What the Miasma campaign reveals about the new supply chain threat model and the underground market for developer credentials
ID: 2086a75d-a17e-547b-b5b1-be0d4c7fcf1a
STIX ID: report--2086a75d-a17e-547b-b5b1-be0d4c7fcf1a
Feed Name: Tenable Blog
Tenable’s report outlines the Miasma supply-chain campaign: a self-propagating npm worm (derived from the open-sourced Mini Shai-Hulud) that used a stolen Red Hat GitHub credential—which sat in infostealer logs for seven weeks—to poison dozens of official npm packages across three waves, produce valid SLSA provenance-signed malicious builds, harvest additional developer and cloud credentials, and introduce a novel persistence vector targeting AI coding assistants; the report frames this as evidence of an emergent Developer Credential Economy and recommends CTEM-style controls, continuous dark-web credential monitoring and human-gated publishing to disrupt the attack chain.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
