logo

What the Miasma campaign reveals about the new supply chain threat model and the underground market for developer credentials

ID: 2086a75d-a17e-547b-b5b1-be0d4c7fcf1a

STIX ID: report--2086a75d-a17e-547b-b5b1-be0d4c7fcf1a

Feed Name: Tenable Blog

Threat Score
92/100

Date Published: 2026-06-23

Date Updated: 2026-06-23

Author: Research Special Operations

...
...

Tenable’s report outlines the Miasma supply-chain campaign: a self-propagating npm worm (derived from the open-sourced Mini Shai-Hulud) that used a stolen Red Hat GitHub credential—which sat in infostealer logs for seven weeks—to poison dozens of official npm packages across three waves, produce valid SLSA provenance-signed malicious builds, harvest additional developer and cloud credentials, and introduce a novel persistence vector targeting AI coding assistants; the report frames this as evidence of an emergent Developer Credential Economy and recommends CTEM-style controls, continuous dark-web credential monitoring and human-gated publishing to disrupt the attack chain.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.