
SlowMist: Red Hat Cloud Services Package Targeted by npm Supply Chain Attack, Affecting Over 300 GitHub Repositories

On June 2, SlowMist monitoring identified an active npm supply chain attack targeting Red Hat cloud service packages. The report indicates that over 31 packages are affected, with approximately 116,000 weekly downloads, and that more than 300 GitHub repositories contain stolen credentials. The attack techniques are highly similar to those of the earlier Shai-Hulud npm attack campaign, including credential harvesting, malicious repository creation, and automated leaking of keys. Searching GitHub for "Miasma: The Spreading Blight" and sorting by recent updates still reveals newly created suspicious repositories, suggesting that users are still being compromised.

Potential attacker behaviors include theft of GitHub and npm tokens; theft of AWS, GCP, and Azure credentials; collection of SSH keys and Kubernetes secrets; exfiltration of local environment and wallet data; creation of malicious GitHub repositories; establishing persistence; and destructive actions when tokens are revoked.

SlowMist recommends immediately removing or downgrading affected versions, auditing CI/CD pipelines and dependency installations, rotating relevant keys and credentials, retaining logs, and rebuilding exposed development machines or runtime environments from clean images.