
Malicious npm Packages Target Red Hat Developers with Credential Harvesting Worm

The Miasma campaign uses obfuscated install hooks in legitimate npm packages to steal credentials and secrets from developer machines while actively avoiding Russian language systems.

CSBadmin

The Attack Mechanism

A sophisticated supply chain attack known as Miasma has infiltrated multiple npm packages associated with Red Hat Cloud Services. The compromised packages, including @redhat-cloud-services/vulnerabilities-client and @redhat-cloud-services/rbac-client, contain obfuscated preinstall hooks that activate upon installation. Once triggered, the malware systematically collects sensitive data from developer environments, including GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes configurations, SSH keys, and other authentication materials.

The attack uses encrypted exfiltration channels to send stolen data to external servers, with GitHub serving as a fallback communication method. The malicious code specifically avoids execution on systems configured with Russian language settings, suggesting a targeted approach or a deliberate evasion technique.

Impact and Scope

The campaign builds on tactics previously seen in the Shai-Hulud worm operations, leveraging similar techniques of install-time execution, credential harvesting, and CI/CD targeting. However, attribution has become challenging because the original threat group has made its attack tools publicly available. This public release allows other malicious actors to replicate and modify the attack methods, expanding the potential scope of infections.

The compromised packages were hosted on the official npm registry, putting downstream users at risk of credential theft and potential further supply chain compromise. When the malware successfully steals credentials, it attempts to use them to poison additional software packages, creating a self-propagating cycle. Security researchers from multiple firms, including Aikido Security, JFrog, Microsoft, and Wiz, have analyzed the threat and confirmed the presence of encrypted exfiltration logic designed to avoid detection.

Source: The Hacker News
