HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Miasma Supply Chain Attack Compromises Red Hat npm Packages, Deploys Credential‑Stealing Worm

A supply‑chain campaign named Miasma has poisoned Red Hat Cloud Services npm packages, installing a credential‑stealing worm on developer machines and spreading through CI/CD pipelines. The threat expands third‑party risk for any organization that consumes these packages, demanding immediate remediation and credential rotation.

LiveThreat™ Intelligence · 📅 June 02, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
5 recommended
📰
Source
thehackernews.com

Miasma Supply Chain Attack Compromises Red Hat npm Packages, Deploys Credential‑Stealing Worm

What Happened — A newly identified supply‑chain campaign dubbed Miasma injected malicious code into Red Hat Cloud Services npm packages. The compromised packages install a credential‑stealing worm on developer machines, harvest secrets, and propagate through CI/CD pipelines.

Why It Matters for TPRM

  • Third‑party code you rely on can become a conduit for credential theft across your entire development ecosystem.
  • Compromise of a widely used cloud‑native package expands the attack surface beyond a single vendor to any downstream customer.
  • Early detection is difficult; the worm operates silently during install time, making traditional endpoint alerts insufficient.

Who Is Affected — Technology & SaaS firms, cloud‑hosting providers, DevOps teams, and any organization that consumes Red Hat npm packages (spanning finance, healthcare, retail, etc.).

Recommended Actions

  • Immediately audit all projects that depend on Red Hat Cloud Services npm modules.
  • Freeze or rollback to known‑good versions until the vendor releases a clean package.
  • Enforce strict CI/CD hygiene: signed packages, provenance verification, and isolated build environments.
  • Rotate any credentials that may have been exposed and monitor for anomalous activity.

Technical Notes — The worm is delivered via a malicious post‑install script in the npm package, executes on install, harvests SSH keys, API tokens, and cloud credentials, then encrypts and exfiltrates them to a C2 server. It also attempts lateral movement by injecting itself into other npm packages in the same repository. No public CVE is associated; the attack leverages supply‑chain dependency trust. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →