Wiz — Miasma Supply Chain Attack on Red Hat npm Packages

AI relevance: One of the compromised repositories was RedHatInsights/platform-frontend-ai-toolkit, and the packages average ~80,000 weekly downloads — any AI platform or tooling consuming these packages inherits the credential-stealing payload at install time.

What happened

  • Wiz Research identified a supply-chain compromise on June 1, 2026 affecting 32 package releases under the @redhat-cloud-services npm scope.
  • The attack vector: a compromised Red Hat employee GitHub account pushed malicious orphan commits to two RedHatInsights repositories, bypassing code review entirely.
  • Malicious commits added GitHub Actions workflows that request OIDC tokens (id-token: write) and publish packages with valid SLSA provenance attestations — making them appear trustworthy.
  • The payload is derived from the open-sourced "Mini Shai-Hulud" malware (TeamPCP), with cosmetic changes replacing Dune references with Greek mythology themes ("spartan").
  • New in this variant: collectors for GCP and Azure identities, plus per-infection uniquely encrypted payloads that defeat hash-based detection.
  • Two waves of activity occurred: first at ~10:53 UTC and second at ~13:44 UTC on June 1.
  • Affected packages include @redhat-cloud-services/hcc-pf-mcp (an MCP server package), platform-frontend-ai-toolkit, and 30+ others.
  • Most malicious versions were revoked by 13:00 UTC on June 1, but some remained outstanding for hours.

Why it matters

  • The inclusion of MCP server packages in the compromised scope means AI agent tooling is directly in the blast radius.
  • Valid SLSA provenance on malicious packages undermines trust in software supply-chain attestation systems.
  • The shift from credential theft to cloud identity harvesting (GCP + Azure) signals attackers targeting the cloud environment that hosts AI infrastructure.
  • Per-infection unique payloads represent an evolution in supply-chain malware designed specifically to evade IOC-based detection.
  • AI ops teams consuming Red Hat packages for platform tooling should assume their CI/CD pipelines may be compromised.

What to do

  • Check dependency trees for any @redhat-cloud-services packages at the compromised versions listed in Wiz's advisory.
  • Assume exposure of GitHub tokens, SSH keys, cloud credentials, and CI/CD secrets — rotate all of them.
  • Audit GitHub activity for unauthorized repositories, newly created access tokens, or suspicious workflow executions on RedHatInsights repos.
  • Implement dependency allowlisting and SBOM generation to detect unexpected package versions.
  • Review VSCode extensions and developer workstations for signs of compromise.
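As an added example (not part of Wiz's advisory or Red Hat's tooling), the following script walks an npm lockfile and separates @redhat-cloud-services packages into those matching a known-compromised version and those merely in the affected scope. The COMPROMISED map is a placeholder that must be filled from the versions Wiz lists; the sample lockfile and its versions are constructed.

```python
import json
from pathlib import Path

SCOPE = "@redhat-cloud-services/"
# Placeholder: fill this name -> {versions} map from the versions listed in
# Wiz's advisory. The entry below is constructed, not a real compromised version.
COMPROMISED = {"@redhat-cloud-services/hcc-pf-mcp": {"0.0.0-placeholder"}}


def iter_lock_entries(lock):
    """Yield (name, version) from lockfileVersion 2/3 'packages' and v1 'dependencies'."""
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project entry, not a dependency
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield name, meta.get("version")

    def walk(deps):  # v1 lockfiles nest transitive deps under "dependencies"
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def scan_lock(lock):
    """Split scoped packages into known-compromised vs. in-scope-but-unlisted."""
    hits, seen = {"compromised": [], "in_scope": []}, set()
    for name, version in iter_lock_entries(lock):
        if not name.startswith(SCOPE) or (name, version) in seen:
            continue
        seen.add((name, version))
        bucket = "compromised" if version in COMPROMISED.get(name, set()) else "in_scope"
        hits[bucket].append((name, version))
    return hits


def scan_file(path):
    return scan_lock(json.loads(Path(path).read_text()))


# Constructed v3-style lockfile so the script runs stand-alone; names and versions are made up.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@redhat-cloud-services/hcc-pf-mcp": {"version": "0.0.0-placeholder"},
    "node_modules/@redhat-cloud-services/example-lib": {"version": "4.2.1"},
    "node_modules/left-pad": {"version": "1.3.0"},
}}

if __name__ == "__main__":
    for bucket, pkgs in scan_lock(SAMPLE_LOCK).items():
        for name, version in pkgs:
            print(f"{bucket}: {name}@{version}")
```

Point scan_file at a project's package-lock.json; every entry reported under "in_scope" still needs to be compared against the advisory by hand until the placeholder map is populated.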

Sources