Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Watchlists Beta Browse News Feed Stats About Contact

Miasma GitHub and npm supply-chain campaign

Campaign
First reported
Last updated
Happening score
H score 48
1 unique sources, 1 articles

Summary

Hide ▲

A Miasma supply-chain campaign has spread through GitHub and npm abuse, compromising 309 GitHub repositories and widening the risk of credential theft across developer projects. The operation used a compromised GitHub account, malicious commits, and npm trusted publishing to push backdoored packages. Attribution remains open, but the activity shows continuity over the past couple of months and a broad developer-ecosystem footprint.

Related Happenings

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

Open Happening

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...

Open Happening

TrapDoor cross-ecosystem supply-chain campaign

Campaign
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

Open Happening

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Open Happening

Mini Shai-Hulud supply-chain campaign targeting npm and PyPI

Campaign
First: 12.05.2026 17:45 Last: 12.05.2026 17:45 Sources 1

About this happening: The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...

Latest development: 21.05.2026 11:00

Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.

Open Happening

Timeline

  1. 02.06.2026 00:38 2 articles · 1h ago

    Aikido and OX Security discover Miasma in Red Hat npm packages

    Initial Disclosure

    Security firms Aikido and OX Security identified more than 30 npm packages in Red Hat's @redhat-cloud-services namespace as backdoored with Miasma, a new Shai-Hulud variant designed to steal developer credentials, cloud secrets, SSH keys, CI/CD tokens, and other sensitive data. Aikido reported 32 affected packages and 96 package versions, and Red Hat said it removed the affected packages from the npm registry, limited the compromise to internal development tooling, and had not identified impact to customer, partner, or Red Hat production environments.

    Show sources
    Open in new tab