- What: The Miasma worm (Mini Shai-Hulud variant) backdoored 7 @redhat-cloud-services npm packages via a compromised Red Hat employee GitHub account on May 29, 2026, executing credential theft at install time.
- Impact: Malware harvests AWS/GCP/Azure keys, GitHub tokens, SSH keys, and CI/CD secrets, exfiltrates them to api.anthropic[.]com:443 (attacker-masqueraded endpoint), and self-propagates to other npm packages via Sigstore-signed tarballs.
- Fix / mitigation: Remove the 7 affected package versions, rotate all exposed credentials (cloud, npm, GitHub PATs, SSH), audit ~/.claude/settings.json and .vscode/tasks.json for persistence hooks, and rebuild CI artifacts produced during the exposure window.
- Who's at risk: Any developer or CI/CD pipeline that ran npm install on the affected @redhat-cloud-services/* packages between May 29, 2026 and patch time, especially those with cloud or production credentials on the same machine.
Attack Overview and Attribution
A new supply chain attack campaign dubbed Miasma has successfully compromised seven @redhat-cloud-services npm packages, delivering a credential-stealing worm to developer machines. Socket researchers identified the campaign as a Mini Shai-Hulud variant that executes at install-time, harvests credentials, targets CI/CD pipelines, and maintains encrypted exfiltration channels with self-propagation capabilities.
Attribution remains uncertain despite the technical similarities to previous Shai-Hulud operations. TeamPCP, the cybercrime group originally linked to Shai-Hulud tooling, has open-sourced their attack framework, enabling copycat operations by other threat actors. This decision has significantly complicated attribution efforts and lowered the barrier for similar supply chain attacks.
Compromised Packages and Initial Access
The attack compromised seven packages within the Red Hat Cloud Services ecosystem: @redhat-cloud-services/vulnerabilities-client, tsc-transform-imports, topological-inventory-client, sources-client, rule-components, remediations-client, and rbac-client. Evidence indicates the breach originated from a compromised Red Hat employee GitHub account, which pushed malicious orphan commits to two RedHatInsights repositories, effectively bypassing code review processes.
The first commit containing the 'Miasma: The Spreading Blight' signature appeared on May 29, 2026, according to OX Security analysis. This timestamp represents either the campaign's active start date or the beginning of the threat actor's testing phase. The compromised account served as patient zero, providing the attacker with legitimate access to inject payloads into trusted packages.
Organizations must immediately check for affected package versions. Standard remediation (uninstalling packages or deleting node_modules) is insufficient due to persistence mechanisms. Full system isolation and credential rotation are mandatory for any exposed systems.
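One way to run that check against a lockfile, as an added example that is not from the original article or any vendor report: it lists every installed copy of the seven package names in a package-lock.json (lockfileVersion 2 or 3), including copies nested under other dependencies, so the versions can be compared against the advisory. The function name and the sample lockfile are assumptions; the sample versions are placeholders because the article does not list the compromised versions.

```python
import json

# The seven package names listed in the article, all under one scope.
SCOPE = "@redhat-cloud-services/"
AFFECTED = {SCOPE + n for n in (
    "vulnerabilities-client", "tsc-transform-imports",
    "topological-inventory-client", "sources-client",
    "rule-components", "remediations-client", "rbac-client",
)}

def find_affected(lock):
    """Return every installed copy of an affected package name found in
    the 'packages' map of a parsed package-lock.json."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # Keys look like 'node_modules/a/node_modules/@scope/name'; an
        # explicit "name" field (used for aliases) takes precedence.
        name = meta.get("name") or path.rpartition("node_modules/")[2]
        if name in AFFECTED:
            hits.append({
                "name": name,
                "version": meta.get("version"),
                "path": path,
                # npm sets this flag when the package declares
                # preinstall/install/postinstall scripts.
                "has_install_script": bool(meta.get("hasInstallScript")),
            })
    return sorted(hits, key=lambda h: h["path"])

# Constructed sample lockfile; versions are placeholders.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@redhat-cloud-services/rbac-client":
      {"version": "0.0.0-placeholder", "hasInstallScript": true},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/foo/node_modules/@redhat-cloud-services/sources-client":
      {"version": "0.0.0-placeholder"}
  }
}""")

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_LOCK):
        print(hit)
```

A hit only means the package name is installed; whether the version is a compromised one has to come from the vendor advisories.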
Technical Analysis: Malware Capabilities
Analyses from eight security vendors—Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity, Wiz, and Socket—confirm the packages contain obfuscated preinstall hooks designed for comprehensive credential harvesting. The malware targets GitHub Actions secrets, npm tokens, cloud credentials (AWS, GCP, Azure), Kubernetes configurations, HashiCorp Vault material, SSH keys, Git credentials, and other sensitive files stored on developer machines.
The exfiltration mechanism uses encrypted channels to 'api.anthropic[.]com:443/v1/api' as the primary endpoint, with GitHub repositories serving as fallback infrastructure. Stolen credentials are committed to attacker-controlled public GitHub repositories, each carrying the description 'Miasma: The Spreading Blight.' The malware includes a threatening commit message pattern: 'IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:
A significant evolution in this variant is the addition of cloud identity collectors specifically targeting GCP and Azure environments. Where previous Shai-Hulud versions focused on extracting secrets, Miasma demonstrates increased attacker interest in gaining and leveraging direct cloud access. The malware also implements geofencing to avoid execution on Russian-language systems, a pattern previously observed in GlassWorm campaigns.
Self-Propagation and Supply Chain Weaponization
The worm's self-propagation capabilities represent the most dangerous aspect of this attack. The malware enumerates repositories where stolen tokens have write access, reads action.yml/action.yaml files via GraphQL queries, and commits malicious workflows using the createCommitOnBranch mutation. These commits appear as verified, signed changes—exploiting developer trust in code signing mechanisms.
For npm supply chain poisoning, the payload calls OIDC token exchange and whoami endpoints, repackages tarballs (updateTarball, package-updated.tgz), and signs artifacts through Sigstore infrastructure. This approach enables the malware to publish compromised packages that appear legitimate, passing standard security checks and propagating the infection downstream to other developers and organizations.
Persistence and Evasion Techniques
The malware establishes multiple persistence mechanisms targeting developer toolchains. It injects a SessionStart hook into Anthropic Claude Code configurations (~/.claude/settings.json) and creates tasks.json files with 'runOn': 'folderOpen' directives for Microsoft Visual Studio Code projects. These modifications ensure automatic malware execution during every development session, maintaining access even after initial cleanup attempts.
Before executing malicious actions, the malware performs reconnaissance to detect endpoint protection solutions from CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner. In CI/CD environments, it attempts privilege escalation by launching containers that bind-mount the host's /etc/sudoers.d directory, granting the CI runner passwordless sudo access for expanded system control.
A critical detection evasion feature distinguishes this variant from predecessors: unique encrypted payloads generated per infection. This approach significantly complicates signature-based detection, version tracking, and incident scoping efforts. Each compromised system receives a slightly different malware variant, preventing simple hash-based blocking and requiring behavioral detection capabilities.
Search for configuration file modifications in ~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, and .github/setup.js. Review GitHub and npm activity logs for unauthorized commits, package publishes, or repository access patterns during your exposure window.
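A sketch of that search for the two developer-tool persistence points, as an added example that is not code from the original article: it reports any SessionStart hook in .claude/settings.json and any tasks.json task set to run on folderOpen, together with the commands they would launch. The function names, the finding tuple format, and the exact JSON nesting (hooks.SessionStart for Claude Code, tasks[].runOptions.runOn for VS Code) are assumptions beyond what the article states.

```python
import json
import re
from pathlib import Path

def commands_in(node):
    """Yield every 'command' string nested anywhere under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "command" and isinstance(val, str):
                yield val
            else:
                yield from commands_in(val)
    elif isinstance(node, list):
        for item in node:
            yield from commands_in(item)

def audit_file(path):
    """Return (path, kind, commands) findings for one config file."""
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    is_claude = path.parent.name == ".claude"
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        # tasks.json is often JSONC (comments): text-match, do not skip.
        pat = r'"SessionStart"' if is_claude else r'"runOn"\s*:\s*"folderOpen"'
        return [(str(path), "unparsed-match", [])] if re.search(pat, text) else []
    if not isinstance(doc, dict):
        return []
    if is_claude:
        hooks = doc.get("hooks")
        hook = hooks.get("SessionStart") if isinstance(hooks, dict) else None
        return [(str(path), "SessionStart", list(commands_in(hook)))] if hook else []
    # Assumed VS Code layout: tasks[].runOptions.runOn == "folderOpen".
    tasks = doc.get("tasks")
    return [(str(path), "folderOpen", list(commands_in(task)))
            for task in (tasks if isinstance(tasks, list) else [])
            if isinstance(task, dict)
            and isinstance(task.get("runOptions"), dict)
            and task["runOptions"].get("runOn") == "folderOpen"]

def audit(home, projects_root):
    """Check <home>/.claude/settings.json and each .vscode/tasks.json."""
    targets = [Path(home) / ".claude" / "settings.json"]
    targets += sorted(Path(projects_root).rglob(".vscode/tasks.json"))
    return [f for t in targets if t.is_file() for f in audit_file(t)]

if __name__ == "__main__":
    print(*audit(Path.home(), Path.cwd()), sep="\n")
```

Both mechanisms also have legitimate uses, so each finding is a prompt to review the listed command, not a verdict.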
Incident Response Requirements
Organizations that installed affected package versions must implement comprehensive remediation beyond standard package removal. Immediate actions include: isolate all exposed hosts from network access, remove malicious package versions, rotate all potentially exposed credentials (cloud keys, npm tokens, GitHub PATs, SSH keys, service account credentials), and audit environments for persistence artifacts in developer tool configurations.
For CI/CD systems, suspend affected workflow runs immediately. Invalidate all build artifacts produced during the exposure window—this includes releases, container images, npm packages, and deployment artifacts created after malicious package installation. Review GitHub and npm activity logs for suspicious commits, package publishes, or workflow modifications that could indicate successful propagation.
Socket researchers emphasize that uninstalling the npm package or deleting node_modules directories does not constitute sufficient cleanup due to background execution mechanisms and developer tool persistence. Full system rebuilds may be necessary for high-value development environments or systems with access to production credentials.
Strategic Implications
The Miasma campaign demonstrates how open-sourcing sophisticated attack tools creates a force multiplier effect for supply chain threats. TeamPCP's decision to release Shai-Hulud tooling has enabled threat actors with varying skill levels to execute advanced supply chain attacks, increasing the frequency and diversity of these incidents while making attribution nearly impossible.
The compromise of a Red Hat employee account to inject malicious code into trusted packages underscores fundamental weaknesses in developer account security and code review processes. Organizations must implement stronger access controls including: mandatory multi-factor authentication for all developer accounts, separate privileged accounts for package publishing with limited scope, automated scanning of all commits (including orphan commits) before merge, and enhanced monitoring for unusual repository access patterns or commit behaviors.
- Deploy runtime application self-protection (RASP) or behavioral monitoring to detect install-time execution hooks
- Implement network egress filtering to block unexpected external connections from build environments
- Require code signing verification for all internal and external dependencies
- Establish air-gapped build environments for critical applications with manual artifact promotion
- Conduct regular audits of npm package maintainer access and remove unnecessary permissions
- Use dependency confusion prevention tools to detect typosquatting and namespace hijacking attempts
- Monitor for configuration file changes in developer tools as potential compromise indicators
The evolution toward cloud identity theft represents a strategic shift in attacker objectives. Where previous campaigns focused on immediate credential exfiltration, Miasma's emphasis on harvesting cloud identities with persistent access suggests longer-term compromise goals. This pattern indicates threat actors are positioning for sustained cloud environment access rather than quick credential grabs, requiring organizations to reassess their cloud identity security posture and implement zero-trust architectures with continuous verification.