Preinstall to persistence: Inside the npm Miasma credential-stealing campaign
Description
Microsoft Threat Intelligence identified a large-scale npm supply chain attack involving 32 malicious packages under the @redhat-cloud-services scope. The attack originated from a compromise of the RedHatInsights/javascript-clients CI/CD pipeline, allowing attackers to publish trojanized packages via legitimate GitHub Actions OIDC workflows with authentic provenance signatures. These malicious packages used npm preinstall hooks to execute a heavily obfuscated dropper that downloaded the Bun JavaScript runtime and launched payloads to steal credentials from multiple cloud and developer platforms. The malware harvested secrets from GitHub Actions runner memory, escalated privileges using passwordless sudo, exfiltrated data through GitHub infrastructure, and propagated by compromising additional maintainer packages with forged SLSA provenance. The campaign is tracked under the identifier "Miasma: The Spreading Blight." No patch or remediation guidance is currently provided by the vendor.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat is a supply chain attack targeting npm packages within the @redhat-cloud-services scope, discovered by Microsoft Threat Intelligence. Attackers compromised the RedHatInsights/javascript-clients CI/CD pipeline, enabling them to publish malicious packages signed with legitimate GitHub Actions OIDC workflow provenance. The malicious packages execute a large obfuscated dropper during npm preinstall hooks, which downloads the Bun JavaScript runtime and runs payloads designed to steal credentials from GitHub, npm, AWS, Azure, GCP, HashiCorp Vault, Kubernetes, and developer systems. The malware scrapes secrets from GitHub Actions runner memory, escalates privileges via passwordless sudo, exfiltrates stolen data through GitHub infrastructure, and spreads by compromising additional maintainer packages with forged SLSA provenance signatures. The campaign is identified as "Miasma: The Spreading Blight." There is no known patch or official fix available at this time.
Potential Impact
The attack compromises the integrity of npm packages in a widely used scope, enabling credential theft across multiple cloud platforms and developer environments. It allows attackers to escalate privileges on compromised systems and exfiltrate sensitive secrets and credentials through trusted GitHub infrastructure. The propagation mechanism threatens the broader npm ecosystem by compromising additional maintainer packages with forged provenance, increasing the risk of widespread credential theft and supply chain contamination.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance and monitor official advisories from Red Hat, Microsoft, and npm for updates, since no official fix or patch is currently available. Review CI/CD pipeline security, especially GitHub Actions OIDC workflows, and audit package provenance and maintainers for suspicious activity. Consider temporarily restricting use of packages under the @redhat-cloud-services scope until further notice. Rotate credentials and increase monitoring for affected cloud and developer accounts as a precaution.
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/
- Adversary: null
- Pulse Id: 6a214311a2c1a61296efbdc5
- Threat Score: null
Indicators of Compromise
Hash
| Value | Description |
|---|---|
| 396cac9e457ec54ff6d3f6311cb5cc1da8054d019ce3ffa1de5741506c7a4ea4 | — |
| d8d170af3de17bb9b217c52aaaffdf9395f35ef015a57ef676e406c121e5e223 | — |
| 25e121e3b7d300c0d0075b33e5eca39a3e6a659fb9cfee52b70ef71686628f1b | — |
| d5a97614d5319ce9c8e01fa0b4eb06fb5b9e54fa13b23d718174a1546444123b | — |
| f0641e053e81f0d01fa46db35a83e0a34494886503086866d956d14e81fd3e1c | — |
| f88258e21592084a2f93a572ade8f9b91c0cd0e242f5cf6121ed7bad0f7bdd1f | — |
Threat ID: 6a214670e29bf47b508d1eff
Added to database: 6/4/2026, 9:33:36 AM
Last enriched: 6/4/2026, 9:48:28 AM
Last updated: 6/4/2026, 11:58:02 AM