On 1 June 2026, Wiz Research identified a supply chain compromise affecting multiple packages published under the @redhat-cloud-services npm namespace. Investigation revealed that at least 29 package releases contained unauthorized modifications that did not match the correspo...
# Incident Report: Miasma Supply Chain Compromise
## Executive Summary
On June 1, 2026, a supply chain compromise was detected involving the `@redhat-cloud-services` npm namespace, where 29 package releases were found to be trojanized. The attackers injected a modified version of the "Shai-Hulud" malware, dubbed **Miasma**, designed to exfiltrate cloud identities from GCP and Azure environments. The incident highlights an evolving threat landscape where attackers prioritize organizational cloud access over simple credential theft.
## Incident Details
- **Discovery Date:** June 1, 2026
- **Incident Date:** May/June 2026 (Ongoing at time of discovery)
- **Affected Organization:** Red Hat (specifically packages under the `@redhat-cloud-services` namespace)
- **Sector:** Information Technology / Software Development
- **Geography:** Global (via npm registry)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa late May 2026
- **Vector:** Supply Chain Compromise (Unauthorized publication to npm)
- **Details:** Attackers gained the ability to publish unauthorized versions of 29 packages under the `@redhat-cloud-services` scope. The exact method of account or CI/CD compromise is not specified, but the published artifacts did not match the official source repositories.
### Lateral Movement
- **Mechanism:** Installation-time execution. The malware utilized `preinstall` scripts in `package.json` to automatically trigger a malicious `index.js` file when a developer or automated system downloaded the package.
### Data Exfiltration/Impact
- **Details:** The malware targeted Cloud Identities. Specifically, it utilized new collectors for Google Cloud Platform (GCP) and Azure to harvest all identities accessible from the infected machine/environment.
### Detection & Response
- **Discovery:** Identified by Wiz Research through automated scanning and source-to-binary discrepancy analysis.
- **Response Actions:** Investigation of the `@redhat-cloud-services` namespace; identification of 29 trojanized releases; analysis of the "Miasma" payload.
## Attack Methodology
- **Initial Access:** Supply Chain Compromise (npm namespace).
- **Persistence:** Dependency-based persistence; the malware executes every time the package is installed or updated in a CI/CD pipeline or developer environment.
- **Defense Evasion:** Heavily obfuscated JavaScript files, use of `eval()`, and ROT-based decoding; naming conventions changed from "Dune" themes to "Greek Mythology" (Spartan) to avoid signature-based detection of known Shai-Hulud malware.
- **Collection:** Focused on cloud identity metadata for GCP and Azure.
- **Exfiltration:** Automated exfiltration of collected cloud identities to attacker-controlled infrastructure.
- **Impact:** High potential for unauthorized cloud access and environment-wide compromise.
## Impact Assessment
- **Financial:** Not publicly disclosed; potential for significant losses if cloud identities were used for resource hijacking.
- **Data Breach:** Exposure of cloud service accounts, user identities, and environment metadata.
- **Operational:** Disruption to Red Hat’s cloud services development pipeline and requirement for emergency package rotations.
- **Reputational:** High-profile compromise of a trusted enterprise software vendor (Red Hat).
## Indicators of Compromise
- **File Indicators:**
  - Malicious `index.js` files within `@redhat-cloud-services` packages.
  - Large, obfuscated JS files containing `eval()` and ROT decoding.
- **Behavioral Indicators:**
  - npm `preinstall` scripts executing unexpected external scripts.
  - Unauthorized API calls to GCP/Azure metadata services or identity endpoints from local dev machines.
- **Other:** Repositories created with the description "Miasma: The Spreading Blight."
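The install-hook and obfuscation indicators above can be turned into a static pre-install audit. The following is an added example (not code from the Wiz report or from the affected packages) that scans a `package.json` for lifecycle scripts running a local file and rates that file for `eval()`, packed single-line payloads and ROT13-style `charCodeAt` arithmetic; all package names, versions and file contents are constructed.

```javascript
// Added example, not code from the Wiz report or the affected packages: audit
// npm manifests for install-time lifecycle scripts that run a local file, and
// rate that file for the obfuscation markers the report lists. Package names,
// versions and file contents are constructed for illustration.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Cheap static heuristics on a script file: eval()/new Function(), one very
// long line (typical of packed payloads), symbol-heavy text, and charCode
// arithmetic by 13 (a ROT13-style decoder).
function obfuscationSignals(src) {
  const signals = [];
  if (/\beval\s*\(|new\s+Function\s*\(/.test(src)) signals.push("eval-or-Function");
  const longest = Math.max(...src.split("\n").map((l) => l.length));
  if (longest > 500) signals.push("long-line:" + longest);
  const text = src.replace(/\s/g, "");
  const symbols = text.replace(/[A-Za-z0-9_$]/g, "").length;
  if (text.length && symbols / text.length > 0.35) signals.push("symbol-heavy");
  if (/charCodeAt\([^)]*\)\s*[+-]\s*13\b/.test(src)) signals.push("charcode-rot13");
  return signals;
}

// Audit one manifest; `files` maps a path inside the package to its contents.
// Every install hook is reported; `suspicious` is set when the hook runs a
// local JS file that shows at least one obfuscation signal.
function auditManifest(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const m = /\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/.exec(cmd);
    const target = m ? m[1] : null;
    const signals = target && files[target] ? obfuscationSignals(files[target]) : [];
    findings.push({ name: manifest.name, hook, cmd, target, signals, suspicious: signals.length > 0 });
  }
  return findings;
}

// Constructed samples: a benign native-addon package and a trojanized one
const BENIGN = { manifest: { name: "@example/native-addon", version: "1.0.0",
  scripts: { postinstall: "node-gyp rebuild", test: "node test.js" } }, files: {} };
const TROJANIZED = { manifest: { name: "@example/trojanized-pkg", version: "4.2.9",
  scripts: { preinstall: "node index.js" } }, files: {
  "index.js": "var _0x1a=" + JSON.stringify("\\x41".repeat(130)) +
    ";eval(String.fromCharCode(_0x1a.charCodeAt(0)+13));" } };

for (const pkg of [BENIGN, TROJANIZED]) console.log(auditManifest(pkg.manifest, pkg.files));
```

Run it against every `package.json` under `node_modules` before `npm ci` executes hooks; a benign native addon's `node-gyp rebuild` is reported but not flagged, while the constructed `preinstall` → `index.js` chain is.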
## Response Actions
- **Containment:** Removal or deprecation of the 29 compromised package versions from the npm registry.
- **Eradication:** Analysis of the "Miasma" (Spartan) variant to develop detection signatures.
- **Recovery:** Coordination with Red Hat to ensure source integrity and security of the publishing pipeline.
## Lessons Learned
- **Source-to-Package Divergence:** The incident underscores the risk of relying on package managers without verifying that the binaries match the public source code.
- **Cloud Identity Targeted:** Attackers are shifting from stealing static secrets (keys) to harvesting full cloud identities to maintain broader access to cloud environments.
## Recommendations
- **Binary Verification:** Implement tools to verify that npm packages match their corresponding GitHub source code tag.
- **Registry Security:** Enforce Multi-Factor Authentication (MFA) for all maintainers and use "Provenance" features provided by npm to link builds to source.
- **Principle of Least Privilege:** Limit the scope of cloud identities available on developer machines and CI/CD runners to prevent mass identity harvesting.
- **Dependency Pinning:** Use lockfiles (`package-lock.json`) and audit them regularly for unauthorized version jumps in sensitive namespaces.
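The lockfile audit recommended above can be automated in CI by diffing a reviewed baseline `package-lock.json` against the current one. This is an added example (not code from the Wiz report or Red Hat's tooling); it flags any version change, new entry, missing `integrity` field or non-registry `resolved` URL for packages under a watched scope, and all package names and lockfile entries are constructed.

```javascript
// Added example, not code from the Wiz report or Red Hat's tooling: diff the
// "packages" map of two package-lock.json (v2/v3) snapshots and flag changes in
// watched namespaces. Package names and lockfile entries are constructed.
const WATCHED_SCOPES = ["@redhat-cloud-services/"];
const TRUSTED_HOST = "https://registry.npmjs.org/";

// Classify a version change as major/minor/patch; non-semver strings are "unparsed"
function bumpKind(from, to) {
  const parse = (v) => { const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || ""); return m && m.slice(1, 4).map(Number); };
  const a = parse(from), b = parse(to);
  if (!a || !b) return "unparsed";
  return a[0] !== b[0] ? "major" : a[1] !== b[1] ? "minor" : "patch";
}

// Lock keys look like "node_modules/a/node_modules/@scope/b"; keep the last package name
const pkgName = (key) => key.split("node_modules/").pop();

function auditLockDrift(baseline, current) {
  const findings = [];
  for (const [key, entry] of Object.entries(current.packages || {})) {
    const name = pkgName(key);
    if (!name || !WATCHED_SCOPES.some((s) => name.startsWith(s))) continue;
    const before = (baseline.packages || {})[key];
    const reasons = [];
    if (!before) reasons.push("new-package");               // absent from the reviewed baseline
    else if (before.version !== entry.version) reasons.push("bump:" + bumpKind(before.version, entry.version));
    if (!entry.integrity) reasons.push("missing-integrity"); // nothing pins the tarball bytes
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_HOST)) reasons.push("untrusted-resolved");
    if (reasons.length) findings.push({ name, from: before ? before.version : null, to: entry.version, reasons });
  }
  return findings;
}

// Constructed snapshots: the baseline was reviewed; the current one pulled a
// patch-level bump of a watched package plus a new nested dependency.
const PKG = "@redhat-cloud-services/example-pkg";
const BASELINE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  ["node_modules/" + PKG]: { version: "4.2.1", resolved: `${TRUSTED_HOST}${PKG}/-/example-pkg-4.2.1.tgz`, integrity: "sha512-BASELINE-PLACEHOLDER" },
  "node_modules/left-pad": { version: "1.3.0", resolved: `${TRUSTED_HOST}left-pad/-/left-pad-1.3.0.tgz`, integrity: "sha512-PLACEHOLDER" } } };
const CURRENT_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  ["node_modules/" + PKG]: { version: "4.2.9", resolved: `${TRUSTED_HOST}${PKG}/-/example-pkg-4.2.9.tgz`, integrity: "sha512-CURRENT-PLACEHOLDER" },
  [`node_modules/${PKG}/node_modules/@redhat-cloud-services/other-pkg`]: { version: "0.0.1", resolved: "https://registry.example.invalid/other-pkg-0.0.1.tgz" },
  "node_modules/left-pad": BASELINE_LOCK.packages["node_modules/left-pad"] } };

console.log(auditLockDrift(BASELINE_LOCK, CURRENT_LOCK));
```

A patch-level bump is exactly what a caret range pulls in silently, so the audit reports it even though semver calls it minor; fail the pipeline on any finding and require a human to confirm the new release against the source tag.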