Overview
- Security teams discovered that at least 32 @redhat-cloud-services npm packages, across many versions, were tampered with to include an obfuscated preinstall payload that runs during npm install and harvests credentials.
- The malware, called Miasma, is a heavily modified Mini Shai-Hulud variant that collects GitHub Actions secrets, npm tokens, SSH keys, Kubernetes and Vault material, and GCP, Azure and AWS identity data, then encrypts the loot for exfiltration.
- Analyses show the stolen data is sent to an external web endpoint (reported as api.anthropic[.]com:443/v1/api); as a fallback, the payload can commit the encrypted data into attacker-controlled GitHub repositories for exfiltration.
- Evidence points to a compromised Red Hat employee GitHub account being used to push the malicious commits and publish the backdoored releases on June 1, but attribution remains uncertain because the underlying toolset has been publicly released and can be reused by others.
- Most of the malicious versions have been revoked and Red Hat removed the affected development-tooling packages from npm; responders say organizations that installed those versions must rotate secrets, suspend affected CI runs, forensically image and hunt infected hosts, and harden their publishing pipelines.