Executive Summary
In June 2026, a sophisticated supply chain attack, dubbed 'Miasma,' compromised over 30 npm packages under the @redhat-cloud-services scope. The attackers infiltrated Red Hat's GitHub Actions OIDC pipeline, injecting a credential-stealing worm into these packages. Upon installation, the malware executed a preinstall script that harvested sensitive information, including GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes tokens, SSH keys, and Git credentials. The stolen data was exfiltrated to attacker-controlled servers, facilitating further propagation of the malware.
This incident underscores the escalating threat of supply chain attacks targeting trusted software repositories. The open-sourcing of the Mini Shai-Hulud malware by the cybercriminal group TeamPCP has lowered the barrier for such attacks, enabling a broader range of threat actors to execute similar campaigns. Organizations must enhance their security measures to protect against these evolving threats.
Why This Matters Now
The Miasma attack highlights the urgent need for organizations to secure their CI/CD pipelines and software supply chains. With the increasing prevalence of such attacks, it is crucial to implement robust security practices to prevent unauthorized access and data exfiltration.
Attack Path Analysis
The Miasma supply chain attack began with the compromise of Red Hat's npm packages, leading to the execution of malicious preinstall scripts on developer machines. These scripts harvested sensitive credentials and secrets, enabling the malware to escalate privileges and propagate further. The worm then moved laterally by exploiting the stolen credentials to access additional systems and repositories. It established command and control by exfiltrating the collected data to attacker-controlled servers. The exfiltrated data included critical information such as GitHub tokens and cloud credentials. The impact of the attack was significant, compromising numerous developer environments and potentially leading to further supply chain compromises.
Kill Chain Progression
Initial Compromise
Description
The attacker compromised Red Hat's npm packages, embedding malicious preinstall scripts that executed upon package installation on developer machines.
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Credentials in Files
Web Protocols
Ingress Tool Transfer
DLL Side-Loading
PowerShell
Obfuscated Files or Information
Taint Shared Content
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Supply Chain Risk Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting Red Hat npm packages directly compromise software development workflows, credential harvesting threatens CI/CD pipelines and developer environments.
Information Technology/IT
Mini Shai-Hulud worm propagation through compromised packages creates widespread infrastructure risks, requiring enhanced egress filtering and zero trust segmentation controls.
Financial Services
Credential-stealing capabilities targeting developer machines pose significant compliance risks under PCI DSS requirements, threatening secure application development and deployment processes.
Health Care / Life Sciences
Supply chain compromise of development tools threatens HIPAA compliance through potential credential harvesting and lateral movement within healthcare application development environments.
Sources
- Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Wormhttps://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.htmlVerified
- Dozens of Red Hat packages backdoored through its official NPM channelhttps://arstechnica.com/security/2026/06/dozens-of-red-hat-packages-backdoored-through-its-offical-npm-channel/Verified
- Red Hat npm packages compromised to steal developer credentialshttps://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to the Miasma supply chain attack as it could have constrained the malware's ability to escalate privileges, move laterally, and exfiltrate sensitive data, thereby reducing the attack's overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have limited the execution of unauthorized scripts by enforcing strict workload isolation and identity-based access controls.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely have constrained the malware's ability to escalate privileges by enforcing strict identity-based access controls and limiting unauthorized access.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely have limited the malware's lateral movement by enforcing strict segmentation and monitoring of internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control may have constrained the malware's ability to establish command and control channels by monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely have limited data exfiltration by enforcing strict policies on outbound traffic.
The overall impact of the attack would likely have been reduced, with compromised environments being isolated to prevent further supply chain compromises.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD)
- Cloud Services Management
Estimated downtime: 7 days
Estimated loss: $500,000
Developer credentials, cloud secrets, SSH keys, CI/CD tokens
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malware within the network.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual activities indicative of supply chain attacks.
- • Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Utilize Multicloud Visibility & Control to gain comprehensive insights into cloud environments and detect anomalous interactions.
- • Apply Inline IPS (Suricata) to inspect traffic for known exploit patterns and block malicious payloads effectively.
