Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign
ID: c6a89d7f-f15f-56f6-a200-31b680665989
STIX ID: report--c6a89d7f-f15f-56f6-a200-31b680665989
Feed Name: Microsoft Security
Date Published: 2026-06-03
Date Updated: 2026-06-03
Author: Microsoft Defender Security Research Team
Microsoft Threat Intelligence discovered a large-scale npm supply-chain attack in which 32 packages under the @redhat-cloud-services scope were trojanized via a compromised CI/CD publishing workflow. The malicious preinstall hook executed an obfuscated dropper that fetched the Bun runtime and deployed a cross-platform credential-harvesting and propagation payload. The payload scrapes CI runner memory, steals cloud and repo credentials, republishes poisoned packages with forged provenance, and includes a destructive wiper.
