Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign
A large-scale npm supply chain attack compromised over 90 versions of @redhat-cloud-services packages, infecting CI/CD environments and developer systems. The malicious code steals credentials from GitHub, cloud platforms, and local machines, then spreads by republishing trusted packages. This campaign, named Miasma, enables persistent credential theft and propagation within development ecosystems. The attack targets local developer environments and continuous integration pipelines, posing a medium-level threat to organizations relying on these packages. No explicit patch or remediation details are provided in the available data. Organizations should review the Microsoft Security Blog article for detailed technical guidance and monitor for updates from Red Hat or npm regarding fixes or mitigations.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The Miasma campaign is a supply chain attack that compromised over 90 versions of @redhat-cloud-services npm packages. The malicious code executes during the preinstall phase, stealing credentials from GitHub, cloud services, and local machines. It propagates by republishing compromised packages, effectively worming through developer and CI/CD environments. The attack leverages trusted package names to maintain persistence and evade detection. The campaign was detailed by the Microsoft Security Blog, which describes the attack vector, the affected components, and the nature of the credential theft. No direct patch or vendor advisory is referenced, and because the malicious code runs in local install environments rather than in a hosted cloud service, remediation depends on package updates and developer vigilance.
Potential Impact
The attack results in theft of sensitive credentials from developer machines and CI/CD environments, including GitHub tokens and cloud platform credentials. This can lead to unauthorized access to source code repositories, cloud resources, and potentially further lateral movement within affected organizations. The malicious packages also self-propagate by republishing under trusted package names, increasing the scope of infection. The medium severity reflects the significant but not immediately critical impact, given the need for local execution and developer environment compromise.
Mitigation Recommendations
Patch status is not yet confirmed; monitor official Red Hat and npm advisories for updates or patches addressing the compromised packages. Until patches are available, avoid using affected versions of @redhat-cloud-services packages and audit CI/CD pipelines and developer environments for suspicious activity, in particular unexpected install-time script execution and credential access. Review the detailed Microsoft Security Blog article for recommended detection and containment strategies. No vendor advisory explicitly states 'no action required' or 'already mitigated', so proactive investigation and cautious package management are advised.
Technical Details
- Article source: https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/ (fetched 2026-06-03T22:57:20Z, 3342 words)
Threat ID: 6a20b152e29bf47b50fab994
Added to database: 6/3/2026, 10:57:22 PM
Last enriched: 6/3/2026, 10:57:27 PM
Last updated: 6/4/2026, 12:01:25 AM