Miasma Supply Chain Campaign Backdoors 32 Red Hat @redhat-cloud-services npm Packages via Compromised CI/CD Pipeline

On June 1, a threat actor compromised a Red Hat employee's GitHub account and abused npm's GitHub Actions OIDC trusted publishing to inject the Miasma credential-stealing worm — a new variant of the open-sourced Mini Shai-Hulud malware — into 96 versions across 32 official @redhat-cloud-services packages averaging ~80,000 weekly downloads. The malware executes at install-time via a preinstall hook, sweeps for AWS, GCP, and Azure credentials, CI/CD secrets, SSH keys, npm and GitHub tokens, and self-propagates by republishing backdoored versions to other packages the compromised identity can publish. A critical new capability in this variant enumerates all cloud identities the infected host can assume — not just static secrets — and includes a destructive token monitor that wipes the user's home directory if a stolen GitHub token is revoked before persistence is removed; incident responders must isolate and scrub persistence before rotating any credentials.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.