blindthoughts
breaking · By

Red Hat npm Packages Backdoored in Miasma Supply Chain Attack — Worm Steals Credentials

A supply chain attack campaign dubbed Miasma has compromised dozens of packages published under Red Hat's official @redhat-cloud-services npm organization, injecting a credential-stealing, self-propagating worm into the software supply chain. The attack was reported by Ars Technica and analyzed in depth by The Hacker News. If your pipelines or developer machines have touched these packages, you are in incident-response mode now.

What Happened

Attackers compromised the @redhat-cloud-services npm organization and published backdoored versions of legitimate packages. The Miasma campaign is described as a "Mini Shai-Hulud" operation, using the same methodology as prior high-profile supply chain attacks. The malicious payload does three things:

The trigger is mundane: any developer or CI/CD runner that executed npm install and pulled a backdoored version is compromised.

Why This Matters

The @redhat-cloud-services namespace is used in enterprise environments for OpenShift tooling, cloud infrastructure management, and DevOps automation. The worm component is what makes this especially dangerous. A typical malicious package sits and waits. This one moves — from a developer laptop to CI runners, staging environments, shared credential stores, and anywhere else that machine can authenticate. A single infected workstation can cascade across an entire organization's infrastructure.

Your exposure window is not just "when did I install the package." It is every system that machine touched afterward. Stolen cloud credentials mean attackers may already be inside your AWS, GCP, or Azure accounts.

What to Do Now

Act on this in the next hour, not the next day.

  1. Audit your dependencies — search all package.json and package-lock.json files across every project and CI configuration for any @redhat-cloud-services/* package. The confirmed package list is being updated in the Ars Technica report.
  1. Rotate all secrets immediately on any machine that may have installed an affected package — cloud credentials, GitHub/GitLab tokens, SSH keys, .env values, everything. Treat the machine as fully owned.
  1. Audit CI/CD pipelines — build runners that install npm packages are a high-risk vector. Review recent build logs for unexpected outbound network connections.
  1. Check cloud access logs — look for API calls from unusual IPs or at unusual times in AWS CloudTrail, GCP Audit Logs, or Azure Monitor.
  1. Re-image confirmed machines — do not attempt to clean in place. Worms leave secondary backdoors. Wipe and rebuild from a known-good image.
  1. Scan lateral movement — review authentication logs on internal systems reachable from affected machines for unauthorized access.

If your organization runs OpenShift or uses any Red Hat cloud tooling in automated pipelines, assume breach until you have confirmed otherwise.

Share:𝕏inr/HN🦋@
Was this useful?