repositories created by the attacker carry the description “Miasma: The Spreading Blight,” with the first such commit appearing on May 29, 2026, suggesting the campaign has been active or in testing since then.

The malware goes further by enumerating repositories accessible to the compromised token, reading workflow files, and committing new malicious workflows using GitHub’s GraphQL API so that the changes appear as verified, signed commits. It attempts privilege escalation by launching a container that modifies sudoers configurations, checks for endpoint protection tools such as CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden‑Runner, and establishes persistence by injecting hooks into Anthropic Claude Code and Visual Studio Code projects so the malware launches automatically during development sessions.

Wiz researchers said this variant expands its focus on cloud identities, adding collectors for GCP and Azure accounts to enumerate all identities available to the infected machine. Unlike earlier versions, Miasma generates a uniquely encrypted payload for each infection, making detection and version tracking significantly harder.

Evidence indicates the attack began with the compromise of a Red Hat employee’s GitHub account, which was used to push malicious orphan commits into RedHatInsights repositories and bypass code review. Security firms recommend isolating affected hosts, removing malicious package versions, rotating exposed credentials, reviewing GitHub and npm activity, and checking for persistence artifacts in configuration files such as ~/.claude/settings.json, .vscode/tasks.json, and .github/workflows/codeql.yml. They warn that simply uninstalling the npm package is not enough, as the malware includes background execution and developer‑tool persistence.
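A triage aid for the checks recommended above, added here as an example and not taken from the cited vendors' tooling: it flags the listed packages in a package-lock.json and lists auto-running entries in ~/.claude/settings.json and .vscode/tasks.json. It assumes the persistence takes the form of Claude Code command hooks and VS Code `runOn: folderOpen` tasks (the article does not say which keys are abused); the function names and sample inputs are constructed.

```python
import json
import re

# Package names as listed in the article, under the @redhat-cloud-services scope.
AFFECTED = {"@redhat-cloud-services/" + n for n in (
    "vulnerabilities-client", "tsc-transform-imports", "topological-inventory-client",
    "sources-client", "rule-components", "remediations-client", "rbac-client")}
_STR = r'("(?:\\.|[^"\\])*")'  # a JSON string literal, matched first so it is kept intact

def load_jsonc(text):
    """Parse JSON that may carry comments and trailing commas, as tasks.json often does."""
    keep = lambda m: m.group(1) or ""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return json.loads(re.sub(_STR + r"|,(?=\s*[}\]])", keep, text, flags=re.S))

def affected_in_lockfile(lock):
    """Sorted (name, version) for listed packages in a package-lock.json (v2/v3 layout)."""
    found = ((path.rpartition("node_modules/")[2], meta.get("version", "?"))
             for path, meta in lock.get("packages", {}).items())
    return sorted({f for f in found if f[0] in AFFECTED})

def claude_hook_commands(settings):
    """(event, command) for each command hook in a Claude Code settings.json."""
    return [(event, h.get("command", ""))
            for event, groups in settings.get("hooks", {}).items()
            for g in groups for h in g.get("hooks", [])
            if h.get("type") == "command"]

def vscode_autorun_tasks(tasks):
    """(label, command) for tasks that start by themselves when the folder is opened."""
    return [(t.get("label", ""), t.get("command", ""))
            for t in tasks.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

# Constructed sample inputs: versions and commands are placeholders, not real indicators.
SAMPLE_LOCK = {"packages": {
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/x/node_modules/@redhat-cloud-services/rbac-client": {"version": "0.0.0-sample"}}}
SAMPLE_CLAUDE = {"hooks": {"SessionStart": [
    {"hooks": [{"type": "command", "command": "node ./placeholder-hook.js"}]}]}}
SAMPLE_TASKS = """{ // constructed example
  "tasks": [
    {"label": "build", "command": "npm run build"},
    {"label": "init", "command": "node ./placeholder-task.js",
     "runOptions": {"runOn": "folderOpen"}}, ] }"""

if __name__ == "__main__":
    print(affected_in_lockfile(SAMPLE_LOCK), claude_hook_commands(SAMPLE_CLAUDE),
          vscode_autorun_tasks(load_jsonc(SAMPLE_TASKS)), sep="\n")
```

Every hit is a lead for manual review rather than proof of compromise: the article gives no malicious version numbers, so any version of a listed package is reported, and legitimate hooks or folder-open tasks will also appear.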

Organizations using CI/CD systems are urged to suspend affected workflow runs, invalidate build artifacts created during the exposure window, and review any releases or deployment artifacts generated after the malicious packages were installed. Additional intelligence from Whiteintel suggests that Red Hat GitHub credentials and session cookies appeared in infostealer logs in April and May, potentially enabling the initial compromise.

The Miasma campaign is the latest in a string of supply chain attacks targeting open‑source ecosystems in recent months, affecting projects such as Aqua Trivy, Checkmarx KICS, Bitwarden, SAP, TanStack, GitHub, and Nx Console. It follows the Megalodon campaign, which injected malicious GitHub Actions workflows to harvest CI/CD secrets and cloud credentials. CISA said the wave of incidents highlights how attackers are increasingly abusing the tools and processes that underpin enterprise cloud and DevOps environments, from CI/CD pipelines to code extensions and automation workflows.

The report shows that regulated data dominates exposure incidents, accounting for 59% of all policy violations across AI and personal cloud applications. Source code makes up 15%, intellectual property 13%, and passwords and API keys 12%. The trend suggests that compliance-sensitive information is the material most frequently pushed into AI tools or personal cloud accounts in ways that trigger data loss prevention controls.

Europe’s preferred AI tools also diverge from global patterns. ChatGPT remains the most widely used service in the region, with Anthropic’s Claude taking second place ahead of Google Gemini. That ranking reverses the global order, where Gemini typically sits above Claude. Mistral’s Le Chat, developed in France, also appears prominently in European usage. Claude’s adoption surged in September 2025, when its growth curve steepened and pushed it past Gemini. ChatGPT maintained its lead throughout the year, and Microsoft Copilot held steady across the region.

Organizations are also blocking certain AI applications over privacy and data-handling concerns. Particular Audience tops the blocked list at 44%, followed by ZeroGPT at 37% and DeepSeek at 36%. These restrictions reflect unease around how some services process, personalize, and retain user data. In heavily regulated industries, companies often apply broad category-level blocks in addition to targeting specific apps.

The report highlights that attackers are increasingly blending into trusted cloud ecosystems. Malware distribution in Europe frequently relies on reputable platforms such as GitHub and Microsoft OneDrive, which benefit from user trust and can slip past URL-based filtering. The widespread use of personal cloud applications inside corporate networks further complicates security, as employees move files between personal and work environments, creating additional opportunities for exposure.

Netskope’s analysis suggests that European organizations have made significant progress in building guardrails around AI, particularly by shifting users away from personal accounts and into managed platforms. The remaining challenges center on the 15% of workers who still toggle between personal and enterprise AI accounts, the AI features embedded in everyday tools that operate outside the visibility of many security programs, and the steady flow of malicious files arriving through trusted cloud services.

The report recommends pairing data loss prevention controls with application-specific governance, noting that regulated data violations now span both AI tools and personal cloud applications, and that the boundary between these categories continues to blur as AI becomes a default layer in modern productivity software.