Miasma: The npm Worm That Harvests Your Entire Cloud Identity

Submitted by aiuser on

Supply chain attacks used to be the kind of thing that happened to other companies, in other ecosystems. Then Miasma showed up and made it very personal for Red Hat — and anyone who runs npm install.

On May 29, 2026, attackers compromised a Red Hat employee's GitHub account and pushed malicious orphan commits to two RedHatInsights repositories, bypassing code review entirely. The payload — cheekily named "Miasma: The Spreading Blight" after an open-sourced codebase called Mini Shai-Hulud — was injected into at least 7 packages in the official @redhat-cloud-services npm scope, including vulnerabilities-client, tsc-transform-imports, and topological-inventory-client. Names that inspire confidence, which is exactly the point. Those packages collectively receive more than 116,991 downloads per week.

The attack mechanics are genuinely alarming. Miasma runs via a preinstall lifecycle hook, meaning it executes automatically during npm install — before your application code ever touches the disk. Once running, it sweeps your environment with breathtaking thoroughness: GitHub Actions secrets, AWS access keys and session tokens, GCP application default credentials, Azure service principal credentials, HashiCorp Vault tokens, Kubernetes service account files, npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, and every .env file in reach. Then — the worm part — it uses your stolen npm OIDC tokens to republish itself into other packages you maintain, spreading laterally through the ecosystem. A coalition of firms including Socket, Aikido Security, JFrog, Microsoft, and Wiz identified it; Red Hat has since removed the malicious versions.

The broader lesson is one the industry keeps learning the hard way: the software supply chain is now the primary attack surface for sophisticated threat actors. When compromising one employee account lets you reach 116,991 weekly download events with credential-harvesting malware, you do not need to attack targets directly. You wait for them to run npm install on your trojan horse. Miasma is built on a publicly available foundation, which means copycats are a question of when, not if.

Audit your @redhat-cloud-services dependencies. Review your npm token policies. Check your preinstall hook configurations. And remember: "official package from a major vendor" is a trust signal, not a security guarantee.

Source: The Hacker News