The Broadside · News · supply-chain, vendor · 1 min read

Miasma compromises 32 @redhat-cloud-services npm packages

Signed provenance did its narrow job here: attackers got upstream enough to make the lie look official.


TL;DR

Microsoft says 32 maliciously modified packages across more than 90 versions under @redhat-cloud-services were published through the RedHatInsights/javascript-clients Continuous Integration and Continuous Delivery (CI/CD) pipeline via the legitimate GitHub Actions OpenID Connect (OIDC) workflow. Organizations that installed them need dependency review, runner inspection, and secret rotation. The failure mode is ugly: the packages carried authentic provenance while the payload stole credentials needed to mint the next trusted release.

Microsoft Threat Intelligence says 32 maliciously modified packages across more than 90 versions under @redhat-cloud-services were published after attackers compromised the RedHatInsights/javascript-clients Continuous Integration and Continuous Delivery (CI/CD) pipeline. The important detail is the path: the packages went out through the legitimate GitHub Actions OpenID Connect (OIDC) publishing workflow, so they carried authentic provenance signatures while embedding the campaign marker “Miasma: The Spreading Blight.” A provenance signature can confirm the release lane and still miss that the lane is compromised.

Installation triggered an npm preinstall hook that ran a 4.29 MB obfuscated dropper, downloaded the Bun JavaScript runtime, and launched a second-stage payload. Microsoft says the payload targeted GitHub, npm, Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), HashiCorp Vault, Kubernetes, Secure Shell (SSH) keys, command-line credentials, and browser and wallet data. In CI/CD environments, it scraped GitHub Actions runner memory, attempted passwordless sudo, and republished poisoned packages with forged Supply-chain Levels for Software Artifacts (SLSA) provenance.

The incident-response boundary is wider than the package name. Teams that installed the affected packages, or ran builds that could resolve them, need to inspect runners and developer hosts, review lockfiles, and rotate credentials reachable from those environments. The packages have been removed and npm added protections around the @redhat-cloud-services namespace, according to Microsoft. The registry fix matters, and exposed secrets still have to be revoked.
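As an added example (not code from the article, Microsoft, or Red Hat), the Node script below does the lockfile review the paragraph above calls for: it walks the `packages` map of an npm v2/v3 `package-lock.json`, flags anything under the named scope, anything npm recorded with `hasInstallScript` (the preinstall/install/postinstall hooks the dropper rode in on), and anything lacking an `integrity` hash. The sample lockfile, package names and versions are constructed placeholders, not the affected releases.

```javascript
// Added example: lockfile review helper (not from the article, Microsoft or Red Hat).
// Walks the "packages" map of an npm v2/v3 package-lock.json and reports entries
// worth a second look: watched-scope packages, packages npm marked hasInstallScript
// (install-time lifecycle hooks), and packages with no integrity hash pinned.

const WATCHED_SCOPE = '@redhat-cloud-services'; // scope named in the advisory
const RANK = { high: 0, medium: 1, low: 2 };

// Recover the package name from a lockfile path, including nested installs
// such as node_modules/a/node_modules/@scope/b.
function packageName(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function scanLockfile(lock, scope = WATCHED_SCOPE) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // "" is the root project entry, not a dependency
    const name = packageName(lockPath);
    const inScope = name === scope || name.startsWith(scope + '/');
    const hasInstallScript = meta.hasInstallScript === true;
    const missingIntegrity = typeof meta.integrity !== 'string';
    if (!inScope && !hasInstallScript && !missingIntegrity) continue;
    // A watched-scope package that also runs code at install time is the case
    // described in the advisory, so it ranks highest.
    const priority = inScope && hasInstallScript ? 'high'
      : (inScope || hasInstallScript) ? 'medium' : 'low';
    findings.push({ name, version: meta.version, inScope, hasInstallScript, missingIntegrity, priority });
  }
  return findings.sort((a, b) => RANK[a.priority] - RANK[b.priority]);
}

// Constructed sample lockfile; names and versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/example-client': {
      version: '0.0.0-constructed', integrity: 'sha512-CONSTRUCTED', hasInstallScript: true,
    },
    'node_modules/harmless-lib': { version: '2.1.0', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/native-addon': { version: '3.0.0', integrity: 'sha512-CONSTRUCTED', hasInstallScript: true },
    'node_modules/harmless-lib/node_modules/unpinned-dep': { version: '0.9.0' },
  },
};

for (const f of scanLockfile(sampleLock)) {
  console.log(`${f.priority.padEnd(6)} ${f.name}@${f.version} installScript=${f.hasInstallScript} integrity=${!f.missingIntegrity}`);
}
```

Run it against a real lockfile with `scanLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; medium-priority hits will include legitimate native addons, so the output is a triage list, not a verdict.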


Published · Updated · Deep Fathom