{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/miasma/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@redhat-cloud-services npm packages","GitHub Actions"],"_cs_severities":["high"],"_cs_tags":["supply-chain","credential-theft","miasma","npm"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eOn June 1, 2026, Red Hat disclosed a supply chain attack targeting more than 30 npm packages within their \u0026lsquo;@redhat-cloud-services\u0026rsquo; namespace. The attack involved injecting a new variant of the Shai-Hulud credential-stealing malware, dubbed \u0026ldquo;Miasma,\u0026rdquo; into compromised packages. This malware is designed to harvest sensitive information, including developer credentials, cloud secrets, SSH keys, CI/CD tokens, and other valuable data. Aikido and OX Security discovered the incident, noting that the affected packages receive approximately 117,000 weekly downloads. Red Hat has removed the malicious packages from the npm registry. The attacker allegedly compromised a Red Hat employee\u0026rsquo;s GitHub account to push malicious commits. Miasma has been found in 309 GitHub repositories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a Red Hat employee\u0026rsquo;s GitHub account.\u003c/li\u003e\n\u003cli\u003eMalicious commits are pushed to multiple repositories via the compromised GitHub account.\u003c/li\u003e\n\u003cli\u003eA GitHub Actions workflow is added to the repositories.\u003c/li\u003e\n\u003cli\u003eA script is introduced to abuse npm\u0026rsquo;s publishing mechanism.\u003c/li\u003e\n\u003cli\u003eThe workflow installs Bun and executes \u003ccode\u003e_index.js\u003c/code\u003e, passing a list of target packages via the \u003ccode\u003eOIDC_PACKAGES\u003c/code\u003e environment variable.\u003c/li\u003e\n\u003cli\u003eThe script uses the \u003ccode\u003eid-token: write\u003c/code\u003e permission to request a short-lived OIDC token from GitHub.\u003c/li\u003e\n\u003cli\u003eThe OIDC token authenticates directly with npm\u0026rsquo;s trusted publishing endpoint.\u003c/li\u003e\n\u003cli\u003eBackdoored versions of the packages are published, containing a \u0026lsquo;preinstall\u0026rsquo; script executing a heavily obfuscated \u003ccode\u003eindex.js\u003c/code\u003e to steal secrets.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack could lead to the theft of sensitive developer credentials, cloud secrets (AWS, Google Cloud, Azure), SSH keys, CI/CD tokens, HashiCorp Vault tokens, Kubernetes service account tokens, npm and PyPI publishing tokens, Docker credentials, GPG keys, and \u003ccode\u003e.env\u003c/code\u003e files. Over 30 npm packages and 96 versions under the \u003ccode\u003e@redhat-cloud-services\u003c/code\u003e namespace were affected, with approximately 117,000 weekly downloads. This could result in widespread compromise of internal development tools and potentially impact customer and partner environments if credentials used in those environments were compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRotate all credentials, secrets, and tokens utilized by code on any infected device (as per the report\u0026rsquo;s recommendations).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for detection of npm package preinstall script execution to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor GitHub Actions workflows for suspicious activity, specifically the use of \u003ccode\u003eid-token: write\u003c/code\u003e permission, as described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) on all developer accounts, especially GitHub, to prevent account compromise (as indicated by the initial access vector).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T21:39:36Z","date_published":"2026-06-01T21:39:36Z","id":"https://feed.craftedsignal.io/briefs/2026-06-redhat-npm-miasma/","summary":"A supply chain attack compromised over 30 npm packages under Red Hat's '@redhat-cloud-services' namespace, distributing a credential-stealing malware variant named 'Miasma' that targets sensitive developer information.","title":"Red Hat npm Packages Compromised by Miasma Malware","url":"https://feed.craftedsignal.io/briefs/2026-06-redhat-npm-miasma/"}],"language":"en","title":"CraftedSignal Threat Feed — Miasma","version":"https://jsonfeed.org/version/1.1"}