logo

Miasma: Supply Chain Attack Targeting RedHat npm Packages

ID: 8bf46021-6f1b-514e-ad49-2194f8472525

STIX ID: report--8bf46021-6f1b-514e-ad49-2194f8472525

Feed Name: Wiz Blog

Threat Score
85/100

Date Published: 2026-06-01

Date Updated: 2026-06-03

Author: Merav Bar

...
...

On 1 June 2026 Wiz Research reported a supply‑chain compromise affecting packages under the @redhat-cloud-services npm namespace: at least 32 malicious package releases (≈80k weekly downloads) included obfuscated, installation‑time payloads ("Miasma") derived from Mini Shai‑Hulud that collect cloud identities (GCP/Azure) and secrets. The root cause appears to be a compromised Red Hat employee GitHub account that pushed orphan commits and malicious GitHub Actions requesting OIDC tokens to publish packages with valid SLSA attestations. Organizations are advised to investigate developer workstations, CI/CD systems, rotate exposed credentials, audit affected packages/workflows, and apply supply‑chain protections such as allowlisting, SBOMs, and package verification.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.