惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
L
LINUX DO - 最新话题
Recorded Future
Recorded Future
月光博客
月光博客
博客园 - 【当耐特】
博客园 - 叶小钗
宝玉的分享
宝玉的分享
量子位
雷峰网
雷峰网
博客园 - 三生石上(FineUI控件)
The Cloudflare Blog
Vercel News
Vercel News
L
LangChain Blog
B
Blog
Y
Y Combinator Blog
爱范儿
爱范儿
GbyAI
GbyAI
S
Security @ Cisco Blogs
T
The Blog of Author Tim Ferriss
A
About on SuperTechFans
博客园 - Franky
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
Scott Helme
Scott Helme
I
Intezer
T
The Exploit Database - CXSecurity.com
MyScale Blog
MyScale Blog
T
Tor Project blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Troy Hunt's Blog
N
News and Events Feed by Topic
大猫的无限游戏
大猫的无限游戏
F
Fortinet All Blogs
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Security Affairs
Cyberwarzone
Cyberwarzone
PCI Perspectives
PCI Perspectives
小众软件
小众软件
D
DataBreaches.Net
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Know Your Adversary
Know Your Adversary
Forbes - Security
Forbes - Security
S
Securelist
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
Cyber Attacks, Cyber Crime and Cyber Security
The Last Watchdog
The Last Watchdog

2024 Sonatype Blog

Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing Software Security Has to Start at Assembly easy-day-js Targets Mastra, Dependency Attacks Grow Open Publishing, Commercial Scale Software Dependency Cooldowns Are a Symptom, Not a Strategy Atomic Arch npm Campaign Adds Malicious Dependency From SBOMs to AI BOMs: Why SPDX 3.0 Matters Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm 5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook The AI Race Is Becoming a Remediation Race Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target Building Trusted AI Development With Kiro and Sonatype Guide How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Malicious PyTorch Lightning Packages Found on PyPI Why Developer Experience Is the Foundation of DevSecOps Success Open is Not Costless: Reclaiming Sustainable Infrastructure Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust Modernizing Nexus Repository: Moving Beyond OrientDB AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer
Red Hat Cloud Services npm Packages Hijacked
Sonatype Security Research Team · 2026-06-02 · via 2024 Sonatype Blog

A new wave of malicious npm activity has been reported involving multiple packages in the legitimate @redhat-cloud-services namespace.

Public analysis from security researchers indicates that affected package versions contained install-time malware executed through npm lifecycle scripts, exposing developer machines and CI/CD environments to credential theft, persistence, and possible downstream package propagation.

Attackers included GitHub dead-drop repositories in the secondary payload containing the phrase "Miasma: The Spreading Blight." Sonatype is referencing Miasma in that context, as a campaign marker observed in reported payload behavior, not as independent attribution to a specific threat actor.

Some industry researchers connected this activity to TeamPCP and the broader Shai-Hulud malware campaigns. However, definitive attribution remains unclear.

The activity appears to use credential-theft techniques similar to those seen in recent npm supply chain campaigns, which may also reflect copycat behavior as attackers adopt methods that have already proven effective.

Compromised Packages in a Trusted Namespace

Several npm packages under the @redhat-cloud-services scope were compromised and published with embedded malicious code.

These were not typosquatted or lookalike packages, but rather legitimate packages in a trusted namespace, which makes the incident especially relevant for organizations that rely on package reputation or historical usage as indicators of safety.

Affected packages include, but are not limited to:

  • @redhat-cloud-services/types

  • @redhat-cloud-services/frontend-components

  • @redhat-cloud-services/rbac-client

  • @redhat-cloud-services/javascript-clients-shared

  • @redhat-cloud-services/host-inventory-client

How the 'Miasma' Campaign Behaves

Sonatype Research observed that the affected Red Hat packages execute a heavily obfuscated script upon installation which attempts to download and run a second-stage payload from the author's server. Because this behavior is triggered during package installation, the payload can execute before application code imports the package or developers have a normal reason to inspect runtime behavior.

