Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm

A sophisticated software supply chain attack has compromised multiple Red Hat-associated npm packages, allowing attackers to steal sensitive credentials, infect developer environments, and potentially spread malware across software development ecosystems.

Security researchers have identified the campaign, dubbed Miasma, as a new variant inspired by previous Mini Shai-Hulud attacks. The operation targets developers and CI/CD environments by embedding malicious code within trusted open-source packages.

Multiple Red Hat npm Packages Found Compromised

Researchers discovered that several packages published under the @redhat-cloud-services namespace had been modified to include malicious code designed to execute automatically during installation.

Among the affected packages were libraries commonly used in cloud management, remediation, inventory management, and access control workflows.

The malware activates through a concealed installation script that launches as soon as the package is installed, allowing it to operate before developers are aware of any compromise.

Malware Targets Credentials and Development Secrets

According to security analyses, the malicious payload is engineered to harvest a wide range of sensitive information from infected systems.

The malware seeks access to:

  • GitHub Actions secrets
  • npm authentication tokens
  • Cloud provider credentials
  • Kubernetes configuration data
  • SSH keys
  • Git credentials
  • Secrets management platform tokens
  • Development environment configuration files

Researchers warn that the collected information could enable attackers to gain unauthorized access to software repositories, cloud infrastructure, and deployment pipelines.

Self-Propagating Capabilities Raise Concerns

One of the most alarming aspects of the Miasma campaign is its worm-like behavior.

After stealing credentials, the malware attempts to use those permissions to compromise additional repositories and software projects. It can inject malicious workflows into source code repositories and potentially distribute infected packages further downstream.

Security experts say this propagation strategy mirrors techniques previously observed in the Mini Shai-Hulud malware family, where trusted software supply chains become vehicles for wider compromise.

Advanced Evasion and Persistence Techniques

The malware includes several features designed to avoid detection and maintain long-term access.

Investigators found that the code can:

  • Detect common endpoint security tools
  • Avoid execution on Russian-language systems
  • Establish persistence within developer tools
  • Modify project configurations to relaunch automatically
  • Generate uniquely encrypted payloads for each victim

The use of customized encryption for every infection makes traditional signature-based detection significantly more difficult.

Researchers also observed attempts to embed malicious tasks into development environments, ensuring the malware remains active even after the original package is removed.

Cloud Identity Theft Emerging as Key Objective

Security analysts noted a major evolution in the latest Miasma variant: an increased focus on cloud identity collection.

Rather than simply stealing secrets and API keys, the malware actively gathers information about cloud accounts and identities accessible from infected systems. This approach suggests attackers may be seeking broader access to enterprise cloud environments.

Experts believe the campaign demonstrates a shift toward exploiting identity-based access as organizations continue migrating critical workloads to cloud platforms.

Suspected Initial Breach Linked to Developer Account

Investigators believe the attack may have originated from the compromise of a developer account connected to Red Hat repositories.

Evidence suggests unauthorized access allowed attackers to introduce malicious code into package release workflows while bypassing standard review processes.

Additional threat intelligence indicates credentials and session data associated with a Red Hat account may have appeared in infostealer logs weeks before the malicious packages were published.

While the exact identity of the threat actors remains unknown, researchers note that publicly available attack frameworks previously released by cybercriminal groups have made attribution increasingly difficult.

Organizations Urged to Act Immediately

Security teams are being advised to identify systems that installed affected package versions and take immediate containment measures.

Recommended response actions include:

  • Isolating impacted endpoints
  • Removing compromised package versions
  • Rotating all potentially exposed credentials
  • Reviewing repository activity for unauthorized changes
  • Auditing cloud accounts for suspicious access
  • Inspecting CI/CD pipelines for malicious workflows
  • Checking developer environments for persistence mechanisms

Experts caution that simply uninstalling the affected packages may not fully remove the threat due to the malware’s persistence capabilities.

Latest in Growing Wave of Supply Chain Threats

The Miasma incident is the latest in a series of attacks targeting open-source ecosystems and software development infrastructure.

Recent campaigns have increasingly focused on compromising trusted development tools, package repositories, code extensions, and CI/CD workflows. Security agencies and industry experts warn that these attacks represent a growing risk to organizations that rely heavily on open-source software and automated development pipelines.

As software supply chains become more interconnected, researchers expect attackers to continue exploiting trusted platforms to gain access to larger numbers of organizations through a single compromise.
