At the end of May, cybercriminals distributed malicious versions of npm packages in a supply chain attack carried out with a Mini Shai Hulud clone. The malware, which calls itself Miasma, targeted packages of Red Hat's Managed Cloud Services. No malicious package versions are currently in circulation, but security experts still recommend rotating credentials.
Miasma is a variant of the Shai Hulud worm. According to Socket security researchers, it introduced 96 malicious versions of 32 npm packages in the @redhat-cloud-services namespace. There were three attack waves in total, each traceable to compromised accounts of project maintainers.
According to Red Hat, all three waves have now been stopped. The provider emphasized that the affected packages were intended exclusively for internal development. No impact on customer environments or production systems has been detected so far.
Affected packages include @redhat-cloud-services/vulnerabilities-client, @redhat-cloud-services/tsc-transform-imports, @redhat-cloud-services/topological-inventory-client, @redhat-cloud-services/sources-client, and @redhat-cloud-services/rule-components. According to OX Security, the affected packages together account for more than 100,000 downloads per week.
Miasma follows the classic Mini Shai Hulud scheme: the malware uses stolen credentials to place manipulated npm packages into the CI/CD supply chain. Once installed, these exfiltrate a variety of sensitive information, including access credentials for Amazon Web Services (AWS) as well as SSH keys, crypto wallets, and npm and GitHub tokens. The stolen data is sent encrypted to a new GitHub repository created by the malware. GitHub accounts compromised by Miasma can be recognized by the line "Miasma : The Spreading Blight" in the README.md of that repository.
The Miasma attack follows the infection pattern of other supply chain attacks that operate under the self-chosen name Mini Shai Hulud and have, since the end of April, targeted npm packages from SAP and TanStack, among others. It may also be linked to the cyber gang TeamPCP, which published the source code of the npm worm Shai Hulud on GitHub in mid-May and at the same time called for a competition for the largest supply chain attack. Shortly afterwards, the first clones appeared, one of which recently targeted AntV.