Preinstall to persistence: Inside the npm Miasma credential-stealing campaign

Published 04/06/2026 11:19 · Modified 04/06/2026 09:39

Essential information

Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
github actions oidc workflow abuse slsa provenance forgery supply chain attack
Related entities
6 indicators, 6 observables, 20 techniques (mitre)

Description

Microsoft Threat Intelligence discovered a large-scale npm compromise involving 32 malicious packages across more than 90 versions under the @redhat-cloud-services scope. The compromise originated in the RedHatInsights/javascript-clients CI/CD pipeline, which let the attackers publish trojanized packages through legitimate OIDC workflows carrying authentic provenance signatures. The malicious packages executed a heavily obfuscated 4.29 MB dropper from an npm preinstall hook; the dropper downloaded the Bun JavaScript runtime and launched payloads designed to harvest credentials for GitHub, npm, AWS, Azure, GCP, HashiCorp Vault, Kubernetes, and developer systems. The malware scraped runner memory for secrets, escalated privileges via passwordless sudo, exfiltrated the stolen data through GitHub infrastructure, and propagated by compromising additional maintainers' packages with forged SLSA provenance. The campaign marker "Miasma: The Spreading Blight" was embedded throughout the malicious

External references