NewsSecurity

Miasma Attack Poisons 32 Red Hat npm Packages — And SLSA Didn’t Help

18 views0
Cracked npm registry hexagon logo with malware worm emerging, representing the Miasma Red Hat supply chain attack
ByteBotBy
Share

A supply chain attack called “Miasma: The Spreading Blight” compromised 32 npm packages under Red Hat’s @redhat-cloud-services namespace — packages downloaded nearly 117,000 times per week. Wiz Research disclosed the attack on June 1 after discovering that a compromised Red Hat employee GitHub account was used to inject malicious CI/CD workflows. The kicker: every tainted package shipped with valid SLSA provenance attestations. The standard supply chain defenses passed it right through.

How the Attack Unfolded

The attacker gained access to a Red Hat employee’s GitHub account and used it to push unauthorized commits directly to two RedHatInsights repositories, bypassing code review. Those commits injected GitHub Actions workflows that requested OIDC identity tokens — the same mechanism used for trusted publishing — then executed a 4.2 MB obfuscated payload that got bundled into 32 package releases across 96 versions.

The first wave hit at 10:53 UTC on June 1. A second wave followed at 13:44 UTC targeting the same repositories with different OIDC identifiers. Evidence suggests the attacker was already testing the approach on May 29, giving the malicious packages three days of distribution before discovery.

What Gets Stolen

The malware — a variant of the Mini Shai-Hulud framework, rebranded with Greek mythology references — runs automatically during npm install via a preinstall hook. Once triggered, it vacuums up credentials from across the system:

  • AWS access keys and session tokens
  • Azure service principals and managed identity tokens
  • GCP credentials and service account keys
  • GitHub Actions secrets (GITHUB_TOKEN, ACTIONS_RUNTIME_TOKEN)
  • HashiCorp Vault tokens and Kubernetes kubeconfig files
  • npm and PyPI publish tokens
  • SSH private keys, Docker credentials, GPG keys
  • Bitwarden and 1Password vault contents

That last item deserves a second read. This isn’t just CI/CD tokens — it goes after password managers. Exfiltrated data is sent to an endpoint disguised as api.anthropic[.]com:443/v1/api, with GitHub repositories as a fallback. Each infection gets a uniquely encrypted payload, making hash-based detection useless.

The worm also establishes persistence by injecting into VS Code and Claude Code configurations, and it attempts to propagate to other packages maintained by infected developers. If someone on your team maintains open source packages and ran a compromised npm install, their downstream packages are a target too.

The SLSA Problem Nobody Wants to Say Out Loud

SLSA provenance attestations have been the industry’s go-to answer for supply chain security over the past two years. The pitch: cryptographic proof that a package was built by a specific repository’s pipeline. Hard to fake. Trustworthy.

Miasma is the third major SLSA bypass in 2026. The Axios attack in March compromised 83 million weekly downloads — SLSA Level 2 was in place. TanStack in May produced 84 malicious package versions with valid SLSA Build Level 3 attestations by extracting OIDC tokens from runner memory. Now Miasma uses a compromised employee account to run a legitimate pipeline that legitimately signs malicious packages.

The fundamental problem: SLSA attests the build process, not whether the build was authorized. A trusted pipeline running unauthorized code produces valid provenance. Security tooling sees green. Meanwhile, your AWS keys are already gone.

This attack wave is also running on a democratized toolkit. The original Mini Shai-Hulud creators open-sourced their malware framework, and Miasma is a copycat campaign using the same core architecture with new branding. The bar to launch a SLSA-bypassing supply chain attack is now dangerously low.

What You Need to Do Now

If any developer workstation, CI/CD pipeline, or container image ran npm install with @redhat-cloud-services packages between May 29 and June 1, treat credentials as compromised:

  1. Rotate everything: GitHub tokens, SSH keys, npm tokens, cloud credentials (AWS/Azure/GCP), Vault tokens, Kubernetes configs, Docker credentials
  2. Isolate affected machines and audit GitHub Actions logs for unauthorized OIDC token requests
  3. Check VS Code and Claude Code configs for injected persistence artifacts
  4. Downgrade or remove compromised package versions — deleting node_modules is not enough since the preinstall script already ran
  5. Check your own packages: if you maintain npm packages, verify the worm did not propagate through your publish pipeline

Red Hat has published an official advisory with the full list of affected packages and versions. Aikido Security flagged this as a 100/100 critical malware issue.

The Larger Pattern

This is the fifth significant npm/GitHub supply chain attack since March 2026, and the same threat actor group, TeamPCP, runs through most of them. The GitHub internal breach in May — 3,800 internal repositories exfiltrated via a poisoned VS Code extension — used the same playbook: attack the build pipeline, not the package.

npm 11.15.0 added a mandatory 2FA approval gate that blocks stolen CI token publishes, a direct response to the TanStack attack. Miasma predates that fix, and universal adoption of the new npm version is still weeks away. Until then, SLSA provenance attestations should be treated as one signal among many, not a guarantee.

Provenance attestation is table stakes. It is not a finish line.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
    Previous

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:News