Miasma Malware Compromises 32 Red Hat npm Packages, Exposing Cloud Tokens and CI/CD Secrets
What Happened — Attackers took control of a Red Hat GitHub account and injected the Miasma malware into 32 npm packages maintained by Red Hat. The malicious code harvested cloud provider tokens, CI/CD pipeline secrets, and developer credentials, and exfiltrated them to an external server.
Why It Matters for TPRM —
- Supply‑chain compromise of widely‑used open‑source components can cascade to dozens of downstream vendors and their customers.
- Exposure of cloud and CI/CD credentials enables lateral movement, data exfiltration, and ransomware deployment across the victim ecosystem.
- The incident highlights the need for continuous monitoring of third‑party software provenance and secret‑management hygiene.
Who Is Affected — Technology SaaS firms, cloud service providers, enterprises that integrate Red Hat npm packages into their development pipelines, and any downstream customers relying on those packages.
Recommended Actions —
- Conduct an immediate inventory of all Red Hat npm packages in use and verify their integrity against trusted registries.
- Rotate all cloud access tokens, CI/CD secrets, and developer credentials that may have been exposed.
- Deploy Software Bill of Materials (SBOM) and automated dependency scanning to detect malicious code early.
- Enforce strict secret‑scanning policies in repositories and CI pipelines.
Technical Notes — The attack vector was a compromised GitHub account (credential theft) leading to a supply‑chain injection. No specific CVE was cited; the malicious payload harvested API keys, AWS/GCP tokens, and SSH keys. Source: HackRead