Detect and mitigate malicious npm packages linked to the latest npm supply chain attack, based on the open-source Mini Shai-Hulud malware.
# Incident Report: Miasma Supply Chain Attack on RedHat npm Packages
## Executive Summary
In June 2026, a supply chain compromise was identified affecting 32 npm packages under the `@redhat-cloud-services` namespace. The attack involved injecting a malicious payload named "Miasma," a variant of the open-source "Mini Shai-Hulud" malware, designed to exfiltrate developer credentials and secrets. With approximately 80,000 weekly downloads, the incident posed a significant risk to organizations utilizing RedHat’s cloud services infrastructure.
## Incident Details
- **Discovery Date:** June 1, 2026
- **Incident Date:** Circa May/June 2026 (ongoing at time of discovery)
- **Affected Organization:** RedHat (Specifically `@redhat-cloud-services` namespace)
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to June 1, 2026
- **Vector:** Unauthorized modification of npm package releases.
- **Details:** Attackers gained the ability to publish malicious versions of legitimate packages under the `@redhat-cloud-services` namespace. These modified versions did not match the official source repositories.
### Lateral Movement
- **Details:** The malware targets the local environment of developers and CI/CD pipelines. It attempts to harvest GitHub tokens, SSH keys, cloud provider credentials, and secrets stored in VSCode extensions or CI/CD workflow variables to move further into organizational infrastructure.
### Data Exfiltration/Impact
- **Details:** Unauthorized access to and exfiltration of sensitive developer secrets and authentication tokens. Potential compromise of downstream software products built using the infected packages.
### Detection & Response
- **How it was discovered:** Identified by Wiz Research through analysis of npm registry anomalies and package integrity checks.
- **Response actions taken:** Discovery of 32 compromised packages; public advisory issued; recommendations for secret rotation and package auditing provided to the community.
## Attack Methodology
- **Initial Access:** Supply Chain Compromise (unauthorized npm package publication).
- **Persistence:** High; the malware is embedded in the `preinstall` scripts of packages, ensuring execution whenever the package is installed or updated.
- **Defense Evasion:** Use of heavy JavaScript obfuscation, `eval()` functions, and ROT-based encoding to hide malicious logic.
- **Credential Access:** Key focus on harvesting SSH keys, GitHub tokens, and cloud credentials from developer workstations.
- **Discovery:** Scans for local VSCode extensions, GitHub Actions configurations, and CI/CD environment variables.
- **Impact:** Potential for full account takeover of developer environments and downstream supply chain contamination.
## Impact Assessment
- **Financial:** High (indirect costs related to incident response and credential rotation).
- **Data Breach:** Exposure of highly sensitive development secrets and access tokens.
- **Operational:** Disruption to CI/CD pipelines as organizations pause builds to audit dependencies and rotate keys.
- **Reputational:** Significant impact on the perceived security of the RedHat npm ecosystem.
## Indicators of Compromise
- **File indicators:** Modified `index.js` files within npm packages containing obfuscated ROT-based code.
- **Behavioral indicators:**
  - Unexpected execution of `preinstall` scripts during `npm install`.
  - Unauthorized GitHub repository creation or workflow modifications.
  - Description strings in repositories containing: `Miasma: The Spreading Blight`.
  - References to "Spartan" or Greek mythology themes in obfuscated code scripts.
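The indicators above can be turned into a local audit of installed packages. The following is an added example, not code from the report or from Wiz Research: it checks each package manifest for lifecycle hooks (`preinstall`, `install`, `postinstall`, `prepare`), scans package source for the `Miasma: The Spreading Blight` string and for the `eval()` plus ROT-style character-shifting pattern the report describes, and rates a package "suspicious" only when a lifecycle hook and obfuscation occur together, so a legitimate `install` hook (for example a native addon build) is flagged for review rather than treated as malicious. The package names, versions and file contents are constructed for the example; in practice the data would be read from `node_modules/*/package.json` and the files beside it.

```javascript
// Added example (not from the report): audit npm packages for the indicators
// listed in the incident report. Runs on constructed in-memory data.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const IOC_STRING = "Miasma: The Spreading Blight";

// Heuristics for the obfuscation style the report describes: eval() and
// ROT-style shifting built from charCodeAt / String.fromCharCode arithmetic.
const OBFUSCATION_PATTERNS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "function-constructor", re: /\bFunction\s*\(/ },
  { name: "rot-style-charcode", re: /charCodeAt\s*\([^)]*\)\s*[+\-]\s*\d+/ },
  { name: "fromCharCode", re: /String\.fromCharCode\s*\(/ },
];

// Report every lifecycle hook declared in a package.json "scripts" block.
function auditManifest(manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({ type: "lifecycle-script", hook, command: scripts[hook] });
    }
  }
  return findings;
}

// Report the IoC string and any obfuscation pattern present in one source file.
function auditSource(code) {
  const findings = [];
  if (code.includes(IOC_STRING)) findings.push({ type: "ioc-string", value: IOC_STRING });
  for (const p of OBFUSCATION_PATTERNS) {
    if (p.re.test(code)) findings.push({ type: "obfuscation", pattern: p.name });
  }
  return findings;
}

// pkg = { name, version, manifest, files: { relativePath: sourceText } }
function auditPackage(pkg) {
  const findings = [...auditManifest(pkg.manifest)];
  for (const [file, src] of Object.entries(pkg.files)) {
    for (const f of auditSource(src)) findings.push({ ...f, file });
  }
  // A hook on its own deserves review; a hook combined with obfuscation or the
  // IoC string is the pattern the report describes.
  const hasHook = findings.some((f) => f.type === "lifecycle-script");
  const hasObf = findings.some((f) => f.type === "obfuscation" || f.type === "ioc-string");
  const verdict = hasHook && hasObf ? "suspicious" : hasHook || hasObf ? "review" : "clean";
  return { name: pkg.name, version: pkg.version, verdict, findings };
}

// Constructed sample packages; names, versions and contents are invented.
const SAMPLE_PACKAGES = [
  {
    name: "@example-scope/clean-lib", version: "1.0.0",
    manifest: { scripts: { test: "node test.js" } },
    files: { "index.js": "module.exports = function add(a, b) { return a + b; };" },
  },
  {
    // Lifecycle hook plus ROT-13 decoding fed into eval: the reported pattern.
    name: "@example-scope/tampered-lib", version: "1.0.1",
    manifest: { scripts: { preinstall: "node index.js", test: "node test.js" } },
    files: {
      "index.js":
        'const d = "Zvnfzn: Gur Fcernqvat Oyvtug";' +
        'const s = [...d].map((c) => String.fromCharCode(c.charCodeAt(0) + 13)).join("");' +
        "eval(s);",
    },
  },
  {
    // Legitimate install hook with no obfuscation: review, not suspicious.
    name: "@example-scope/native-addon", version: "2.3.0",
    manifest: { scripts: { install: "node-gyp rebuild" } },
    files: { "index.js": "module.exports = require('./build/Release/addon.node');" },
  },
];

function auditAll(packages = SAMPLE_PACKAGES) {
  return packages.map(auditPackage);
}

for (const r of auditAll()) {
  console.log(`${r.name}@${r.version}: ${r.verdict}`, r.findings);
}
```

The heuristics are deliberately coarse: `String.fromCharCode` and `charCodeAt` arithmetic also appear in legitimate minified code, which is why the verdict is driven by the combination with a lifecycle hook rather than by any single match. Setting `npm config set ignore-scripts true` on developer machines and CI runners stops the hooks from running at all, and makes a flagged `preinstall` something to investigate rather than something that has already executed.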
## Response Actions
- **Containment measures:** Identification and flagging of the 32 compromised package versions.
- **Eradication steps:** Advised removal of affected package versions and replacement with known-good versions.
- **Recovery actions:** Blanket rotation of all GitHub tokens, SSH keys, and cloud credentials for users who interacted with the affected packages.
## Lessons Learned
- **Key takeaways:** Open-source malware (like Mini Shai-Hulud) can be easily rebranded and redeployed by copycat actors.
- **What could have been done better:** Stricter enforcement of MFA for package publishing, and automated integrity checks between source code repositories and the artifacts published to the npm registry, could have shortened the detection window.
## Recommendations
- **Prevention:**
  - Implement **Package Verification** and dependency allowlisting.
  - Enforce **SBOM** (Software Bill of Materials) generation to track dependencies.
  - Monitor for any `preinstall` or `postinstall` scripts in third-party packages.
  - Utilize tools that compare npm Registry content against GitHub source code to detect discrepancies.
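The last recommendation, comparing what the registry serves against what the source repository contains, is the check that would have exposed versions that "did not match the official source repositories". The following is an added example, not the report's or any vendor's tool: it diffs two file trees (source checkout at the release tag versus the contents of the published tarball) and separately compares the `scripts` block of the two `package.json` files, because a lifecycle hook present only in the published manifest is the strongest single signal of publish-time tampering. The trees are constructed in-memory maps for the example; in practice they would come from `git archive` at the tag and from unpacking the output of `npm pack`, and the `IGNORE_PATHS` list is an assumption to be tuned per project.

```javascript
// Added example (not from the report): compare a package's source tree with
// the files actually published to the registry. Runs on constructed data.

// Paths that legitimately differ between a checkout and a published tarball
// (assumed list; tune per project).
const IGNORE_PATHS = new Set([".gitignore", ".github/workflows/ci.yml", "CHANGELOG.md"]);
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Parse the "scripts" block of a package.json text, tolerating a missing file.
function parseScripts(json) {
  if (!json) return {};
  try {
    return JSON.parse(json).scripts || {};
  } catch (e) {
    return {};
  }
}

// sourceTree and publishedTree are { relativePath: fileText } maps.
function compareTrees(sourceTree, publishedTree) {
  const report = { onlyInPublished: [], onlyInSource: [], modified: [], addedLifecycleScripts: [] };
  const paths = new Set([...Object.keys(sourceTree), ...Object.keys(publishedTree)]);
  for (const p of paths) {
    if (IGNORE_PATHS.has(p)) continue;
    const inSrc = p in sourceTree;
    const inPub = p in publishedTree;
    if (inSrc && !inPub) report.onlyInSource.push(p);
    else if (!inSrc && inPub) report.onlyInPublished.push(p);
    else if (sourceTree[p] !== publishedTree[p]) report.modified.push(p);
  }
  // Hooks that exist only in the published manifest, or whose command changed,
  // are the publish-time injection pattern the report describes.
  const srcScripts = parseScripts(sourceTree["package.json"]);
  const pubScripts = parseScripts(publishedTree["package.json"]);
  for (const hook of LIFECYCLE_HOOKS) {
    if (pubScripts[hook] && pubScripts[hook] !== srcScripts[hook]) {
      report.addedLifecycleScripts.push({ hook, command: pubScripts[hook] });
    }
  }
  const mismatch =
    report.addedLifecycleScripts.length > 0 ||
    report.onlyInPublished.length > 0 ||
    report.modified.length > 0;
  report.verdict = mismatch ? "mismatch" : "match";
  return report;
}

// Constructed sample trees; the package name and contents are invented.
const SOURCE_TREE = {
  "package.json": JSON.stringify({
    name: "@example-scope/widget",
    version: "1.4.2",
    scripts: { build: "tsc", test: "node test.js" },
  }),
  "index.js": "module.exports = { widget: () => 'ok' };",
  "README.md": "# widget",
  ".gitignore": "node_modules/",
};

const PUBLISHED_TREE = {
  "package.json": JSON.stringify({
    name: "@example-scope/widget",
    version: "1.4.2",
    scripts: { build: "tsc", test: "node test.js", preinstall: "node setup.js" },
  }),
  "index.js": "module.exports = { widget: () => 'ok' };\nrequire('./setup.js');",
  "README.md": "# widget",
  "setup.js": "/* constructed placeholder for an injected file */",
};

function runComparison(source = SOURCE_TREE, published = PUBLISHED_TREE) {
  return compareTrees(source, published);
}

console.log(JSON.stringify(runComparison(), null, 2));
```

Projects that transpile or bundle before publishing will show legitimate differences under `modified` and `onlyInPublished`; for those, run the project's own build on the tagged commit first and diff the build output against the tarball, or at minimum keep the `scripts` comparison, which is independent of build steps.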