Miasma: Supply Chain Attack Targeting RedHat npm Packages
ID: 8bf46021-6f1b-514e-ad49-2194f8472525
STIX ID: report--8bf46021-6f1b-514e-ad49-2194f8472525
Feed Name: Wiz Blog
On 1 June 2026 Wiz Research reported a supply‑chain compromise affecting packages under the @redhat-cloud-services npm namespace: at least 32 malicious package releases (≈80k weekly downloads) included obfuscated, installation‑time payloads ("Miasma") derived from Mini Shai‑Hulud that collect cloud identities (GCP/Azure) and secrets. The root cause appears to be a compromised Red Hat employee GitHub account that pushed orphan commits and malicious GitHub Actions requesting OIDC tokens to publish packages with valid SLSA attestations. Organizations are advised to investigate developer workstations, CI/CD systems, rotate exposed credentials, audit affected packages/workflows, and apply supply‑chain protections such as allowlisting, SBOMs, and package verification.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
