Miasma Malware Targets Red Hat Npm Packages in New Supply Chain Attack


The Cyber Express
Jun 2, 2026

Why It Matters

Miasma demonstrates how attackers can weaponize trusted developer ecosystems, threatening the integrity of CI/CD pipelines and exposing sensitive corporate credentials. The attack underscores the urgent need for stronger supply‑chain defenses across the software industry.

Key Takeaways

  • Miasma infected seven redhat-cloud-services npm packages with install‑time malware
  • Malware exfiltrates data to api.anthropic.com and commits encrypted payloads via GitHub
  • Attack searches for GitHub tokens with write access to inject signed commits
  • Detects endpoint protection tools before executing, evading CrowdStrike and others
  • Remediation requires credential rotation, workflow suspension, and deep persistence audit

Pulse Analysis

Supply‑chain attacks have evolved from high‑profile incidents like SolarWinds to more granular, developer‑focused threats. Miasma, a direct descendant of the Shai‑Hulud worm, targets npm packages under the redhat‑cloud‑services namespace, leveraging the same install‑time execution and credential‑harvesting tactics that made its predecessor so effective. By compromising a Red Hat employee’s GitHub account, the attackers gained write‑level tokens, allowing them to inject malicious code that appears as legitimate, signed commits—an approach that blends stealth with rapid propagation across open‑source ecosystems.

Technically, Miasma’s payload activates during package installation, scanning for privileged GitHub tokens before using GraphQL mutations to create commits that embed encrypted exfiltration blobs. The data is routed to api.anthropic.com, while secondary GitHub communications enable the worm‑like spread to other repositories. The malware also checks for endpoint‑protection solutions such as CrowdStrike, SentinelOne, and Carbon Black, only proceeding when defenses are absent. Persistence mechanisms include modifying Anthropic Claude hooks, creating VS Code tasks that run on folder open, and attempting sudo escalation via container bind‑mounts. These layered tactics make detection difficult and extend the threat’s lifespan beyond a single compromised package.

For organizations, the incident highlights the fragility of modern CI/CD pipelines that rely on third‑party packages. Immediate steps include rotating all potentially exposed credentials, suspending affected workflows, and conducting deep audits of configuration files and hidden persistence hooks. Longer‑term strategies must adopt zero‑trust principles for supply‑chain security: enforce strict token scopes, implement automated provenance verification for npm and GitHub artifacts, and continuously monitor for anomalous commit patterns. As attackers refine supply‑chain weaponization, proactive governance will be the decisive factor in protecting software integrity.
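As an added illustration (not code from the article, Red Hat, or the malware authors), the following Python audit walks the three persistence locations the write-up names: npm install-time lifecycle scripts in package.json, VS Code tasks that run on folder open, and Claude Code hooks. The `.claude/settings.json` hook location and the sample tree contents are assumptions constructed for the example.

```python
import json
import os
import tempfile

# Lifecycle scripts that npm executes automatically during install (real npm behaviour).
INSTALL_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}


def _load_json(path, findings):
    """Parse a JSON file; JSONC (comments) or malformed content is itself a finding for manual review."""
    try:
        with open(path) as f:
            return json.load(f)
    except (json.JSONDecodeError, UnicodeDecodeError):
        findings.append((path, "unparseable JSON (JSONC or tampered?): review manually"))
        return {}


def audit_project(root):
    """Return (path, description) tuples for install-time and on-open execution hooks under root."""
    findings = []
    pkg = os.path.join(root, "package.json")
    if os.path.isfile(pkg):
        for name, cmd in _load_json(pkg, findings).get("scripts", {}).items():
            if name in INSTALL_SCRIPTS:
                findings.append((pkg, f"npm lifecycle script '{name}': {cmd}"))
    tasks = os.path.join(root, ".vscode", "tasks.json")
    if os.path.isfile(tasks):
        for task in _load_json(tasks, findings).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append((tasks, f"VS Code task runs on folder open: {task.get('command')}"))
    claude = os.path.join(root, ".claude", "settings.json")  # assumed hooks location
    if os.path.isfile(claude):
        for event, entries in _load_json(claude, findings).get("hooks", {}).items():
            findings.append((claude, f"Claude Code hook on event '{event}': {json.dumps(entries)}"))
    return findings


def build_sample_project():
    """Constructed sample tree with one benign script and one hook in each audited location."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".vscode"))
    os.makedirs(os.path.join(root, ".claude"))
    with open(os.path.join(root, "package.json"), "w") as f:
        json.dump({"name": "sample", "scripts": {"postinstall": "node setup.js", "test": "jest"}}, f)
    with open(os.path.join(root, ".vscode", "tasks.json"), "w") as f:
        json.dump({"version": "2.0.0", "tasks": [{"label": "bg", "type": "shell", "command": "node .cache/run.js",
                                                  "runOptions": {"runOn": "folderOpen"}}]}, f)
    with open(os.path.join(root, ".claude", "settings.json"), "w") as f:
        json.dump({"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "sh .cache/h.sh"}]}]}}, f)
    return root


if __name__ == "__main__":
    for path, finding in audit_project(build_sample_project()):
        print(path, "->", finding)
```

Findings are leads for review, not verdicts: a legitimate `postinstall` or `folderOpen` task is common, so the value is in diffing the output against a known-good baseline after an incident like this one.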

