Miasma Supply Chain Attack Compromises Red Hat npm Packages, Deploys Credential‑Stealing Worm
What Happened — A newly identified supply‑chain campaign dubbed Miasma injected malicious code into Red Hat Cloud Services npm packages. The compromised packages install a credential‑stealing worm on developer machines, harvest secrets, and propagate through CI/CD pipelines.
Why It Matters for TPRM —
- Third‑party code you rely on can become a conduit for credential theft across your entire development ecosystem.
- Compromise of a widely used cloud‑native package expands the attack surface beyond a single vendor to any downstream customer.
- Early detection is difficult; the worm operates silently during install time, making traditional endpoint alerts insufficient.
Who Is Affected — Technology & SaaS firms, cloud‑hosting providers, DevOps teams, and any organization that consumes Red Hat npm packages (spanning finance, healthcare, retail, etc.).
Recommended Actions —
- Immediately audit all projects that depend on Red Hat Cloud Services npm modules.
- Freeze or rollback to known‑good versions until the vendor releases a clean package.
- Enforce strict CI/CD hygiene: signed packages, provenance verification, and isolated build environments.
- Rotate any credentials that may have been exposed and monitor for anomalous activity.
Technical Notes — The worm is delivered via a malicious post‑install script in the npm package, executes on install, harvests SSH keys, API tokens, and cloud credentials, then encrypts and exfiltrates them to a C2 server. It also attempts lateral movement by injecting itself into other npm packages in the same repository. No public CVE is associated; the attack leverages supply‑chain dependency trust. Source: The Hacker News