Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packages

Blog post from Snyk

Post Details
Author: Brian Clark
Word Count: 1,650
Language: English
Summary

On June 1, 2026, researchers discovered malicious code embedded in at least 32 npm package releases under the @redhat-cloud-services namespace, which is used by the Red Hat Hybrid Cloud Console. The affected releases contained a preinstall script that executed an obfuscated payload to steal developer and cloud credentials and then attempted to propagate to other packages that the victim could publish. The campaign, identified as Miasma, involved a worm-like credential stealer that is a variant of the (Mini) Shai-Hulud worm. It exploited a compromised Red Hat employee's GitHub account to push unauthorized commits and publish packages with valid but misleading SLSA provenance. Although npm revoked most malicious versions quickly, the attack had widespread implications because of the high download volume of the affected packages, averaging 80,000 weekly downloads. The incident underscores the importance of rigorous security measures, including pinning dependencies away from affected versions, disabling install scripts, and rotating exposed credentials. It also highlights that relying solely on provenance verification, without behavioral checks, is insufficient for maintaining secure software pipelines.