Preinstall to Persistence: Red Hat npm “Miasma” Campaign Steals Developer Credentials Across Supply Chain
What Happened — A threat actor published malicious npm packages that leverage preinstall scripts to gain persistence on systems running Red Hat‑based Node.js environments. The packages harvest SSH keys, npm tokens, and cloud‑provider credentials, then exfiltrate them to command‑and‑control servers.
Why It Matters for TPRM —
- Supply‑chain compromise can bypass traditional perimeter defenses, exposing downstream vendors and customers.
- Stolen credentials enable lateral movement into critical workloads hosted on Red Hat OpenShift, Kubernetes, or cloud IaaS.
- The campaign demonstrates a “pre‑install‑to‑persistence” pattern that can affect any organization that relies on third‑party npm modules.
Who Is Affected — Enterprises using Red Hat Enterprise Linux, OpenShift, or any Red Hat‑based container platform; SaaS providers that ship Node.js runtimes; development teams that consume public npm packages.
Recommended Actions —
- Audit all npm dependencies for known malicious packages and enforce signed package policies.
- Implement runtime integrity checks for preinstall scripts and restrict their execution.
- Rotate any exposed SSH keys, npm tokens, and cloud credentials; enable MFA where possible.
- Require vendors to provide supply‑chain security attestations and continuous SBOM monitoring.
Technical Notes — The attackers embed malicious code in the preinstall lifecycle hook of npm packages, a legitimate feature that runs before a package is installed. No public CVE is associated with the campaign; the vector is abuse of a third‑party dependency. Stolen data includes SSH private keys, npm authentication tokens, AWS/GCP service account keys, and internal Git credentials.
Source: Microsoft Security Blog