Breaking · June 1, 2026

Attackers compromised a Red Hat employee's GitHub account and pushed malicious code into 32 official packages under the @redhat-cloud-services npm namespace — packages averaging 80,000 combined weekly downloads. The payload deployed the Miasma worm, a credential-stealing tool that targets cloud provider keys, GitHub tokens, Kubernetes tokens, and CI/CD secrets. The most alarming detail: attackers abused GitHub Actions OIDC to generate valid SLSA provenance attestations, making the backdoored packages appear as formally verified, legitimate releases. Red Hat confirmed no enterprise production systems were impacted — version pinning in enterprise deployments prevented the compromised versions from being installed.

This attack is significant not because of what it stole — but because of what it forged. SLSA (Supply-chain Levels for Software Artifacts) is the industry's answer to supply chain integrity. It's the verification framework enterprises rely on to trust open-source packages. The Miasma attackers didn't bypass it. They abused it — generating authentic-looking provenance for packages that were actively malicious.

If your CI/CD pipeline trusts SLSA attestations as the final word on package integrity, this attack broke your model.

32 official @redhat-cloud-services packages compromised
96 affected package versions across the 32 packages
80K combined weekly downloads in the exposure window

How the Attack Worked

1. Attacker compromises a Red Hat employee's GitHub account
The entry point was a single compromised developer account with write access to RedHatInsights repositories. No zero-day required — account compromise is sufficient when developer accounts have direct push access to official package namespaces.
2. Malicious "orphan commits" pushed to 32 packages — 96 versions
The attacker pushed backdoored commits across 32 packages in the @redhat-cloud-services namespace. The payload hid inside npm preinstall hooks — multi-stage JavaScript that executes automatically when anyone runs npm install. No explicit invocation required.
3. SLSA provenance faked via GitHub Actions OIDC abuse
This is the critical escalation. Attackers abused GitHub Actions' OpenID Connect (OIDC) token exchange to trigger the standard SLSA provenance generation workflow. The result: valid, cryptographically-signed SLSA attestations for malicious package versions — the same attestations that security tooling uses to declare a package "verified." The backdoored packages passed integrity checks that honest packages pass.
4. Miasma worm executes on install — sweeps for every secret it can find
On npm install, the preinstall hook fires. The Miasma worm (a fork of the publicly leaked "Mini Shai-Hulud" malware) runs a multi-stage JavaScript payload designed for stealth and completeness. It searches the developer's environment and any connected CI/CD context for every high-value credential class it knows about.
5. Worm establishes persistence on developer machines
Beyond credential theft, Miasma includes persistence mechanisms targeting developer workstations. CI/CD systems that ran affected workflows produced build artifacts that cannot be trusted — any artifact built during the exposure window should be treated as potentially compromised.

What Miasma Was After

The worm performed a sweeping, systematic search for every credential class it could reach. This wasn't opportunistic — it was engineered for maximum yield from a developer or CI/CD environment:

Cloud Provider Keys
AWS, GCP, and Azure credentials — IAM keys, service account tokens, and metadata service endpoints.
GitHub Tokens & SSH Keys
Personal access tokens, deploy keys, and SSH private keys — enabling repository access and lateral movement within GitHub orgs.
Kubernetes Tokens
kubeconfig files, service account tokens, and in-cluster credentials — granting access to production cluster workloads.
HashiCorp Vault Tokens
Vault access tokens — which in many organizations are the master key to every other secret in the environment.
.env Files & Docker Credentials
Local environment files, Docker registry credentials, and container registry tokens used in build pipelines.
npm & PyPI Tokens
Package registry publish tokens — enabling the attacker to extend the supply chain compromise further downstream.

What stopped it

Red Hat confirmed no enterprise production systems were impacted. The reason: version pinning. Enterprise deployments that pin specific package versions in their lockfiles didn't automatically pull the compromised releases. This is the defense that worked — and it worked passively, without any security tooling detecting the attack in real time.

Why This Attack Is Different: SLSA Provenance Was Not a Defense

The standard enterprise response to supply chain risk is to verify provenance — trust only packages with valid SLSA attestations from known build systems. This attack breaks that assumption.

GitHub Actions OIDC is the mechanism that many SLSA Level 2 and Level 3 attestations rely on. When a GitHub Actions workflow runs, it can request an OIDC token that proves the workflow ran in a specific repository at a specific commit. SLSA tooling uses this to generate signed provenance records.

The Miasma attackers had write access to the repository. They triggered the standard CI/CD workflow from the compromised account. The OIDC token was legitimately issued — because from GitHub's perspective, the workflow ran exactly as configured, in the correct repository. The SLSA provenance was cryptographically valid. The package was malicious.

This is the class of attack where policy-as-attestation fails: the attestation proves the process ran correctly, not that the process produced safe output. Behavioral verification at runtime is the only control that catches this.

What Every Enterprise Must Do Right Now

1. Rotate all CI/CD secrets immediately if you ran affected packages
Treat every CI/CD secret, cloud token, GitHub PAT, SSH key, Kubernetes service account token, Vault token, npm publish token, and Docker credential as fully compromised if your pipeline installed any @redhat-cloud-services package version published June 1, 2026 between 1PM and 3PM UTC. Rotation is not optional.
2. Isolate affected developer machines and audit for persistence
Miasma installs persistence on developer workstations. Any machine that ran npm install with an affected package version should be isolated, forensically reviewed, and re-imaged before being returned to production use. The credential theft is the visible payload — the persistence mechanism is the longer-term risk.
3. Suspend CI/CD workflows and invalidate build artifacts from the exposure window
Any build artifact produced by a pipeline that ran an affected package version during June 1 1PM–3PM UTC is untrusted. Invalidate those artifacts, suspend the workflow runs, and rebuild from a clean dependency graph. Do not ship artifacts you cannot prove were built clean.
4. Audit your npm lockfiles for @redhat-cloud-services package versions
Check every package-lock.json and yarn.lock in your organization. If any file resolves to a @redhat-cloud-services package with a version published on June 1, update to the latest clean version and re-lock. The clean versions were revoked and re-published — latest is safe.
# Audit your package-lock.json for affected packages
# (the "version" key sits on the line after the package entry, so print one line of context)
grep -A1 -E '@redhat-cloud-services/[^"]*": \{' package-lock.json

# Check for suspicious preinstall hooks in node_modules
find node_modules/@redhat-cloud-services -name "package.json" \
  -exec grep -l "preinstall" {} \;

# Rotate GitHub token immediately if affected: revoke the token in GitHub's
# token settings first (logging out locally does not revoke it server-side),
# then drop the local credential and re-authenticate
gh auth logout
gh auth login

# Scan for Miasma IOCs on developer machines (Aikido Security IOC list)
find ~ \( -name ".miasma*" -o -name ".shai*" \) 2>/dev/null
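
The lockfile audit from step 4, as an added example (not code from Red Hat, Aikido or RuntimeAI): it walks a parsed package-lock.json in both the v1 and v2/v3 layouts, including nested and aliased installs that a line-based grep can miss, and reports which @redhat-cloud-services entries carry install scripts. The package names, versions and the affected-version map are constructed placeholders, since the page does not list the 96 affected versions.

```javascript
'use strict';
// Added example: list every @redhat-cloud-services entry in a parsed package-lock.json.
const SCOPE = '@redhat-cloud-services/';

// lock: parsed lockfile. affected: Map of package name -> Set of known-bad versions,
// to be filled from the vendor advisory (the page does not list the 96 versions).
function auditLockfile(lock, affected = new Map()) {
  const hits = [];
  const record = (name, path, meta) => {
    if (!name.startsWith(SCOPE) || !meta.version) return; // skip other scopes and links
    const bad = affected.get(name);
    hits.push({
      name, path, version: meta.version,
      // npm v7+ lockfiles set hasInstallScript when lifecycle install scripts exist
      hasInstallScript: meta.hasInstallScript === true,
      flagged: Boolean(bad && bad.has(meta.version)),
    });
  };
  if (lock.packages) { // lockfile v2/v3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1) continue; // root project or workspace folder
      record(meta.name || path.slice(idx + 'node_modules/'.length), path, meta);
    }
  } else { // lockfile v1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        record(name, path, meta);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample: hypothetical package names and versions, not advisory data.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/example-a': { version: '0.0.1', hasInstallScript: true },
    'node_modules/left/node_modules/@redhat-cloud-services/example-b': { version: '0.0.2' },
    'node_modules/left': { version: '2.0.0' },
  },
};
const SAMPLE_AFFECTED = new Map([['@redhat-cloud-services/example-a', new Set(['0.0.1'])]]);

console.table(auditLockfile(SAMPLE_LOCK, SAMPLE_AFFECTED));
```

For a real project, parse the repository's package-lock.json and pass the result as lock; an entry with flagged or hasInstallScript set is the one to review before the next install.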

The Five Controls That Catch This Before It Ships

01. RuntimeAI → Supply Chain Audit + Behavioral Verification
Verify behavior at install time — not just provenance
SLSA provenance proves a package was built by a known process. It does not prove the process produced safe output. RuntimeAI's supply chain audit layer analyzes npm preinstall and postinstall hook behavior at install time — flagging scripts that perform network calls, filesystem sweeps, or environment variable access that the package's stated purpose does not justify. Miasma's preinstall hook would have been flagged before the first credential was read.
02. RuntimeAI → KYA Identity + Non-Human Identity Governance
Scope CI/CD secrets to the minimum — and rotate them automatically
Miasma's effectiveness depends on finding long-lived, broadly scoped credentials in the environment. RuntimeAI's KYA (Know Your Agent) extends non-human identity governance to CI/CD identities: every pipeline gets a scoped, short-lived credential issued at runtime. There are no long-lived AWS access keys sitting in .env files for Miasma to find. Automatic rotation means any credential captured is expired before the attacker can use it.
03. RuntimeAI → Audit Black Box + CI/CD Telemetry
Every build step logged — anomalous network calls surface immediately
The Miasma payload makes network calls to exfiltrate credentials. RuntimeAI's Audit Black Box extends into CI/CD pipeline telemetry: every build step's network activity, process spawns, and file accesses are logged against the expected build graph. A preinstall hook making an outbound call to an unexpected external host surfaces as an anomaly within seconds — well before the build artifact is produced or deployed.
04. RuntimeAI → Flow Enforcer + Dependency Policy
Block unapproved package versions from entering production pipelines
RuntimeAI's Flow Enforcer applies policy at the dependency resolution step: every package version that enters a production build must be on an approved list or pass a behavioral gate. New versions of any package — even from trusted namespaces like @redhat-cloud-services — require explicit approval before they can be installed in production pipelines. The compromised June 1 versions would have been blocked at the gate, not discovered after installation.
05. RuntimeAI → Developer Identity + Access Scoping
Developer accounts with package publish access need hardware-bound MFA and scoped tokens
The entire attack chain started with one compromised developer account. RuntimeAI's identity governance enforces hardware-bound MFA for any developer account with package publish, repository admin, or CI/CD secret access. Publish tokens are scoped to specific package namespaces with expiry, not lifetime credentials. A compromised password alone — without the hardware key — cannot push to production namespaces.

Version Pinning Is Good. Runtime Behavioral Monitoring Is Better.

Red Hat's enterprises were saved by version pinning — a passive control that happened to work because no one had updated their lockfiles to the compromised release window. That's a narrow save. The next campaign may target a package that enterprise pipelines do auto-update, or may use a different timing window.

The defense posture that catches this reliably is not provenance verification alone — it's runtime behavioral monitoring at the install boundary combined with scoped, short-lived CI/CD credentials that expire before exfiltrated secrets can be used.

Protect your supply chain with RuntimeAI.

RuntimeAI's platform extends Zero Trust governance into the CI/CD layer — behavioral verification at install time, scoped short-lived CI/CD identities, anomaly detection on build pipeline network activity, and an audit trail that covers every dependency resolution, build step, and artifact production event.

Behavioral Install Audit
npm preinstall hooks analyzed for network calls, env access, and filesystem sweeps before execution completes.
KYA CI/CD Identity
Short-lived, scoped credentials for every pipeline. No long-lived AWS keys or GitHub PATs in environment files.
Dependency Policy Gates
New package versions require approval before entering production builds — even from trusted namespaces.
Build Pipeline Audit Trail
Every build step logged with network activity, process spawns, and artifact provenance. Tamper-evident chain.
Anomaly Detection
Unexpected outbound calls from build steps surface as alerts in real time — before artifacts are deployed.
Hardware-Bound Developer MFA
Publish access requires hardware key. Compromised password alone cannot push to production namespaces.

EU AI Act Supply Chain Obligations

EU AI Act Article 13 requires providers of high-risk AI systems to document their supply chain — including third-party components. If your AI application depends on npm packages and one of those packages was Miasma-compromised during development, that's a supply chain integrity event you are now obligated to disclose and document. SLSA attestation alone does not satisfy this obligation when the provenance was generated from a compromised build process.

The next supply chain attack won't wait for your lockfile to protect you.

Behavioral verification at install time, scoped CI/CD identities, and real-time build pipeline monitoring — deployed in under an hour with RuntimeAI.
