MIASMA: RED HAT NPM SUPPLY CHAIN COMPROMISE CAMPAIGN

Tags: Miasma, Red Hat, @redhat-cloud-services, npm, supply chain attack, Shai-Hulud, Mini Shai-Hulud, credential stealer, GitHub Actions OIDC, npm lifecycle script, preinstall hook, CI/CD compromise, developer credentials, cloud secrets
Miasma is a Mini Shai-Hulud-derived npm supply-chain campaign that compromised official @redhat-cloud-services packages and executed a credential-stealing worm during package installation. Public reporting confirms 96 compromised versions across 32 packages, with developer credentials, cloud secrets, SSH keys, CI/CD tokens, and npm tokens treated as exposed if affected versions were installed.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION/DETECTION

Miasma npm Supply Chain Campaign — MITRE ATT&CK Detection Table

Technique: T1195.001 – Compromise Software Dependencies and Development Tools
Tactic: Initial Access (TA0001)
Detection Strategy: DET0511 – Detect Malicious Package Installation via Supply Chain
Analytic: AN-MIA-001 – Monitor package-lock.json, pnpm-lock.yaml, yarn.lock, CI logs, and package caches for affected @redhat-cloud-services packages and versions. Alert on newly published versions from trusted scopes that introduce lifecycle scripts.

Technique: T1059.007 – Command and Scripting Interpreter: JavaScript
Tactic: Execution (TA0002)
Detection Strategy: DET0332 – Detect Suspicious npm Lifecycle Script Execution
Analytic: AN-MIA-002 – Alert when npm install, npm ci, yarn, or pnpm runs node index.js from a package that should contain only types, clients, or static frontend assets.

Technique: T1027 – Obfuscated Files or Information
Tactic: Defense Evasion (TA0005)
Detection Strategy: DET0013 – Detect Obfuscated Installer and Staged Payload Patterns
Analytic: AN-MIA-003 – Identify large numeric arrays, ROT-style transforms, eval patterns, AES-GCM blob decoding, and temporary payload writes under /tmp/p*.js or similar paths.

Technique: T1105 – Ingress Tool Transfer
Tactic: Command and Control (TA0011)
Detection Strategy: DET0209 – Detect Unauthorized Bun Runtime Staging
Analytic: AN-MIA-004 – Monitor downloads or execution of Bun from npm lifecycle contexts, especially /tmp/b-*/bun, /tmp/b-*/bun.exe, /tmp/b-*/b.zip, and /tmp/.bun_ran.

Technique: T1552.001 – Unsecured Credentials: Credentials In Files
Tactic: Credential Access (TA0006)
Detection Strategy: DET0412 – Detect Credential File Harvesting by Node or Bun Processes
Analytic: AN-MIA-005 – Alert on node, bun, or package-manager child processes reading .npmrc, SSH keys, GitHub tokens, cloud credentials, Kubernetes config, Vault tokens, or CI secret files.

Technique: T1083 – File and Directory Discovery
Tactic: Discovery (TA0007)
Detection Strategy: DET0107 – Detect Broad Developer Workstation and CI File Discovery
Analytic: AN-MIA-006 – Track recursive enumeration of home directories, repository folders, package caches, and CI workspaces immediately after package installation.

Technique: T1567.001 – Exfiltration to Code Repository
Tactic: Exfiltration (TA0010)
Detection Strategy: DET0310 – Detect GitHub Dead-Drop and Disguised Exfiltration Behavior
Analytic: AN-MIA-007 – Inspect outbound requests to GitHub search APIs and unusual API endpoints after npm install. Correlate with repository descriptions or paths containing "Miasma: The Spreading Blight" and results/results-*.json.

Technique: T1078 – Valid Accounts
Tactic: Initial Access (TA0001)
Detection Strategy: DET0074 – Detect Suspicious CI/CD Identity Use for npm Publishing
Analytic: AN-MIA-008 – Monitor GitHub Actions OIDC publishing events, unusual maintainers, unexpected workflow changes, and package publication activity outside normal release patterns.
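
The lockfile and manifest checks described in AN-MIA-001 and AN-MIA-002, written out as an added example (this is not code from Red Hat, npm or the campaign page). It assumes an npm lockfile of version 2 or 3 (the "packages" map), relies on the real `hasInstallScript` flag npm writes for packages that define install-time hooks, and uses a placeholder affected-version map because the page does not reproduce the 96 affected versions; the package names in the sample data are made up.

```javascript
// Added example (not code from Red Hat, npm or the campaign): audit a
// package-lock.json (lockfileVersion 2 or 3, "packages" map) and an installed
// package's package.json for the signals named in AN-MIA-001 and AN-MIA-002.

// Lifecycle hooks that npm runs automatically during installation.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Scope that public reporting names as compromised in this campaign.
const WATCHED_SCOPE = '@redhat-cloud-services/';

// PLACEHOLDER: the page does not reproduce the 96 affected versions. Fill this
// map from the vendor advisory before use; the single entry below is made up.
const AFFECTED_VERSIONS = {
  '@redhat-cloud-services/placeholder-client': new Set(['9.9.9']),
};

// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// AN-MIA-001: report exact matches against the affected-version list, and any
// package from the watched scope whose lock entry carries hasInstallScript
// (npm sets that flag when the manifest defines an install-time hook).
function auditLockfile(lockfile, affected = AFFECTED_VERSIONS) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    if (lockPath === '') continue; // root project entry
    const name = meta.name || packageNameFromPath(lockPath);
    const version = meta.version;
    const known = Object.prototype.hasOwnProperty.call(affected, name) && affected[name].has(version);
    if (known) {
      findings.push({ name, version, reason: 'known-affected-version' });
    } else if (name.startsWith(WATCHED_SCOPE) && meta.hasInstallScript === true) {
      findings.push({ name, version, reason: 'trusted-scope-install-script' });
    }
  }
  return findings;
}

// AN-MIA-002: report lifecycle hooks that launch a JavaScript runtime (node or
// bun) on a file inside the package, e.g. "preinstall": "node index.js".
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    if (/(^|[\s;&|])(node|bun)(\.exe)?(?=\s|$)/.test(command)) {
      findings.push({ name: manifest.name, hook, command });
    }
  }
  return findings;
}

// Constructed sample inputs (not real lockfile or manifest contents).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/placeholder-client': { version: '9.9.9', hasInstallScript: true },
    'node_modules/@redhat-cloud-services/placeholder-types': { version: '2.0.0', hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};
const SAMPLE_MANIFEST = {
  name: '@redhat-cloud-services/placeholder-types',
  version: '2.0.0',
  types: 'index.d.ts',
  scripts: { preinstall: 'node index.js', build: 'tsc' },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and each `node_modules/<pkg>/package.json`. The second check is the one that matters for pre-existing installs: a types-only or client-only package gains nothing legitimate from a preinstall hook, so any hit deserves manual review. Installing with `npm ci --ignore-scripts` (or the equivalent package-manager setting) prevents lifecycle hooks from running at all and is the direct mitigation for the execution step this campaign relied on.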

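The host-side analytics AN-MIA-003, AN-MIA-004 and AN-MIA-005 expressed as rules over process and file events, as an added example that is not part of the original page. The event shape (`ts`, `comm`, `ancestors`, `action`, `path`) is an assumption chosen for illustration, the sample telemetry is constructed, and the credential file paths are the standard on-disk locations for the credential types the analytic names.

```javascript
// Added example (not code from Red Hat or the campaign): apply the host-side
// analytics AN-MIA-003, AN-MIA-004 and AN-MIA-005 to process and file events.
// The event shape { ts, comm, ancestors, action, path } is assumed here for
// illustration; map your EDR or auditd fields onto it.

// Processes whose descendants are considered to run in an npm lifecycle context.
const INSTALL_CONTEXT = new Set(['npm', 'npx', 'yarn', 'pnpm', 'node']);
const JS_RUNTIMES = new Set(['node', 'bun']);

// AN-MIA-004: Bun staging paths listed in the analytic.
const BUN_STAGING = [/^\/tmp\/b-[^/]+\/(bun|bun\.exe|b\.zip)$/, /^\/tmp\/\.bun_ran$/];

// AN-MIA-003: temporary payload writes under /tmp/p*.js.
const STAGED_PAYLOAD = /^\/tmp\/p[^/]*\.js$/;

// AN-MIA-005: well-known on-disk locations of the credential types named
// (npm token, SSH keys, GitHub tokens, cloud, Kubernetes, Vault).
const CREDENTIAL_FILES = [
  /\/\.npmrc$/,
  /\/\.ssh\/id_[^/]+$/,
  /\/\.git-credentials$/,
  /\/\.config\/gh\/hosts\.yml$/,
  /\/\.aws\/credentials$/,
  /\/\.kube\/config$/,
  /\/\.vault-token$/,
];

function matchesAny(patterns, filePath) {
  return patterns.some((re) => re.test(filePath));
}

// Returns one finding per matching event, tagged with the analytic it satisfies.
function evaluateEvents(events) {
  const findings = [];
  for (const ev of events) {
    // Only events whose process ancestry includes a package manager are in scope;
    // a developer's own shell-launched node process is not.
    if (!ev.ancestors.some((a) => INSTALL_CONTEXT.has(a))) continue;

    if ((ev.action === 'exec' || ev.action === 'write') && matchesAny(BUN_STAGING, ev.path)) {
      findings.push({ analytic: 'AN-MIA-004', ts: ev.ts, comm: ev.comm, path: ev.path });
    } else if (ev.action === 'write' && STAGED_PAYLOAD.test(ev.path)) {
      findings.push({ analytic: 'AN-MIA-003', ts: ev.ts, comm: ev.comm, path: ev.path });
    } else if (ev.action === 'open' && JS_RUNTIMES.has(ev.comm) && matchesAny(CREDENTIAL_FILES, ev.path)) {
      findings.push({ analytic: 'AN-MIA-005', ts: ev.ts, comm: ev.comm, path: ev.path });
    }
  }
  return findings;
}

// Constructed sample telemetry (not captured from a real host).
const SAMPLE_EVENTS = [
  { ts: 1, comm: 'bun',  ancestors: ['sh', 'node'], action: 'exec',  path: '/tmp/b-a1b2c3/bun' },
  { ts: 2, comm: 'node', ancestors: ['sh', 'node'], action: 'write', path: '/tmp/p4f2a.js' },
  { ts: 3, comm: 'bun',  ancestors: ['node'],       action: 'open',  path: '/home/dev/.npmrc' },
  { ts: 4, comm: 'node', ancestors: ['bash'],       action: 'open',  path: '/home/dev/.aws/credentials' },
  { ts: 5, comm: 'node', ancestors: ['sh', 'npm'],  action: 'open',  path: '/home/dev/app/package.json' },
  { ts: 6, comm: 'node', ancestors: ['sh', 'node'], action: 'write', path: '/tmp/.bun_ran' },
];

console.log(JSON.stringify(evaluateEvents(SAMPLE_EVENTS), null, 2));
```

The ancestry check is what keeps the false-positive rate tolerable: node itself reading `~/.aws/credentials` is routine for a developer's own tooling, but the same read from a process spawned under npm during an install is exactly the AN-MIA-005 behaviour. Because npm is itself a node process, `node` appears in the ancestry set; in a real deployment tighten that with the parent's command line so that only install and ci invocations qualify.
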
Observed Countries (250)

AD (319), AE (42), AF (417), AG (472), AI (416), AL (700), AM (329), AO (902), AQ (3), AR (608), AS (497), AT (292),
AU (317), AW (686), AX (445), AZ (752), BA (526), BB (66), BD (625), BE (485), BF (809), BG (286), BH (752), BI (402),
BJ (113), BL (805), BM (338), BN (411), BO (584), BQ (900), BR (403), BS (867), BT (532), BV (756), BW (166), BY (61),
BZ (16), CA (155), CC (857), CD (681), CF (389), CG (580), CH (97), CI (411), CK (32), CL (267), CM (297), CN (679),
CO (580), CR (694), CU (857), CV (309), CW (457), CX (58), CY (456), CZ (405), DE (625), DJ (652), DK (521), DM (843),
DO (599), DZ (798), EC (697), EE (650), EG (491), EH (24), ER (818), ES (758), ET (814), FI (52), FJ (29), FK (411),
FM (654), FO (109), FR (775), GA (914), GB (341), GD (203), GE (367), GF (142), GG (944), GH (159), GI (836), GL (125),
GM (773), GN (601), GP (334), GQ (941), GR (906), GS (726), GT (531), GU (3), GW (396), GY (990), HK (766), HM (953),
HN (525), HR (892), HT (809), HU (487), ID (126), IE (510), IL (107), IM (281), IN (94), IO (274), IQ (223), IR (838),
IS (824), IT (686), JE (283), JM (431), JO (189), JP (238), KE (501), KG (196), KH (113), KI (310), KM (358), KN (869),
KP (66), KR (555), KW (425), KY (598), KZ (234), LA (65), LB (337), LC (532), LI (825), LK (425), LR (598), LS (12),
LT (339), LU (289), LV (56), LY (381), MA (32), MC (493), MD (916), ME (679), MF (421), MG (720), MH (32), MK (842),
ML (296), MM (122), MN (878), MO (971), MP (637), MQ (504), MR (401), MS (209), MT (677), MU (528), MV (131), MW (726),
MX (299), MY (992), MZ (322), NA (253), NC (400), NE (45), NF (624), NG (614), NI (934), NL (575), NO (882), NP (488),
NR (240), NU (896), NZ (559), OM (658), PA (651), PE (17), PF (952), PG (695), PH (519), PK (126), PL (729), PM (508),
PN (214), PR (670), PS (855), PT (509), PW (196), PY (548), QA (398), RE (675), RO (785), RS (779), RU (483), RW (479),
SA (69), SB (552), SC (555), SD (939), SE (135), SG (520), SH (428), SI (933), SJ (905), SK (581), SL (571), SM (395),
SN (835), SO (316), SR (852), SS (787), ST (65), SV (124), SX (275), SY (628), SZ (60), TC (14), TD (470), TF (58),
TG (615), TH (123), TJ (326), TK (539), TL (131), TM (864), TN (30), TO (147), TR (903), TT (482), TV (484), TW (515),
TZ (108), UA (926), UG (713), UM (683), US (174), UY (184), UZ (971), VA (712), VC (926), VE (565), VG (194), VI (796),
VN (43), VU (836), WF (32), WS (972), XK (362), YE (709), YT (881), ZA (891), ZM (663), ZW (772)