Operation "Miasma": Red Hat cloud services hit by mass account-stealing cyberattack
A massive supply chain cyberattack has recently been uncovered, turning trusted open-source code libraries into active tools of espionage. Named "Miasma: The Spreading Blight," this dangerous campaign directly endangers development environments and cloud infrastructure through official package releases from Red Hat.

The sophistication of the "Miasma" campaign
This critical security incident was discovered by cybersecurity researchers from Aikido and JFrog. According to reports, the attack successfully compromised 32 distinct packages and 96 library versions, primarily concentrated under the "@redhat-cloud-services" namespace.
The threat actors deployed a new variant of Mini Shai-Hulud, a dedicated malware family engineered for targeted credential harvesting and heavily linked to the cybercriminal group known as TeamPCP.
This indicates a direct compromise of Red Hat's automated release workflows or CI/CD infrastructure, allowing the malware to be distributed seamlessly from the very source developers inherently trust.
Automated execution and deep secret harvesting
The attackers embedded the malicious payload in the preinstall lifecycle script declared in the package's package.json. As a result, a routine installation command (npm install) triggers the malware immediately, before the dependency installation itself completes. To slip past security monitoring tools, the payload was heavily obfuscated and encrypted across multiple layers.
Once active, the malware aggressively scans the developer's workstation, automated systems, and cloud infrastructure to siphon off high-value secrets, including:
- GitHub access tokens, GitHub Actions OIDC tokens, as well as npm and PyPI tokens.
- Secure access keys for major cloud hyperscalers: AWS, Azure, and Google Cloud Platform (GCP).
- Kubernetes service account credentials, Vault tokens, SSH keys, Docker credentials, and configuration files holding sensitive environment variables like .env.

Traffic cloaking and a destructive "dead-man switch"
To exfiltrate stolen credentials covertly without triggering security alerts, the campaign relies on two highly deceptive stealth strategies:
- Masquerading as AI network activity: The malware routes exfiltrated data to [api.anthropic.com/v1/api](https://api.anthropic.com/v1/api). While this is an invalid endpoint for the AI provider Anthropic, the domain is legitimate enough to blend into the normal web traffic of enterprises adopting AI tools, masking the data theft from network monitors.
- Exploiting GitHub as a transit station: The threat actors automatically create public repositories under the victim's own GitHub account, applying the campaign description "Miasma: The Spreading Blight." The malware then uploads JSON files containing the harvested secrets into these repositories. Using legitimate infrastructure in this way drastically reduces the attackers' reliance on dedicated, easily blockable command-and-control (C2) servers.
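The two cloaking techniques above leave network- and account-level traces a defender can look for. The following is an added detection example, not code from the article or from the Aikido/JFrog researchers: it parses constructed proxy log lines and flags requests to the AI provider's domain whose path is the invalid exfiltration endpoint named above (or any path outside an assumed allowlist of expected API prefixes), and it checks repository metadata for the campaign's description string. The log format, the sample lines, the allowlist of expected paths, and the repository records are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators named in the article
EXFIL_HOST = "api.anthropic.com"
EXFIL_PATH = "/v1/api"                        # invalid endpoint used as the exfiltration target
REPO_MARKER = "Miasma: The Spreading Blight"  # description applied to attacker-created repositories
# Assumption: endpoint prefixes a genuine client is expected to call; tune to what your tooling uses
EXPECTED_PATH_PREFIXES = ("/v1/messages", "/v1/models", "/v1/complete")

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status> <bytes-sent>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

# Constructed sample lines; status codes and byte counts are illustrative, not observed values
SAMPLE_LOG = """\
2026-06-02T10:14:03Z 10.0.5.17 POST https://api.anthropic.com/v1/messages 200 2311
2026-06-02T10:14:09Z 10.0.5.17 POST https://api.anthropic.com/v1/api 404 58213
2026-06-02T10:15:44Z 10.0.5.23 GET https://registry.npmjs.org/@redhat-cloud-services/example-lib 200 4120
2026-06-02T10:16:02Z 10.0.5.31 POST https://api.anthropic.com/v1/internal/upload 404 77001
"""


def classify_request(url: str):
    """Return a reason string if the URL looks like traffic hiding behind the AI provider's domain, else None."""
    parts = urlsplit(url)
    if parts.hostname != EXFIL_HOST:
        return None
    if parts.path == EXFIL_PATH:
        return "known-exfil-path"
    if not parts.path.startswith(EXPECTED_PATH_PREFIXES):
        return "unexpected-path"
    return None


def suspicious_requests(lines) -> list:
    """Parse proxy log lines and return the requests that classify_request flags."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or differently formatted lines
        reason = classify_request(m["url"])
        if reason:
            hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"],
                         "bytes": int(m["bytes"]), "reason": reason})
    return hits


# Constructed repository records using the field names the GitHub repositories API returns
SAMPLE_REPOS = [
    {"name": "dotfiles", "description": "my shell config", "private": False},
    {"name": "sync-cache-1", "description": "Miasma: The Spreading Blight", "private": False},
    {"name": "infra-notes", "description": None, "private": True},
]


def miasma_repos(repos) -> list:
    """Return names of repositories carrying the campaign's description string."""
    return [r["name"] for r in repos if (r.get("description") or "").strip() == REPO_MARKER]


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(hit)
    print("repos to investigate:", miasma_repos(SAMPLE_REPOS))
```

The path allowlist matters more than the single known endpoint: a host-level allow rule for the AI provider would let this traffic through, so the check keys on the path and on unusually large request bodies to an endpoint that should not exist.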
Urgent remediation and mitigation steps
For organizations and engineering teams that have pulled down packages from the Red Hat ecosystem since June 1, 2026, security experts strongly urge the immediate execution of the following remediation steps:
- Purge affected packages: Run npm uninstall to clear out all compromised packages and regenerate clean project lockfiles from trusted metadata registries.
- Block untrusted scripts: Enforce the use of npm ci --ignore-scripts within your automated CI/CD pipelines to prevent malicious preinstall hooks from executing automatically.
- Eradicate footholds: Locate and terminate the underlying kitty-monitor and gh-token-monitor background processes prior to revoking or rotating any access tokens.
- Audit editor and AI configurations: Carefully inspect internal paths such as .claude/settings.json, .vscode/tasks.json, and ~/.config/index.js to uncover and strip away any unauthorized code injections or hooks.
- Rotate all credentials: Re-issue and cycle all GitHub tokens, npm tokens, cloud infrastructure access keys, SSH keys, and other core secrets only after confirming the environment has been fully sanitized.
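The remediation steps above, together with the preinstall mechanism described earlier, come down to a handful of checks a responder can script. The following triage helper is an added example, not code from the article, Red Hat, or the researchers: it lists install-time lifecycle hooks declared by installed packages (the mechanism the campaign abused), finds lockfile entries under the affected namespace, reports which of the named editor/AI config files exist for manual review, and looks for the named background processes by reading command lines from a /proc-style directory. The demo() function builds a constructed project tree in a temporary directory; the package name example-lib, the lockfile contents, the fake process entry, and the config file contents are all constructed assumptions.

```python
import json
import tempfile
from pathlib import Path

# Lifecycle scripts npm runs on its own during `npm install` unless --ignore-scripts is set
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
AFFECTED_NAMESPACE = "@redhat-cloud-services"                  # namespace named in the report
SUSPICIOUS_PROCESSES = ("kitty-monitor", "gh-token-monitor")   # process names from the remediation list


def install_hooks(package_json_text: str) -> dict:
    """Return the lifecycle scripts in a package.json that run automatically at install time."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def hooked_modules(node_modules: Path) -> dict:
    """Map each installed package (relative path under node_modules) to its install-time hooks."""
    found = {}
    for pj in node_modules.rglob("package.json"):
        try:
            hooks = install_hooks(pj.read_text())
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON: nothing to report
        if hooks:
            found[pj.parent.relative_to(node_modules).as_posix()] = hooks
    return found


def affected_packages(lockfile_text: str) -> list:
    """List lockfile entries under the affected namespace (handles lockfile v1 and v2/v3 layouts)."""
    lock = json.loads(lockfile_text)
    names = set()
    for key in lock.get("packages", {}):        # v2/v3 keys look like "node_modules/@scope/name"
        name = key.split("node_modules/")[-1]
        if name.startswith(AFFECTED_NAMESPACE + "/"):
            names.add(name)
    for name in lock.get("dependencies", {}):   # v1 keys are bare package names
        if name.startswith(AFFECTED_NAMESPACE + "/"):
            names.add(name)
    return sorted(names)


def config_files_to_review(project: Path, home: Path) -> list:
    """Return which of the editor/AI config files named in the article exist, for manual inspection."""
    candidates = (project / ".claude/settings.json", project / ".vscode/tasks.json", home / ".config/index.js")
    return [p.as_posix() for p in candidates if p.is_file()]


def suspicious_processes(proc_dir: Path = Path("/proc")) -> list:
    """Return (pid, cmdline) for running processes whose command line names a known implant process."""
    hits = []
    for entry in proc_dir.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            cmd = (entry / "cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited between listing and reading
        if any(name in cmd for name in SUSPICIOUS_PROCESSES):
            hits.append((int(entry.name), cmd))
    return sorted(hits)


def demo() -> dict:
    """Build a constructed project tree in a temp dir (package, lockfile, config file, fake /proc) and audit it."""
    root = Path(tempfile.mkdtemp())
    pkg = root / "node_modules" / AFFECTED_NAMESPACE / "example-lib"   # constructed package name
    pkg.mkdir(parents=True)
    (pkg / "package.json").write_text(json.dumps({
        "name": AFFECTED_NAMESPACE + "/example-lib", "version": "1.0.0",
        "scripts": {"preinstall": "node setup.js", "test": "jest"}}))
    (root / "package-lock.json").write_text(json.dumps({
        "lockfileVersion": 3,
        "packages": {"": {}, "node_modules/" + AFFECTED_NAMESPACE + "/example-lib": {"version": "1.0.0"},
                     "node_modules/left-pad": {"version": "1.3.0"}}}))
    (root / ".vscode").mkdir()
    (root / ".vscode/tasks.json").write_text('{"version": "2.0.0", "tasks": []}')
    fake_proc = root / "proc" / "4242"                                   # constructed process entry
    fake_proc.mkdir(parents=True)
    (fake_proc / "cmdline").write_bytes(b"node\0/tmp/gh-token-monitor.js\0")
    return {
        "hooks": hooked_modules(root / "node_modules"),
        "affected": affected_packages((root / "package-lock.json").read_text()),
        "review": config_files_to_review(root, home=root / "nohome"),
        "processes": suspicious_processes(root / "proc"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, "->", result)
```

On a real workstation, point hooked_modules at the project's node_modules, affected_packages at its package-lock.json, config_files_to_review at the project directory and the user's home, and leave suspicious_processes on the default /proc. The order in the article is the one to keep: terminate the listed processes and clean the config files first, then rotate credentials, because a still-running implant would simply collect the new tokens.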
IPSIP Vietnam: delivering leading cybersecurity solutions for enterprises
Rooted in over 15 years of rich experience spanning back to France, the IPSIP Vietnam ecosystem positions itself as a premier strategic partner. We offer a sharp, comprehensive understanding of risk management and autonomous malware interception tailored for the digital era.

IPSIP Vietnam’s management and monitoring systems have successfully cleared rigorous audits to achieve world-class information security certifications, including ISO 27001:2022 and SOC 2 Type II. By providing critical, round-the-clock (24/7) services, such as our Security Operations Center (SOC), Network Operations Center (NOC), and a dedicated IT Support/Helpdesk squad, IPSIP guarantees immediate response and mitigation against any intrusion attempt, day or night. Partnering with our elite technical experts allows businesses to completely eliminate compliance and legal risks, freeing up vital resources to focus on growth objectives.