A sophisticated new supply chain attack campaign, codenamed Miasma, has been uncovered after it compromised @redhat-cloud-services npm packages. The campaign is designed to exfiltrate a wide array of sensitive credentials and secrets from developer machines and then deploy a self-propagating worm, posing a substantial threat to the broader software development ecosystem. Security researchers have identified it as a direct descendant or variant of the notorious Mini Shai-Hulud campaign, leveraging similar core tactics to achieve its malicious objectives.
Understanding the Threat: The Mini Shai-Hulud Blueprint and Miasma’s Evolution
The Miasma campaign exhibits striking similarities to the previously documented Mini Shai-Hulud attacks, a pattern that security firm Socket highlighted, stating, "This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential downstream propagation." The Shai-Hulud worm, whose attack tools were infamously open-sourced by the cybercrime group TeamPCP, has enabled a wider array of threat actors to replicate and adapt its methodology. This open-sourcing complicates definitive attribution for the Miasma campaign, making it challenging to pinpoint the exact perpetrators behind this particular wave of attacks. However, the sophistication and targeted nature suggest a well-resourced and highly skilled adversary.
Supply chain attacks, like Miasma, exploit the trust inherent in software development processes. Instead of directly attacking a target organization, attackers compromise a component or dependency that the target uses, allowing them to indirectly infiltrate systems. In this case, the compromise of widely used npm packages for Red Hat Cloud Services provides a potent vector for widespread infection across developer environments and build systems. This method bypasses many traditional perimeter defenses, as the malicious code is introduced through trusted channels.
Deep Dive into the Attack Vector: Compromised npm Packages
The npm registry, a vital repository for JavaScript packages, serves as a cornerstone for millions of development projects worldwide. Its ubiquity, while enabling rapid development, also presents a massive attack surface for threat actors. The Miasma campaign specifically targeted packages associated with Red Hat Cloud Services, a critical infrastructure provider for many enterprises leveraging open-source technologies. The compromised npm packages were found to contain an obfuscated preinstall hook, a script that executes automatically before the package is installed. This preinstall hook is the primary mechanism for the malware’s initial execution and subsequent malicious activities.

Once executed, the malware initiates an aggressive credential harvesting operation. Researchers from multiple security firms, including Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity, and Wiz, independently analyzed the compromised packages. Their collective findings reveal that the malware is engineered to collect a comprehensive array of sensitive information, including:
- GitHub Actions secrets: Crucial for automating workflows and deployments within GitHub repositories.
- npm tokens: Providing access to publish or modify packages on the npm registry.
- Cloud credentials: Encompassing Kubernetes and Vault material, and notably, new collectors for GCP (Google Cloud Platform) and Azure identities. This expansion indicates an increased attacker focus on gaining and leveraging direct access to cloud environments, not just extracting secrets from them.
- SSH keys: Granting secure shell access to remote servers and systems.
- Git credentials: For accessing and manipulating code repositories.
- Other sensitive files: Any data deemed valuable for further exploitation or lateral movement.
This broad scope of data collection underscores the attacker’s intent to gain deep and pervasive access to developer environments, source code repositories, and cloud infrastructure. Such access can lead to intellectual property theft, further supply chain poisoning, and extensive data breaches.
The Exfiltration Mechanism and Persistence Strategies
The exfiltrated data is not merely collected but also transmitted using a sophisticated, encrypted exfiltration logic. The primary command-and-control channel for this data transmission is api.anthropic[.]com:443/v1/api, with GitHub serving as a robust fallback mechanism. The use of GitHub as a secondary exfiltration route is particularly insidious, as it leverages a legitimate and widely trusted platform for covert communication.
In instances where GitHub is used for exfiltration, the malware commits the encrypted result envelope to attacker-controlled public GitHub repositories. These repositories are often marked with the descriptive string "Miasma: The Spreading Blight," a clear identifier of the campaign. Socket highlighted a particularly alarming aspect of this GitHub exfiltration, noting that "The commit message can include: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:." This message serves as a psychological tactic, potentially deterring victims from immediately revoking compromised tokens due to fear of further damage, thereby extending the attacker’s access window.
