
Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm

The Hacker News, 01/06/2026, 17:40

Summary

AI-Generated

Key Points:

  • A supply chain attack, codenamed Miasma, has compromised Red Hat npm packages, deploying a credential-stealing worm that targets developer environments.
  • The attack impacts systems using affected npm packages, allowing attackers to harvest sensitive credentials and propagate the malware through CI/CD pipelines.
  • Recommended actions include isolating affected hosts, removing malicious versions of the packages, rotating exposed credentials, auditing for suspicious activity, and enforcing strong access controls.

Technical Details: The Miasma attack utilizes an obfuscated preinstall hook in npm packages to collect sensitive information such as GitHub Actions secrets and cloud credentials. The malware employs encrypted exfiltration methods to transmit stolen data to attacker-controlled endpoints.

MITRE ATT&CK Techniques:

  • T1078 - Valid Accounts (Defense Evasion)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1041 - Exfiltration Over Command and Control Channel (Exfiltration)
  • T1203 - Exploit Public-Facing Application (Initial Access)

IOCs Mentioned:

  • api.anthropic.com
  • "Miasma: The Spreading Blight" (commit message)