The second-stage payload appears to act as a Bun downloader with several malicious objectives:

  • It can gather and exfiltrate environment variables, AWS credentials, and developer secrets.

  • It also attempts to replicate by using discovered npm tokens to republish modified versions of packages the token can access, including use of npm's bypass_2fa parameter to bypass two-factor authentication protections.

  • In addition, the payload can modify Claude Code and VS Code settings to inject malicious code that runs at the beginning of each session.

Simply removing the package may not be enough. If an affected version was installed, the host should be considered potentially compromised, and teams should investigate whether the second-stage payload downloaded additional malicious software or established persistence.

Why The Red Hat Compromise Matters

The Red Hat compromise and subsequent npm supply chain attack reinforces a notable pattern: attackers are increasingly targeting trusted packages, maintainers, automation tokens, and publishing workflows.

A package can appear safe because, increasingly often, a malicious package was safe yesterday. It may have a legitimate namespace, real maintainers, meaningful download history, and valid package metadata.

But if an attacker compromises the publishing path, a newly released version can become malicious while retaining the trust signals developers and automated pipelines already accept.

This should be treated as more than a dependency cleanup issue. For organizations that installed affected versions, it may be a credential exposure and CI/CD security incident.

What to Do if You Installed Malicious Versions

Organizations that may have downloaded affected @redhat-cloud-services package versions should begin by identifying exposure across source repositories, lockfiles, CI/CD logs, package caches, developer machines, and container images.

Recommended first steps include:

  1. Search package.json, lockfiles, SBOMs, package caches, and build images for affected @redhat-cloud-services packages and versions.

  2. Review CI/CD logs to determine if affected packages were installed with lifecycle scripts enabled.

  3. Identify developer workstations or runners where npm install, npm ci, or equivalent commands may have executed the malicious versions.

  4. Treat exposed environments as potentially compromised, especially if credentials were available during installation.

  5. Isolate affected systems before rotating credentials where compromise is suspected.

  6. Review GitHub, npm, cloud, and CI/CD audit logs for unexpected token use, repository changes, workflow edits, or package publishes.

  7. Rotate exposed credentials from a clean environment after containment.

  8. Rebuild CI runners, containers, or developer systems where compromise cannot be ruled out.

  9. Assume the blast radius extends beyond the originally affected project and investigate other accessible projects and repositories for signs of compromise or propagation.

Teams should also look for suspicious install-time behavior, including unexpected preinstall scripts, unusually large or obfuscated JavaScript files, Bun execution during npm installation, unexpected outbound traffic during dependency installation, and suspicious changes to GitHub workflows or developer tool configuration files.

What Sonatype Customers Should Do

Sonatype customers should use their existing software composition analysis, repository management, and policy controls to identify and manage exposure to the affected package versions.

Recommended actions include:

  • Search for affected @redhat-cloud-services packages and versions across applications, builds, repositories, and SBOMs.

  • Review policy violations and malicious package intelligence as Sonatype data is updated.

  • Block or quarantine confirmed malicious versions.

  • Review dependency update automation to ensure compromised versions are not introduced through automated pull requests.

  • Use repository controls to reduce direct dependency retrieval from the public npm registry where appropriate.

  • Coordinate with security, DevOps, and application teams to determine whether any CI/CD credentials or developer machines were exposed.

  • Expand the investigation to your other repositories for signs of propagation, including unexpected commits, workflow changes, or package releases.

  • Leverage Sonatype Guide to help developers and AI coding assistants evaluate component health, security, and version risk before introducing or updating dependencies.

Trust Should Be Continuously Re-Evaluated

The reported @redhat-cloud-services compromise, with the descriptor "Miasma: The Spreading Blight," is another reminder that modern open source attacks are not limited to obscure packages or obvious social engineering.

For security teams, open source governance must move beyond static allowlists and one-time dependency approval. The question is not only if a package was safe when it was first adopted, but whether each new version, install-time behavior, and build environment interaction remains safe now.

Defending against this class of attack requires treating every new package version as a new risk decision, even when the package itself is familiar.

Tags

Red Hat npm security research supply chain attacks malicious code npm Malware Sonatype Guide