A significant evolution in this variant, as identified by Wiz researchers, is the generation of a uniquely encrypted payload for each infection. This individualized encryption strategy significantly complicates detection efforts and makes version tracking by security analysts considerably more challenging. Each new infection presents a slightly different cryptographic signature, hindering signature-based detection systems and requiring more dynamic and behavioral analysis.
Beyond data exfiltration, the Miasma worm incorporates robust persistence mechanisms designed to ensure long-term access to compromised systems. These include background execution capabilities and developer-tool persistence mechanisms. The malware makes changes to critical configuration files, such as ~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, and .github/setup.js. These modifications ensure that the malicious code can survive reboots, package uninstallation, or other superficial cleanup attempts, maintaining a foothold within the developer’s environment.

Chronology of Discovery and Attribution Challenges
The earliest indicators of the Miasma campaign emerged on May 29, 2026, when the distinctive "Miasma: The Spreading Blight" string first appeared in attacker-created public GitHub repositories. OX Security noted this date, suggesting either that this variant had been actively deployed since then or that the threat actor was conducting initial testing around that period. The coordinated efforts of multiple cybersecurity research firms were instrumental in rapidly identifying and analyzing the scope and tactics of this campaign. The collaborative nature of these discoveries, involving firms like Socket, Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity, and Wiz, underscores the industry’s commitment to collective defense against evolving threats.
Attribution remains a complex challenge. While the Miasma campaign shares significant tactical overlap with the original Shai-Hulud worm, the public availability of Shai-Hulud’s attack tools, courtesy of TeamPCP, allows various threat actors to deploy similar attacks. This "democratization" of advanced cyber tools makes it exceedingly difficult to definitively identify the specific group or individuals behind the Miasma operation. The threat actor could be a state-sponsored entity, an organized cybercrime syndicate, or even an independent, highly skilled group leveraging existing tools.
Patient Zero: A Compromised Red Hat Employee Account
A critical breakthrough in understanding the attack’s initial vector points to the compromise of a Red Hat employee’s GitHub account as the "patient zero" for the Miasma campaign. This high-privilege account was reportedly used to inject malicious "orphan commits" into two RedHatInsights repositories. The term "orphan commit" typically refers to a commit that doesn’t have a parent in the repository’s history, often used for initial commits in a new branch or repository. In this context, it implies a manipulation designed to bypass standard code review processes, allowing the malicious payload to be seamlessly integrated into trusted codebases without immediate detection.
The compromise of an insider account, even if unwittingly, is a potent vector for supply chain attacks. It leverages existing trust and access, enabling attackers to circumvent security controls that might otherwise flag external intrusions. This incident highlights the paramount importance of robust account security, including multi-factor authentication (MFA), least privilege principles, and continuous monitoring for anomalous activity, even for internal accounts.
Geographic Avoidance and Attack Sophistication

Adding another layer of intrigue to the Miasma campaign is the malware’s observed behavior of avoiding execution on Russian-language systems. This pattern has been noted in other sophisticated supply chain campaigns, such as GlassWorm, and often suggests potential geopolitical motivations, state-sponsored backing, or a deliberate operational security measure to avoid drawing attention from specific jurisdictions. The implications of such geo-fencing are significant for threat intelligence and understanding the adversary’s strategic objectives.
The malware’s sophistication extends to its interaction with development ecosystems. For npm, the payload calls OIDC token exchange and whoami endpoints, repackages a tarball (updateTarball, package-updated.tgz), and then cryptographically signs the artifact through Sigstore. Sigstore is an increasingly adopted standard for signing software artifacts, designed to enhance software supply chain security by verifying the origin and integrity of packages. The fact that the attackers are leveraging Sigstore for their malicious packages demonstrates a high level of technical prowess and an attempt to imbue their compromised artifacts with a false sense of legitimacy, further eroding trust in the supply chain.
