A new wave of the Shai-Hulud worm family, dubbed Miasma by researchers at Aikido Security and OX Security, has compromised 32 packages across 96 versions on the npm registry, with roughly 117,000 weekly downloads in aggregate and 309 GitHub repositories affected. The attack vector was a Red Hat employee's compromised GitHub account, which the attacker used to push malicious commits that added automated workflows publishing backdoored packages via npm's trusted-publishing endpoint.

The payload is the part of the disclosure that should change how every CISO thinks about developer-machine security through the rest of the year. The malware exfiltrates GitHub Actions secrets, AWS access keys, Google Cloud service account credentials, Azure tokens, HashiCorp Vault tokens, Kubernetes service account tokens, npm and PyPI publishing tokens, SSH keys, Docker credentials, GPG keys, and .env files. The effective scope is every secret on the infected developer machine. The stolen credentials are uploaded to attacker-controlled infrastructure and are usable immediately.

Red Hat, in its initial response, said the affected packages were "strictly internal" and never reached customers through console.redhat.com. The narrower scope of customer impact does not reduce the operational urgency. Any organization that had any of the affected packages on a developer machine or in a continuous-integration environment between the time the malicious versions were published and the disclosure should now treat every secret on those machines as compromised. Rotating selectively does not work for this class of attack. The right posture is to rotate everything.

The broader pattern is what makes the disclosure consequential. The Shai-Hulud family has now hit Bitwarden, SAP, OpenAI, and Red Hat-adjacent projects in successive waves. Each wave has used a slightly different distribution mechanism but has converged on the same payload architecture. The Miasma variant's use of npm's trusted-publishing endpoint as the distribution vector is the most concerning evolution. Trusted publishing was designed to reduce the attack surface for package compromise; the campaign demonstrates that it can be turned into the distribution mechanism for the compromise it was meant to prevent.

For enterprise security operations, three immediate actions matter. First, scan dev-environment and CI logs for the indicators of compromise that Aikido and OX have published. Second, rotate any credential that any developer machine touched in the affected window. Third, treat npm trusted-publishing infrastructure as compromise-adjacent until the platform publishes a meaningful response to how the trusted-publishing endpoint was abused.
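As an added example (not from the article or from the Aikido/OX advisories), the following Python applies the first action to dependency manifests: it scans a package-lock.json for installed name@version pairs on an affected-package list, catching nested copies that a top-level dependency listing hides. The two package names and the lock file are constructed placeholders; the real list must be taken from the researchers' publications.

```python
import json

# Placeholder indicator list. The real affected package@version pairs must come
# from the Aikido Security / OX Security advisories; these two names are
# constructed for this example and are NOT actual affected packages.
AFFECTED_VERSIONS: set[tuple[str, str]] = {
    ("@example-org/build-helper", "2.4.1"),
    ("example-cli-tool", "1.0.9"),
}

# Constructed lockfileVersion 3 sample: a direct hit, a nested hit, a clean release.
SAMPLE_LOCK: dict = json.loads("""{
  "name": "internal-service", "lockfileVersion": 3, "packages": {
    "": {"name": "internal-service", "version": "0.1.0"},
    "node_modules/example-cli-tool": {"version": "1.0.9"},
    "node_modules/some-lib/node_modules/@example-org/build-helper": {"version": "2.4.1"},
    "node_modules/@example-org/build-helper": {"version": "2.3.0"}
  }
}""")


def package_name_from_lock_key(key: str) -> str:
    """'node_modules/foo/node_modules/@scope/bar' -> '@scope/bar': the name is
    whatever follows the last 'node_modules/' segment of a v2/v3 key."""
    marker = "node_modules/"
    idx = key.rfind(marker)
    return key[idx + len(marker):] if idx != -1 else key


def find_compromised(lock: dict, affected=AFFECTED_VERSIONS) -> list[tuple[str, str, str]]:
    """Return (install_path, name, version) for each installed package whose exact
    name@version is on the affected list, nested copies included. Reads the
    lockfileVersion 2/3 'packages' map, or walks the lockfileVersion 1 tree."""
    wanted, hits = set(affected), []
    packages = lock.get("packages")
    if packages is not None:
        for key, meta in packages.items():
            if key == "":  # root project entry, not a dependency
                continue
            name = meta.get("name") or package_name_from_lock_key(key)
            if (name, meta.get("version")) in wanted:
                hits.append((key, name, meta["version"]))
        return hits

    def walk(deps: dict, prefix: str) -> None:  # lockfileVersion 1 fallback
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if (name, meta.get("version")) in wanted:
                hits.append((path, name, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")
    walk(lock.get("dependencies", {}), "")
    return hits
```

Any hit means the machine or CI runner that installed that lock file falls under the rotate-everything rule above, regardless of whether the package was a direct or transitive dependency.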

Watch for: secondary breaches at downstream consumers of the affected packages, npm's response to the trusted-publishing exploitation pattern, and whether comparable campaigns appear on PyPI in the next 30 days.

Reporting based on BleepingComputer and The Hacker News coverage of the Miasma supply chain attack.