Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
ID: a0ee1a97-06fb-5c5d-b6d8-5dbd71aa91cb
STIX ID: report--a0ee1a97-06fb-5c5d-b6d8-5dbd71aa91cb
Feed Name: The Hacker News
A supply-chain campaign named Miasma injected obfuscated preinstall hooks into multiple @redhat-cloud-services npm packages. The hooks harvest GitHub Actions secrets, npm tokens, cloud credentials, SSH/Git keys and other sensitive files, exfiltrate the encrypted data to api.anthropic.com:443/v1/api with GitHub used as a fallback, and commit artifacts labelled "Miasma:The Spreading Blight". The malware also includes developer-tool and CI persistence mechanisms and worm-like propagation capabilities. Evidence points to a Red Hat GitHub account compromise as patient zero, with activity observed since late May 2026.