On the GitHub front, the malware enumerates repositories that the stolen token can write to, reads action.yml/action.yaml via GraphQL, and then commits a workflow through the createCommitOnBranch mutation. This particular mutation ensures that the malicious commit appears as a verified, signed change within the repository, making it even harder for developers or automated systems to distinguish it from legitimate contributions. These actions underscore the attacker’s intent to not only steal credentials but also to weaponize them to propagate the worm further and maintain persistence within the development environment.
Red Hat’s Response and Remediation Efforts
While Red Hat has not released specific public statements detailed in the provided information, organizations of its stature would undoubtedly launch an immediate, comprehensive internal investigation upon discovering such a critical compromise. This would involve isolating affected systems, analyzing the extent of the breach, and collaborating with security researchers to understand the full scope of the attack.
For organizations and developers potentially affected by the Miasma campaign, immediate and thorough remediation steps are critically important. Security experts recommend the following actions:
- Isolate Affected Hosts: Any machine that has installed the compromised npm packages should be immediately disconnected from the network to prevent further lateral movement or exfiltration.
- Remove Malicious Versions: Identify and remove all instances of the malicious npm packages from development environments, build servers, and any other systems where they might have been installed.
- Rotate Exposed Credentials: All credentials and secrets identified as being targeted by the malware (GitHub Actions secrets, npm tokens, cloud credentials, SSH keys, Git credentials, etc.) must be immediately revoked and rotated. This includes invalidating existing tokens and generating new ones.
- Review for Suspicious Activity: Conduct a meticulous audit of GitHub and npm activity logs for any signs of unauthorized commits, package publications, or other anomalous behavior.
- Audit for Persistence Artifacts: Scrutinize environments for the specific configuration file changes indicative of the malware’s persistence mechanisms (~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, .github/setup.js). These artifacts must be removed.
- Enforce Strong Access Controls: Implement and enforce strict least privilege principles, multi-factor authentication for all critical accounts, and regular access reviews.
Crucially, security firm Socket emphasized that "Because the malware includes background execution and potential developer-tool persistence mechanisms, uninstalling the npm package or deleting node_modules should not be considered sufficient cleanup." This highlights the deep-rooted nature of the infection and the need for a comprehensive eradication strategy.

For CI/CD (Continuous Integration/Continuous Delivery) systems, the remediation is even more critical:
- Suspend all affected workflow runs immediately.
- Invalidate any build artifacts produced during the exposure window, as these might contain malicious code or be tainted by compromised credentials.
- Thoroughly review whether any release, container image, npm package, or deployment artifact was created or modified after the malicious package was installed, as these could represent further poisoned components in the software supply chain.
Broader Implications for Software Supply Chain Security
The Miasma campaign is a stark reminder of the escalating threat posed by software supply chain attacks. The increasing reliance on open-source components and shared development infrastructure means that a single point of compromise, such as a developer’s GitHub account or a popular npm package, can have cascading effects across numerous organizations. This incident underscores several critical implications for the cybersecurity landscape:
Firstly, it erodes trust in the fundamental components of modern software development. When foundational elements like npm packages or developer accounts from reputable vendors like Red Hat are compromised, it challenges the very fabric of secure coding practices. Developers and organizations must now operate with a heightened level of vigilance, assuming that any dependency or tool could potentially be a vector for attack.
Secondly, the shift towards targeting cloud identities (GCP, Azure) signifies an evolution in attacker motivation. Beyond simply stealing data, adversaries are increasingly focused on gaining control over cloud environments, which can offer persistent, high-privilege access to an organization’s most critical assets and infrastructure. This necessitates a re-evaluation of cloud security postures, focusing on identity and access management (IAM), continuous monitoring of cloud activity, and robust configuration management.
Finally, the sophistication of the Miasma campaign, from its obfuscated hooks and unique payload encryption to its use of Sigstore and GitHub API mutations for legitimate-looking malicious commits, indicates a significant advancement in attacker capabilities. Defending against such multi-stage, stealthy attacks requires a layered security approach that includes advanced threat detection, behavioral analysis, stringent code review processes, and proactive threat intelligence sharing across the industry. The collective efforts of security researchers in unraveling Miasma provide a blueprint for such collaboration, but the onus remains on every organization to fortify its own software supply chain defenses against an ever-adapting adversary.
