Palo Alto Unit 42 — Red Hat npm Supply Chain Attack and Miasma Malware

AI relevance: AI coding agents and CI/CD pipelines that install npm dependencies automatically are at heightened risk from the Miasma supply-chain malware, which harvests cloud credentials, Kubernetes tokens, and model API keys from infected developer environments — making this both a traditional supply-chain attack and an AI infrastructure threat.

• June 1, 2026: At least 32 packages under the @redhat-cloud-services npm namespace were compromised, with malicious versions averaging ~80,000 weekly downloads combined.
• The attacker gained access via a compromised Red Hat employee GitHub account and pushed malicious orphan commits directly to multiple RedHatInsights repositories, bypassing code review entirely.
• GitHub Actions workflows were triggered to request OIDC tokens, publishing trojanized packages with valid SLSA provenance — the certificate was accurate and the packages genuinely came from the legitimate pipeline, just with malware injected.
• The payload, named Miasma ("The Spreading Blight"), replaces a normal ~200 KB index.js with a 4.29 MB obfuscated blob — a 25× size increase that serves as a reliable detection signal.
• Miasma is derived from the Mini Shai-Hulud malware open-sourced by TeamPCP on May 12, 2026. TTPs are consistent with TeamPCP, though the public source release means any actor can replicate the attack.
• Stolen credential targets include: GitHub tokens, npm tokens, SSH keys, AWS/GCP/Azure credentials, Kubernetes service-account tokens, HashiCorp Vault secrets, and CI/CD secrets from GitHub Actions and CircleCI.
• This follows a pattern from the same campaign: in May, TeamPCP also compromised Checkmarx infrastructure, delivering a VS Code extension variant (mcpAddon.js) from an orphan commit — targeting security tooling vendors specifically.

Why it matters

AI agents and coding assistants increasingly install npm packages as part of development workflows. A trojanized dependency with valid SLSA provenance bypasses the trust assumptions that both humans and automated supply-chain scanners rely on. When AI coding agents encounter these packages during normal development, they install them without suspicion — turning the agent into an unwitting vector for credential theft and CI/CD compromise.

What to do

• Check for any @redhat-cloud-services package versions installed between June 1 and the fix date; remove and replace with clean versions.
• Rotate all npm tokens, GitHub PATs, cloud provider credentials, Kubernetes tokens, and Vault secrets that may have been exposed through npm install on affected systems.
• Monitor for the 25× file size anomaly: a sudden jump from ~200 KB to multi-megabyte index.js files in npm dependencies is a high-confidence detection signal for Miasma.
• Enforce package-lock integrity checks and consider pinning dependencies to verified hashes in CI/CD pipelines.
• AI coding agents should be configured to audit package sizes and provenance before installation, not just trust the registry.

Sources

• Palo Alto Networks Unit 42 — The npm Threat Landscape (Updated June 2)
• SecurityWeek — Supply Chain Attack Hits 32 Red Hat NPM Packages
• KuppingerCole — Your AI Agent Has a Supply Chain Problem