
Red Hat npm Supply-Chain Attack: Detecting and Remediating Shai-Hulud Miasma Credential Theft

Security Arsenal Team
June 2, 2026

A critical supply-chain attack has compromised more than 30 npm packages within Red Hat's '@redhat-cloud-services' namespace, distributing a new variant of the Shai-Hulud credential-stealing malware, dubbed "Miasma." This attack specifically targets developer credentials, potentially providing attackers with access to source code repositories, CI/CD pipelines, and cloud infrastructure. Given the privileged access that developer credentials typically provide, this breach represents a serious risk of lateral movement and persistent compromise within development environments. Immediate action is required to identify affected installations, detect credential exfiltration attempts, and remediate compromised systems.

Technical Analysis

Affected Products and Scope

  • Affected Platform: npm packages (JavaScript/Node.js ecosystem)
  • Affected Namespace: @redhat-cloud-services
  • Number of Compromised Packages: 30+ packages
  • Threat Variant: Miasma (evolution of Shai-Hulud credential-stealing malware)
  • Primary Impact: Developer credential theft

Attack Chain

The attackers have successfully published compromised versions of legitimate packages within Red Hat's npm namespace. When developers install or update these packages, the malicious Miasma code executes within the build or runtime environment:

  1. Initial Compromise: Malicious packages published to npm registry under Red Hat's namespace
  2. Execution: Miasma code executes during npm install or application runtime
  3. Credential Harvesting: The malware locates and exfiltrates:
    • npm tokens and credentials
    • Git configuration and credentials
    • SSH keys
    • AWS/GCP/Azure credentials
    • Environment variables containing sensitive tokens
  4. Exfiltration: Stolen credentials are transmitted to attacker-controlled infrastructure

Exploitation Status

  • Active Exploitation: Confirmed in-the-wild exploitation
  • Availability: Packages have been removed from the registry, but cached versions may exist
  • Persistence: Compromised credentials may provide attackers with ongoing access until rotated

Detection & Response

SIGMA Rules

YAML
---
title: Suspicious npm Package Installation from Compromised Red Hat Namespace
id: 45f2c8a9-1d3e-4f7b-b5c6-9d8e7f6a5b4c
status: experimental
description: Detects installation of packages from the compromised @redhat-cloud-services namespace; restrict the search window to the attack timeframe when running the rule
references:
  - https://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/
author: Security Arsenal
date: 2025/04/16
tags:
  - attack.supply_chain
  - attack.t1195.002
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    # npm on Linux is a script executed by the node binary, so Image is often /usr/bin/node
    Image|endswith:
      - '/npm'
      - '/node'
    CommandLine|contains: '@redhat-cloud-services'
  condition: selection
falsepositives:
  - Legitimate installation of Red Hat cloud services packages by authorized developers
level: high
---
title: Miasma Malware - Suspicious Node Process with Network Activity
id: 7a3e5d9c-2b1f-4a6c-8d9e-1f2a3b4c5d6e
status: experimental
description: Detects Node.js processes attempting network connections to non-standard ports, potentially indicating Miasma malware exfiltration
references:
  - https://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/
author: Security Arsenal
date: 2025/04/16
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    Image|contains: '/node'
    DestinationPort:
      - 8080
      - 8443
      - 3000
      - 8888
  condition: selection
falsepositives:
  - Legitimate Node.js applications using non-standard ports
level: medium
---
title: Credential File Access by Node Process
id: 9c8d7e6a-5f4e-3b2c-1d0a-9e8f7a6b5c4d
status: experimental
description: Detects Node.js processes accessing credential files potentially related to Miasma malware
references:
  - https://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/
author: Security Arsenal
date: 2025/04/16
tags:
  - attack.credential_access
  - attack.t1552.001
logsource:
  category: file_access
  product: linux
detection:
  selection:
    Image|contains: '/node'
    TargetFilename|contains:
      - '/.npm/_auth'
      - '/.git-credentials'
      - '/.aws/credentials'
      - '/.azure/credentials'
      - '/.config/gcloud/credentials.db'
      - '/.ssh/'   # SSH keys are among the credentials harvested (see Attack Chain)
  condition: selection
falsepositives:
  - Legitimate build tools accessing these configuration files
level: high
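To see what each of these selections fires on before deploying it, here is a small evaluator (an added example, not part of the advisory) that implements the Sigma `contains` and `endswith` modifiers with the AND-between-keys, OR-within-list semantics, and runs the three selections over constructed Sysmon-for-Linux-style events. The rule titles, the event field names, the extra `/node` image and the `/.ssh/` path are my assumptions.

```python
# Selections modelled on the three rules above: keys in one selection are ANDed,
# a list of values for one key is ORed, and `|modifier` changes the comparison.
RULES = {
    "npm install from compromised namespace": {
        "Image|endswith": ["/npm", "/node"],  # npm runs under the node binary on Linux
        "CommandLine|contains": ["@redhat-cloud-services"]},
    "node network activity to non-standard port": {
        "Image|contains": ["/node"],
        "DestinationPort": [8080, 8443, 3000, 8888]},
    "credential file access by node": {
        "Image|contains": ["/node"],
        "TargetFilename|contains": ["/.npm/_auth", "/.git-credentials", "/.aws/credentials",
                                    "/.azure/credentials", "/.config/gcloud/credentials.db",
                                    "/.ssh/"]},  # SSH keys are listed in the attack chain
}

def field_matches(value, modifier, patterns):
    """Sigma string matching is case-insensitive; a key without modifier is an exact match."""
    if value is None:
        return False
    if modifier == "":
        return value in patterns
    text = str(value).lower()
    if modifier == "endswith":
        return any(text.endswith(p.lower()) for p in patterns)
    if modifier == "contains":
        return any(p.lower() in text for p in patterns)
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(selection, event):
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field), modifier, patterns):
            return False
    return True

def evaluate(events, rules=RULES):
    """Return [(event_index, rule_title)] for every rule that fires on an event."""
    return [(i, title) for i, ev in enumerate(events)
            for title, sel in rules.items() if selection_matches(sel, ev)]

# Constructed events, not real telemetry: one hit per rule plus two benign controls.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/node", "CommandLine": "node /usr/bin/npm install @redhat-cloud-services/example-pkg"},
    {"Image": "/usr/bin/node", "DestinationIp": "203.0.113.10", "DestinationPort": 8443},
    {"Image": "/usr/bin/node", "DestinationIp": "203.0.113.10", "DestinationPort": 443},  # HTTPS: no alert
    {"Image": "/usr/bin/node", "TargetFilename": "/home/dev/.ssh/id_ed25519"},
    {"Image": "/usr/bin/python3", "TargetFilename": "/home/dev/.aws/credentials"},  # not node: no alert
]
```

`evaluate(SAMPLE_EVENTS)` returns hits for events 0, 1 and 3 only; the benign controls show that a node process talking to 443 and a non-node process reading a credential file stay silent, which is where the false-positive notes in the rules come from.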

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Run each of the three queries below on its own: a KQL query ends in a single tabular expression.

// Detect installations of potentially compromised Red Hat npm packages
let Timeframe = 30d;
DeviceProcessEvents
| where Timestamp > ago(Timeframe)
// On Linux npm is executed by the node binary, so match either process name
| where FileName in~ ("npm", "node")
| where ProcessCommandLine has "@redhat-cloud-services"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// Detect suspicious Node.js network connections that may indicate data exfiltration
let Timeframe = 30d;
DeviceNetworkEvents
| where Timestamp > ago(Timeframe)
| where InitiatingProcessFileName has "node"
| where RemotePort in (8080, 8443, 3000, 8888, 5000)
| where ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc

// Search for credential file access by Node processes (SSH keys included, per the attack chain)
let Timeframe = 30d;
DeviceFileEvents
| where Timestamp > ago(Timeframe)
| where InitiatingProcessFileName has "node"
| where TargetFilePath has_any (".npm/_auth", ".git-credentials", ".aws/credentials", ".azure/credentials", ".config/gcloud/credentials", ".ssh/")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, TargetFilePath, ActionType
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Each query runs on its own; adjust the /home and /root roots to match your build hosts and CI workspaces.

-- List running Node.js processes (Miasma executes inside node during install or at runtime)
SELECT Pid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE Name =~ 'node'

-- Check for recently written packages from the compromised namespace (recursive search under home directories)
SELECT OSPath, Size, Mtime, Atime, Mode
FROM glob(globs=['/home/*/**/node_modules/@redhat-cloud-services/*',
                 '/root/**/node_modules/@redhat-cloud-services/*'])
WHERE Mtime > timestamp(epoch=now() - 30 * 86400)

-- Identify network connections from Node processes to the ports used in the Sigma and KQL rules
LET node_procs = SELECT Pid AS NodePid FROM pslist() WHERE Name =~ 'node'
SELECT * FROM foreach(row=node_procs, query={
  SELECT Pid, FamilyString, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status
  FROM netstat()
  WHERE Pid = NodePid AND Raddr.Port IN (8080, 8443, 3000, 8888, 5000)
})

-- Scan for npm credential files touched in the last week
SELECT OSPath, Size, Mtime, Atime, Mode
FROM glob(globs=['/home/*/.npm/_auth*', '/home/*/.npmrc', '/root/.npm/_auth*', '/root/.npmrc'])
WHERE Mtime > timestamp(epoch=now() - 7 * 86400)

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Remediation script for Red Hat npm packages compromise
# This script helps identify and remediate compromised packages.
# Run it from the top of the directory tree that contains your projects.

# Set strict error handling
set -euo pipefail

# Create a log file
LOGFILE="npm_compromise_remediation_$(date +%Y%m%d_%H%M%S).log"
exec > >(tee -a "$LOGFILE") 2>&1

echo "[$(date)] Starting npm compromise remediation"

# Define the compromised namespace and temporary work files
COMPROMISED_NAMESPACE="@redhat-cloud-services"
AFFECTED_MANIFESTS=$(mktemp)
COMPROMISED_MODULES=$(mktemp)
trap 'rm -f "$AFFECTED_MANIFESTS" "$COMPROMISED_MODULES"' EXIT

# Step 1: Identify package.json files that declare a direct dependency on the namespace
# (node_modules is skipped so that the packages' own manifests are not mistaken for projects)
echo "[$(date)] Step 1: Identifying package.json files referencing $COMPROMISED_NAMESPACE"
find . -name "package.json" -type f -not -path "*/node_modules/*" \
    -exec grep -l "$COMPROMISED_NAMESPACE" {} \; > "$AFFECTED_MANIFESTS" || true

if [ -s "$AFFECTED_MANIFESTS" ]; then
    echo "[$(date)] Found $(wc -l < "$AFFECTED_MANIFESTS") package.json files referencing $COMPROMISED_NAMESPACE"
    cat "$AFFECTED_MANIFESTS"
else
    echo "[$(date)] No packages from $COMPROMISED_NAMESPACE found in package.json files"
fi

# Step 2: List globally installed packages from the compromised namespace
echo "[$(date)] Step 2: Listing globally installed packages from $COMPROMISED_NAMESPACE"
npm list -g --all 2>/dev/null | grep "$COMPROMISED_NAMESPACE" \
    || echo "[$(date)] No global packages found or npm not installed"

# Step 3: Scan every node_modules tree (nested ones included) for packages from the namespace
# -prune stops find from descending into each matched package directory
echo "[$(date)] Step 3: Scanning node_modules for $COMPROMISED_NAMESPACE packages"
find . -type d -path "*/node_modules/$COMPROMISED_NAMESPACE/*" -prune -print 2>/dev/null \
    > "$COMPROMISED_MODULES"

if [ -s "$COMPROMISED_MODULES" ]; then
    echo "[$(date)] Found packages from $COMPROMISED_NAMESPACE:"
    cat "$COMPROMISED_MODULES"

    echo "[$(date)] Removing compromised packages..."
    while IFS= read -r dir; do
        package=$(basename "$dir")
        # The project root is everything before the first /node_modules/ component
        project_dir=${dir%%/node_modules/*}
        echo "[$(date)] Removing $COMPROMISED_NAMESPACE/$package from $project_dir"
        # Subshell so the cd does not affect later iterations, which use relative paths
        ( cd "$project_dir" && npm uninstall "$COMPROMISED_NAMESPACE/$package" < /dev/null ) \
            || echo "[$(date)] Failed to uninstall $package from $project_dir (transitive dependency? fix the parent package)"
    done < "$COMPROMISED_MODULES"
else
    echo "[$(date)] No compromised packages found in node_modules"
fi

# Step 4: Rotate npm tokens and credentials ("~" does not expand inside quotes, so use $HOME)
echo "[$(date)] Step 4: Checking for npm tokens and credentials"
NPM_CONFIG="$HOME/.npmrc"
NPM_TOKEN_FILE="$HOME/.npm/_authToken"

if [ -f "$NPM_CONFIG" ] && grep -q "_auth" "$NPM_CONFIG"; then
    echo "[$(date)] WARNING: npm credentials found in $NPM_CONFIG. Review and rotate if necessary."
    # Log which keys are present without writing the secret values into the log file
    grep "_auth" "$NPM_CONFIG" | sed -E 's/=.*/=REDACTED/'
fi

if [ -f "$NPM_TOKEN_FILE" ]; then
    echo "[$(date)] WARNING: npm token file found at $NPM_TOKEN_FILE. Rotate your npm token immediately."
fi

# Step 5: Check for common credential files that may have been accessed
echo "[$(date)] Step 5: Checking for recently modified credential files"
CREDS=("$HOME/.git-credentials" "$HOME/.aws/credentials" "$HOME/.azure/credentials" "$HOME/.config/gcloud/credentials.db")
for cred in "${CREDS[@]}"; do
    if [ -f "$cred" ]; then
        # GNU stat first, BSD/macOS stat as the fallback
        modified=$(stat -c %y "$cred" 2>/dev/null || stat -f "%Sm" -t "%Y-%m-%d %H:%M:%S" "$cred" 2>/dev/null || echo "unknown")
        echo "[$(date)] Found credential file: $cred (Last modified: $modified)"
        echo "[$(date)] Recommend reviewing and rotating credentials if accessed during the compromise window."
    fi
done

# Step 6: Reinstall clean packages in each affected project
echo "[$(date)] Step 6: Reinstalling clean packages"
if [ -s "$AFFECTED_MANIFESTS" ]; then
    while IFS= read -r manifest; do
        project_dir=$(dirname "$manifest")
        echo "[$(date)] Reinstalling packages for $project_dir"
        ( cd "$project_dir" && rm -rf node_modules package-lock.json && npm install < /dev/null ) \
            || echo "[$(date)] npm install failed in $project_dir; review manually"
    done < "$AFFECTED_MANIFESTS"
fi

# Step 7: Final summary
echo "[$(date)] Remediation complete."
echo "[$(date)] IMPORTANT NEXT STEPS:"
echo "[$(date)] 1. Rotate all npm tokens and credentials used in the past 30 days"
echo "[$(date)] 2. Rotate git credentials and SSH keys"
echo "[$(date)] 3. Rotate cloud credentials (AWS, GCP, Azure) if used in development"
echo "[$(date)] 4. Review all code changes committed during the compromise period"
echo "[$(date)] 5. Check CI/CD logs for unauthorized access or deployments"
echo "[$(date)] Log file saved to: $LOGFILE"
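Grepping package.json only finds direct dependencies; a package from the namespace pulled in transitively by another library is recorded only in the lockfile. The following scanner (an added example, not part of the advisory or of any Red Hat tooling) walks a package-lock.json in either the flat lockfileVersion 2/3 layout or the nested lockfileVersion 1 layout, lists every @redhat-cloud-services package with its version and resolved URL, and flags tarballs that did not come from registry.npmjs.org. The sample lockfile, its package names, versions and hosts are constructed placeholders.

```python
import json

NAMESPACE = "@redhat-cloud-services"
OFFICIAL_REGISTRY = "https://registry.npmjs.org/"

def iter_lock_packages(lock):
    """Yield (name, version, resolved) for every package recorded in a package-lock.json.
    lockfileVersion 2 and 3 keep a flat 'packages' map keyed by node_modules path;
    lockfileVersion 1 nests entries under 'dependencies'."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # the empty key is the root project itself
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", "?"), meta.get("resolved", "")
        return
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, meta = stack.pop()
        yield name, meta.get("version", "?"), meta.get("resolved", "")
        stack.extend(meta.get("dependencies", {}).items())

def find_namespace_packages(lock, namespace=NAMESPACE):
    """Return every package under `namespace`, direct or transitive, flagging any whose
    tarball was not resolved from the official registry."""
    hits = []
    for name, version, resolved in iter_lock_packages(lock):
        if name.startswith(namespace + "/"):
            hits.append({"name": name, "version": version, "resolved": resolved,
                         "official_registry": resolved.startswith(OFFICIAL_REGISTRY)})
    return sorted(hits, key=lambda h: (h["name"], h["version"]))

def scan_lockfile(path):
    """Convenience wrapper for a real lockfile on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_namespace_packages(json.load(fh))

# Constructed lockfileVersion 3 sample: names, versions and hosts are placeholders, not real releases.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@redhat-cloud-services/example-direct": {
            "version": "9.9.9", "resolved": OFFICIAL_REGISTRY + "@redhat-cloud-services/example-direct/-/example-direct-9.9.9.tgz"},
        "node_modules/some-ui-lib": {"version": "2.0.0", "resolved": OFFICIAL_REGISTRY + "some-ui-lib/-/some-ui-lib-2.0.0.tgz"},
        "node_modules/some-ui-lib/node_modules/@redhat-cloud-services/example-nested": {
            "version": "0.0.1", "resolved": "https://mirror.example.invalid/example-nested-0.0.1.tgz"},
    },
}
```

On the sample, `find_namespace_packages(SAMPLE_LOCK)` reports both the direct package and the nested one that package.json never mentions, and marks the nested one as not resolved from the official registry; compare the versions it lists against Red Hat's advisory.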

Remediation

Immediate Actions

  1. Identify Affected Systems: Run the provided remediation script on all development systems and CI/CD pipelines to identify installations of compromised packages.

  2. Remove Compromised Packages: Delete all @redhat-cloud-services packages installed during the compromise window, then rebuild the dependency tree from scratch:

Bash / Shell
   npm uninstall @redhat-cloud-services/<package-name>
   rm -rf node_modules package-lock.json
   npm install

  3. Rotate Credentials Immediately: Rotate all potentially compromised credentials:

    • npm tokens
    • Git credentials
    • SSH keys used for code access
    • Cloud provider credentials (AWS, GCP, Azure)
    • CI/CD pipeline secrets

  4. Review Official Advisory: Monitor Red Hat's official advisory for the latest information on specific package versions and mitigations: https://access.redhat.com/security/

Verification and Validation

  1. Clean Installation: After removing compromised packages, verify that no copy of the namespace remains anywhere in the dependency tree (transitive copies included):

Bash / Shell
   npm ls --all 2>/dev/null | grep @redhat-cloud-services

Ensure only officially released versions are installed.

  2. Audit Package Integrity: Use tools like npm audit to check for vulnerabilities:

Bash / Shell
   npm audit
   npm audit fix

  3. Review CI/CD Pipelines: Inspect CI/CD logs for any suspicious activity during the compromise window:
    • Unauthorized builds
    • Modified build scripts
    • Exfiltration attempts

Long-Term Defenses

  1. Implement Software Composition Analysis (SCA): Integrate SCA tools into your CI/CD pipeline to detect compromised dependencies automatically.

  2. Pin Package Versions: Use package-lock.json or similar mechanisms to ensure exact versions are installed across environments.

  3. Supply Chain Security: Implement provenance verification (e.g., npm package signatures) and adopt practices outlined in the Supply-chain Levels for Software Artifacts (SLSA) framework.

  4. Developer Credential Hygiene: Implement least privilege access for development credentials and rotate them regularly. Use credential stores rather than plaintext files.

  5. Network Monitoring: Implement monitoring for suspicious outbound connections from development systems, particularly to non-standard ports.

  6. Dependency Updates: Establish a process for regular, controlled dependency updates with proper security review before integration.

This compromise highlights the critical importance of supply chain security in modern development environments. By implementing these detection mechanisms and remediation steps, organizations can reduce their risk exposure and recover more quickly from this and similar attacks.
