
Miasma Malware Hits 32 Red Hat Packages via Compromised GitHub Account

ID: d2bc59a8-393e-5c96-a155-861c484999f0

STIX ID: report--d2bc59a8-393e-5c96-a155-861c484999f0

Feed Name: HackRead

Threat Score: 90/100

Date Published: 2026-06-05

Date Updated: 2026-06-06

Author: Deeba Ahmed


On 1 June 2026, security researchers disclosed a major npm supply-chain compromise. Attackers used a compromised Red Hat developer GitHub account, together with minimal GitHub Actions workflows that requested short-lived OIDC tokens, to publish 96 malicious package versions across ~32 packages in the @redhat-cloud-services namespace. The backdoored packages contained a worm and credential stealer named Miasma, which exfiltrates cloud and SSH keys and self-propagates by republishing packages that the compromised identity can modify. Most malicious versions were quickly revoked, and vendors advised immediate credential rotation, checking lockfiles, and blocking install scripts.
