Miasma Worm Backdoors 32 Red Hat @redhat-cloud-services npm Packages via Compromised Employee GitHub Account, Exfiltrates AWS/GCP/Azure Credentials

On June 1, a supply-chain attack dubbed 'Miasma: The Spreading Blight' compromised 32 package releases under the @redhat-cloud-services npm namespace — averaging ~80,000 weekly downloads — after a Red Hat employee's GitHub account was hijacked. The attacker injected malicious GitHub Actions OIDC workflows to publish backdoored packages with valid SLSA provenance attestations, embedding a preinstall script that auto-executes a credential-stealing worm harvesting AWS, GCP, Azure, SSH keys, GitHub tokens, CI/CD secrets, and crypto wallets. A new addition over prior Shai-Hulud variants: dedicated collectors that enumerate all cloud identities the infected host can assume — shifting from static secret theft to cloud control-plane takeover. Any environment that installed affected versions on or after June 1 should rotate all CI secrets, cloud credentials, and npm tokens immediately; remove persistence before revoking tokens to avoid a destructive wipe triggered by the malware's gh-token-monitor.

A new addition over prior Shai-Hulud variants: dedicated collectors that enumerate all cloud identities the infected host can assume — shifting from static secret theft to cloud control-plane takeover.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.