Researchers discovered a supply chain attack targeting Red Hat npm packages that deploys credential-stealing malware with worm-like propagation capabilities. The campaign, tracked as Miasma, compromised @redhat-cloud-services packages to execute malicious code during installation.
The attack operates through multiple vectors. Code runs at install time, giving attackers access to developer environments before legitimate package functionality loads. The malware harvests credentials and secrets stored on compromised machines, then targets CI/CD systems where developers typically maintain elevated access tokens. Stolen data travels through encrypted channels to attacker-controlled infrastructure, making detection harder.
The worm component enables lateral movement. Once installed on a developer machine, the malware attempts to propagate to other systems and repositories the developer can access. This self-propagating behavior amplifies the attack's reach well beyond the initial compromise.
Red Hat npm packages carry particular risk because they serve infrastructure and cloud service tooling. Developers using these packages often maintain production credentials locally or in build environments. Compromise of their machines cascades into access to company infrastructure, cloud platforms, and deployment pipelines.
The Miasma campaign shares tactics with Mini Shai-Hulud attacks, a classification describing campaigns that abuse legitimate package managers for malware distribution. Both rely on the trust developers place in official-looking packages and the frictionless execution model of npm install commands.
Organizations using @redhat-cloud-services packages should audit installation timestamps against known attack windows and inspect local credential stores for unauthorized access. Developers need to rotate any credentials present on affected machines, revoke CI/CD tokens, and review deployment logs for suspicious activity.
Supply chain attacks targeting npm remain effective because npm's execution model treats package installation as a trusted operation. Without cryptographic verification of package contents or mandatory code review, malicious packages reach targets instantly upon installation. The worm component here represents escalating attacker sophist
