Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm

https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html

Publish Date: 2026-06-01 13:40:00

Source Domain: thehackernews.com

A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma, has compromised packages in the @redhat-cloud-services npm scope to steal credentials and secrets from developer machines and CI/CD runners and to deliver a self-propagating worm.

“This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential downstream propagation,” Socket said.

Who is behind the activity is not yet known. TeamPCP, a well-known cybercrime group, has open-sourced the tooling linked to the Shai-Hulud worm, so other threat actors can mount similar attacks, which makes definitive attribution harder.

Some of the affected packages are listed below:

  • @redhat-cloud-services/vulnerabilities-client
  • @redhat-cloud-services/tsc-transform-imports
  • @redhat-cloud-services/topological-inventory-client
  • @redhat-cloud-services/sources-client
  • @redhat-cloud-services/rule-components
  • @redhat-cloud-services/remediations-client
  • @redhat-cloud-services/rbac-client

Per analyses from Aikido Security, JFrog, Microsoft, OX Security, SafeDep, StepSecurity, and Wiz, the npm packages contain an obfuscated preinstall hook that is designed to collect GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, Git credentials, and other sensitive files. Because npm executes preinstall automatically during installation, running npm install or npm ci in a project that resolves to a compromised version is enough to trigger the payload; no code from the package needs to be imported.
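The practical first check after a report like this is to find out which packages in a checkout can run code at install time. The script below is an added example written for this article; it is not code from The Hacker News, Socket, Red Hat, or any of the vendors cited. It walks a node_modules tree, flags every package that declares an npm install-time hook, scans the hook command (and a script file the hook invokes) for obfuscation markers, and escalates any package whose name appears in the list above. The obfuscation regexes and the sample manifests are this example's own constructions (the version string 0.0.0-constructed is a placeholder), not indicators or package contents published for Miasma.

```python
#!/usr/bin/env python3
"""Audit an npm install tree for install-time lifecycle scripts.

Added example for this article, not code from the article's authors or
from the vendors it cites. Miasma runs from an obfuscated preinstall hook,
so the check is generic: list every package under node_modules with an
install-time hook, look for obfuscation markers in the hook, and flag
loudly when the package name is one the article lists. The regexes
below are this example's own heuristics, not published Miasma IoCs.
"""
import json
import re
from pathlib import Path
from typing import Dict, List, Optional

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Package names quoted in the article (the article says the list is partial).
REPORTED_PACKAGES = {
    "@redhat-cloud-services/vulnerabilities-client",
    "@redhat-cloud-services/tsc-transform-imports",
    "@redhat-cloud-services/topological-inventory-client",
    "@redhat-cloud-services/sources-client",
    "@redhat-cloud-services/rule-components",
    "@redhat-cloud-services/remediations-client",
    "@redhat-cloud-services/rbac-client",
}

# Heuristic markers of obfuscated JavaScript (assumptions, not Miasma IoCs).
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "new Function": re.compile(r"\bFunction\s*\(\s*['\"]"),
    "base64 decode": re.compile(r"from\s*\(\s*['\"][A-Za-z0-9+/=]{16,}['\"]\s*,\s*['\"]base64['\"]"),
    "hex-escaped string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),
    "obfuscator-style identifiers": re.compile(r"_0x[0-9a-f]{4,}"),
}


def audit_manifest(manifest: dict, hook_bodies: Optional[Dict[str, str]] = None) -> Optional[dict]:
    """Audit one parsed package.json. Returns a finding, or None if nothing to report.

    hook_bodies optionally maps a hook name to the contents of the script file
    that hook runs, so obfuscation hidden in a separate file is inspected too.
    """
    name = manifest.get("name", "<unnamed>")
    scripts = manifest.get("scripts") or {}
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    reported = name in REPORTED_PACKAGES
    if not hooks and not reported:
        return None
    hits = []
    for hook, command in hooks.items():
        text = command + "\n" + (hook_bodies or {}).get(hook, "")
        for label, pattern in OBFUSCATION_PATTERNS.items():
            if pattern.search(text):
                hits.append((hook, label))
    return {"name": name, "version": manifest.get("version", "?"),
            "hooks": hooks, "reported": reported, "obfuscation_hits": hits}


def audit_tree(node_modules: Path) -> List[dict]:
    """Walk node_modules (nested trees included) and audit every package.json."""
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        bodies = {}
        for hook in LIFECYCLE_HOOKS:
            # "node ./scripts/setup.js": read that file so its contents are scanned too
            m = re.match(r"^\s*node\s+([^\s-]\S*)", (manifest.get("scripts") or {}).get(hook, ""))
            if m and (pkg_json.parent / m.group(1)).is_file():
                bodies[hook] = (pkg_json.parent / m.group(1)).read_text(errors="replace")[:200_000]
        finding = audit_manifest(manifest, bodies)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample manifests (not real package contents) to exercise the checks.
SAMPLE_MANIFESTS = [
    {"name": "plain-lib", "version": "1.0.0", "scripts": {"test": "jest"}},
    {"name": "@redhat-cloud-services/rbac-client", "version": "0.0.0-constructed",
     "scripts": {"preinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\""}},
    {"name": "native-addon", "version": "2.0.0", "scripts": {"install": "node-gyp rebuild"}},
]


def triage(findings: List[dict]) -> List[str]:
    """Rank findings: reported names first, then obfuscation hits, then plain hooks."""
    ordered = sorted(findings, key=lambda f: (not f["reported"], not f["obfuscation_hits"], f["name"]))
    lines = []
    for f in ordered:
        sev = "CRITICAL" if f["reported"] else ("HIGH" if f["obfuscation_hits"] else "INFO")
        lines.append(f"{sev} {f['name']}@{f['version']} hooks={sorted(f['hooks'])} hits={f['obfuscation_hits']}")
    return lines


if __name__ == "__main__":
    tree = Path("node_modules")
    results = audit_tree(tree) if tree.is_dir() else [f for f in map(audit_manifest, SAMPLE_MANIFESTS) if f]
    print("\n".join(triage(results)) or "no install-time hooks found")
```

Run it from a project root after a fresh install to get a triage list; INFO lines are expected for native addons that legitimately run node-gyp in an install hook, so the output is a list of things to inspect, not a verdict. The preventive control that removes this whole class of install-time execution is npm ci --ignore-scripts (or ignore-scripts=true in .npmrc), with any build steps a dependency genuinely needs run explicitly afterwards.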

As observed in prior Mini Shai-Hulud waves, the malware also contains encrypted exfiltration logic that transmits the data to “api.anthropic[.]com:443/v1/api” and uses GitHub as a fallback channel. This indicates the attacker intends both to steal credentials and to weaponize them to poison the software supply chain further.

“It commits the encrypted result envelope through the GitHub API,” Socket said. “The commit message can include: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:.”

Another noteworthy step carried out by the malware is to…
