Miasma GitHub and npm supply-chain campaign
Campaign
Summary
Hide ▲
Show ▼
Miasma is a supply-chain campaign that began in Red Hat's @redhat-cloud-services npm namespace and later expanded across npm, PyPI, the Go ecosystem, and GitHub Actions workflows. Early reporting found 32 affected packages and 96 versions in Red Hat's ecosystem, while later analysis linked the campaign to 57 npm packages and more than 286 malicious versions using a 157-byte binding.gyp install trigger. A related PyPI wave, Hades, poisoned 19 packages with 37 malicious wheel artifacts and used a -setup.pth hook to run a Bun-based stealer. Researchers said the goal is to steal developer and CI/CD secrets, then reuse that access to spread through trusted publishing and repository workflows.
Related Happenings
AsyncAPI malicious npm package supply-chain malware
Malware Activity
H score21
First: 15.07.2026 18:37
Last: 15.07.2026 18:37
Sources 1
About this happening:
Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstr...
AsyncAPI malicious npm package supply-chain malware
Malware ActivityAbout this happening: Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstr...
AsyncAPI repositories and npm publishing workflow hit by network compromise
Incident
H score27
First: 15.07.2026 12:16
Last: 15.07.2026 12:16
Sources 1
About this happening:
The AsyncAPI npm publishing pipeline was compromised in a July 14 supply-chain attack that used the project’s normal GitHub Actions release path to publish trojani...
AsyncAPI repositories and npm publishing workflow hit by network compromise
IncidentAbout this happening: The AsyncAPI npm publishing pipeline was compromised in a July 14 supply-chain attack that used the project’s normal GitHub Actions release path to publish trojani...
GitHub fake-repository infostealer campaign
Campaign
H score41
First: 14.07.2026 22:15
Last: 14.07.2026 22:15
Sources 1
About this happening:
A GitHub impersonation campaign is distributing infostealer malware through 292 fake repositories, expanding the risk to users searching for trusted software downloads...
GitHub fake-repository infostealer campaign
CampaignAbout this happening: A GitHub impersonation campaign is distributing infostealer malware through 292 fake repositories, expanding the risk to users searching for trusted software downloads...
Jscrambler hit by network compromise
Incident
H score15
First: 13.07.2026 22:44
Last: 13.07.2026 22:44
Sources 1
About this happening:
The Jscrambler npm package suffered an unauthorized publication of a malicious version that exposed developers to infostealer theft risk. The bad release stayed li...
Jscrambler hit by network compromise
IncidentAbout this happening: The Jscrambler npm package suffered an unauthorized publication of a malicious version that exposed developers to infostealer theft risk. The bad release stayed li...
OpenMandriva Linux project hit by cyberattack
Incident
H score32
First: 10.07.2026 01:14
Last: 10.07.2026 01:14
Sources 1
About this happening:
The OpenMandriva Linux project is recovering from an attempted internal sabotage that deleted repositories and published an empty package that could have damaged user...
OpenMandriva Linux project hit by cyberattack
IncidentAbout this happening: The OpenMandriva Linux project is recovering from an attempted internal sabotage that deleted repositories and published an empty package that could have damaged user...
Timeline
-
05.06.2026 21:05 3 articles · 1mo ago
Miasma worm spreads through 57 npm packages and 286 malicious versions
Campaign Scope UpdateA new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.
Show sources
- IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks — thehackernews.com — 05.06.2026 21:05
- Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer — thehackernews.com — 09.06.2026 12:13
- Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack — thehackernews.com — 26.06.2026 14:05
-
02.06.2026 00:38 2 articles · 1mo ago
Aikido and OX Security discover Miasma in Red Hat npm packages
Initial DisclosureSecurity firms Aikido and OX Security identified more than 30 npm packages in Red Hat's @redhat-cloud-services namespace as backdoored with Miasma, a new Shai-Hulud variant designed to steal developer credentials, cloud secrets, SSH keys, CI/CD tokens, and other sensitive data. Aikido reported 32 affected packages and 96 package versions, and Red Hat said it removed the affected packages from the npm registry, limited the compromise to internal development tooling, and had not identified impact to customer, partner, or Red Hat production environments.
Show sources
- Red Hat npm packages compromised to steal developer credentials — www.bleepingcomputer.com — 02.06.2026 00:38
- Red Hat npm packages compromised to steal developer credentials — www.bleepingcomputer.com — 02.06.2026 00:38