
MIASMA RED HAT NPM SUPPLY CHAIN COMPROMISE CAMPAIGN
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION/DETECTION
Miasma npm Supply Chain Campaign — MITRE ATT&CK Detection Table
| Technique | Tactic | Detection Strategy ID | Detection Strategy Name | Analytic ID | Analytic Description |
|---|---|---|---|---|---|
| T1195.001 – Compromise Software Dependencies and Development Tools | Initial Access (TA0001) | | | AN-MIA-001 | Monitor package-lock.json, pnpm-lock.yaml, yarn.lock, CI logs, and package caches for affected @redhat-cloud-services packages and versions. Alert on newly published versions from trusted scopes that introduce lifecycle scripts. |
| | Execution (TA0002) | | | AN-MIA-002 | Alert when npm install, npm ci, yarn, or pnpm runs node index.js from a package that should contain only types, clients, or static frontend assets. |
| | Defense Evasion (TA0005) | | | AN-MIA-003 | Identify large numeric arrays, ROT-style transforms, eval patterns, AES-GCM blob decoding, and temporary payload writes under /tmp/p*.js or similar paths. |
| | Command and Control (TA0011) | | | AN-MIA-004 | Monitor downloads or execution of Bun from npm lifecycle contexts, especially /tmp/b-*/bun, /tmp/b-*/bun.exe, /tmp/b-*/b.zip, and /tmp/.bun_ran. |
| | Credential Access (TA0006) | | | AN-MIA-005 | Alert on node, bun, or package-manager child processes reading .npmrc, SSH keys, GitHub tokens, cloud credentials, Kubernetes config, Vault tokens, or CI secret files. |
| | Discovery (TA0007) | | | AN-MIA-006 | Track recursive enumeration of home directories, repository folders, package caches, and CI workspaces immediately after package installation. |
| | Exfiltration (TA0010) | | | AN-MIA-007 | Inspect outbound requests to GitHub search APIs and unusual API endpoints after npm install. Correlate with repository descriptions or paths containing "Miasma: The Spreading Blight" and results/results-*.json. |
| | Initial Access (TA0001) | | | AN-MIA-008 | Monitor GitHub Actions OIDC publishing events, unusual maintainers, unexpected workflow changes, and package publication activity outside normal release patterns. |
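As an added example that is not part of this campaign page, the following Python script implements the AN-MIA-001/002 checks over a local node_modules tree: it flags install-time lifecycle hooks in the @redhat-cloud-services scope, hooks that spawn node or bun (or reference the /tmp/b- paths from AN-MIA-004), and any hook in a declarations-only package. The package names in the constructed sample tree are hypothetical, and the hook list and interpreter tokens are heuristics assumed here rather than taken from the page.

```python
import json
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
WATCHED_SCOPES = ("@redhat-cloud-services/",)   # scope named in the detection table
RUNTIME_TOKENS = ("node ", "bun ", "/tmp/b-")    # interpreters/paths from AN-MIA-002/004

def lifecycle_findings(pkg: dict) -> list:
    """Return one finding string per suspicious lifecycle hook in a package.json dict."""
    name = pkg.get("name", "<unnamed>")
    scripts = pkg.get("scripts") or {}
    types_only = "types" in pkg and not pkg.get("main") and not pkg.get("bin")  # declarations-only
    findings = []
    for hook in (h for h in LIFECYCLE_HOOKS if scripts.get(h)):
        cmd = scripts[hook]
        reasons = []
        if name.startswith(WATCHED_SCOPES):
            reasons.append("lifecycle hook in watched scope (AN-MIA-001)")
        if any(tok in cmd for tok in RUNTIME_TOKENS):
            reasons.append("hook spawns an interpreter (AN-MIA-002)")
        if types_only:
            reasons.append("types-only package runs code at install (AN-MIA-002)")
        if reasons:
            findings.append(f"{name}: {hook}={cmd!r} -> " + "; ".join(reasons))
    return findings

def scan_node_modules(root: Path) -> list:
    """Walk every package.json under root/node_modules and collect findings."""
    findings = []
    for manifest in sorted((root / "node_modules").rglob("package.json")):
        try:
            findings.extend(lifecycle_findings(json.loads(manifest.read_text())))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the scan
    return findings

def demo_scan() -> list:
    """Build a constructed node_modules tree (hypothetical package names) and scan it."""
    sample = {
        "@redhat-cloud-services/example-types": {"types": "index.d.ts", "scripts": {"postinstall": "node index.js"}},
        "left-pad-ish": {"main": "index.js", "scripts": {"build": "tsc"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in sample.items():
            pkg_dir = Path(tmp, "node_modules", *name.split("/"))
            pkg_dir.mkdir(parents=True)
            pkg_dir.joinpath("package.json").write_text(json.dumps({"name": name, **body}))
        return scan_node_modules(Path(tmp))
```

Run against a real checkout by calling scan_node_modules(Path(".")) from the project root; a common legitimate hook such as "node-gyp rebuild" in an unscoped native package produces no finding.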