Find notable cyber news and cases, enriched with sources, timelines, and signals.

Miasma GitHub and npm supply-chain campaign

Campaign
First reported
Last updated
Happening score
H score 26
2 unique sources, 4 articles

Summary

Hide ▲

Miasma is a supply-chain campaign that began in Red Hat's @redhat-cloud-services npm namespace and later expanded across npm, PyPI, the Go ecosystem, and GitHub Actions workflows. Early reporting found 32 affected packages and 96 versions in Red Hat's ecosystem, while later analysis linked the campaign to 57 npm packages and more than 286 malicious versions using a 157-byte binding.gyp install trigger. A related PyPI wave, Hades, poisoned 19 packages with 37 malicious wheel artifacts and used a -setup.pth hook to run a Bun-based stealer. Researchers said the goal is to steal developer and CI/CD secrets, then reuse that access to spread through trusted publishing and repository workflows.

Related Happenings

AsyncAPI malicious npm package supply-chain malware

Malware Activity
H score21 First: 15.07.2026 18:37 Last: 15.07.2026 18:37 Sources 1

About this happening: Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstr...

AsyncAPI repositories and npm publishing workflow hit by network compromise

Incident
H score27 First: 15.07.2026 12:16 Last: 15.07.2026 12:16 Sources 1

About this happening: The AsyncAPI npm publishing pipeline was compromised in a July 14 supply-chain attack that used the project’s normal GitHub Actions release path to publish trojani...

GitHub fake-repository infostealer campaign

Campaign
H score41 First: 14.07.2026 22:15 Last: 14.07.2026 22:15 Sources 1

About this happening: A GitHub impersonation campaign is distributing infostealer malware through 292 fake repositories, expanding the risk to users searching for trusted software downloads...

Jscrambler hit by network compromise

Incident
H score15 First: 13.07.2026 22:44 Last: 13.07.2026 22:44 Sources 1

About this happening: The Jscrambler npm package suffered an unauthorized publication of a malicious version that exposed developers to infostealer theft risk. The bad release stayed li...

OpenMandriva Linux project hit by cyberattack

Incident
H score32 First: 10.07.2026 01:14 Last: 10.07.2026 01:14 Sources 1

About this happening: The OpenMandriva Linux project is recovering from an attempted internal sabotage that deleted repositories and published an empty package that could have damaged user...

Timeline

  1. 05.06.2026 21:05 3 articles · 1mo ago

    Miasma worm spreads through 57 npm packages and 286 malicious versions

    Campaign Scope Update

    A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.

    Show sources
  2. 02.06.2026 00:38 2 articles · 1mo ago

    Aikido and OX Security discover Miasma in Red Hat npm packages

    Initial Disclosure

    Security firms Aikido and OX Security identified more than 30 npm packages in Red Hat's @redhat-cloud-services namespace as backdoored with Miasma, a new Shai-Hulud variant designed to steal developer credentials, cloud secrets, SSH keys, CI/CD tokens, and other sensitive data. Aikido reported 32 affected packages and 96 package versions, and Red Hat said it removed the affected packages from the npm registry, limited the compromise to internal development tooling, and had not identified impact to customer, partner, or Red Hat production environments.

    Show sources