NPM Supply Chain Attack Targets Red Hat Packages and Crypto Wallets

Pieter van Meer

Security firm SlowMist has issued a critical alert regarding an active npm supply chain attack targeting cloud service packages associated with Red Hat. The breach has already impacted over 300 GitHub repositories, with malicious packages accumulating approximately 116,000 weekly downloads. This sophisticated campaign aims to harvest sensitive credentials, posing a significant risk to developers and organizations operating within the blockchain and cloud infrastructure sectors.

Technical Overview of the Miasma Campaign

The ongoing attack displays technical signatures highly similar to the previous Shai-Hulud campaign, utilizing automated scripts for credential exfiltration. Security researchers have identified a pattern involving the creation of malicious repositories under the name "Miasma: The Spreading Blight." According to the monitoring data, the attackers employ the following methods:

  • Theft of GitHub and npm tokens to gain unauthorized access to private codebases.
  • Extraction of cloud service credentials for AWS, Google Cloud Platform (GCP), and Azure.
  • Harvesting of SSH keys and Kubernetes secrets to compromise server environments.
  • Collection of local environment data and sensitive information from cryptocurrency wallets.

Impact on the Cryptocurrency Ecosystem

The targeting of Red Hat cloud service packages is particularly concerning for the decentralized finance (DeFi) and exchange sectors, which rely heavily on secure cloud infrastructure and automated deployment pipelines. By compromising npm packages, the standard building blocks of JavaScript development, attackers can bypass traditional perimeter security. The discovery of stolen wallet data suggests that the threat actors are specifically looking for private keys or seed phrases stored in developer environments, which could allow digital assets to be drained across various blockchain networks.

Current Status and Mitigation

Despite the initial discovery, the campaign remains active. Searches for suspicious repositories on GitHub continue to reveal newly created malicious repositories, indicating that the infection is still spreading. Developers are urged to audit their package-lock.json files and monitor for unauthorized outbound traffic to unknown domains.

The report highlights that users continue to be compromised because the attack techniques include the automated creation of malicious repositories and rapid key exfiltration, and it emphasizes the need to rotate all cloud and repository tokens immediately.

In conclusion, the Red Hat-focused npm attack represents a major escalation in supply chain threats. As the crypto industry continues to integrate with mainstream cloud services, the protection of developer tools and package managers becomes a primary defense against large-scale asset theft and infrastructure compromise. Individuals and organizations should immediately rotate their AWS/GCP keys and evaluate their dependency trees for any unrecognized software components.
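The lockfile audit recommended above (auditing package-lock.json and checking the dependency tree for unrecognized components) can be scripted. The following is an added example, not code from the article or from SlowMist; the package names, URLs and integrity hashes are constructed sample data, and the optional known-good lockfile is assumed to be a copy committed before the alert.

```javascript
// Added example, not from the article or from SlowMist: audit a package-lock.json
// (lockfileVersion 2 or 3) for entries that deserve review after a supply-chain alert.
// Every package name, URL and integrity hash below is constructed sample data.
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Returns one finding per suspicious entry. knownGood (optional) is a lockfile from
// before the incident, used to surface packages that were added or changed since.
function auditLockfile(lock, knownGood = null) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // skip the root project and workspace symlinks
    const name = entry.name || path.replace(/^.*node_modules\//, "");
    const reasons = [];
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_REGISTRY)) reasons.push("resolved outside trusted registry");
    if (!entry.integrity) reasons.push("missing integrity hash");
    if (entry.hasInstallScript) reasons.push("declares install script");
    if (knownGood) {
      const prev = (knownGood.packages || {})[path];
      if (!prev) reasons.push("not present in known-good lockfile");
      else if (prev.version !== entry.version || prev.integrity !== entry.integrity) reasons.push(`changed from ${prev.version}`);
    }
    if (reasons.length) findings.push({ path, name, version: entry.version, reasons });
  }
  return findings;
}
// Constructed sample: the lockfile committed before the alert ...
const KNOWN_GOOD_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-util": { version: "1.2.0", resolved: `${TRUSTED_REGISTRY}example-util/-/example-util-1.2.0.tgz`, integrity: "sha512-CONSTRUCTED-A" },
    "node_modules/example-cli": { version: "2.1.3", resolved: `${TRUSTED_REGISTRY}example-cli/-/example-cli-2.1.3.tgz`, integrity: "sha512-CONSTRUCTED-B" },
  },
};
// ... and the lockfile in the working tree today: one bumped version and one new
// package pulled from a non-registry URL with an install script and no integrity hash.
const CURRENT_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-util": KNOWN_GOOD_LOCK.packages["node_modules/example-util"],
    "node_modules/example-cli": { version: "2.1.4", resolved: `${TRUSTED_REGISTRY}example-cli/-/example-cli-2.1.4.tgz`, integrity: "sha512-CONSTRUCTED-C" },
    "node_modules/example-helper": { version: "0.0.1", resolved: "https://example.invalid/tarballs/example-helper.tgz", hasInstallScript: true },
  },
};

for (const f of auditLockfile(CURRENT_LOCK, KNOWN_GOOD_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reasons.join("; ")}`);
}
```

For a real project, load both lockfiles with JSON.parse(fs.readFileSync(path, "utf8")) and pass them to auditLockfile; a flagged entry is a starting point for review, not proof of compromise.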
