Skip to content
supplychainattack.orgSupply chain attack incident catalog

Miasma supply chain incidents

Self-replicating npm worm campaign first reported in 2026 that hides its payload in binding.gyp native-module build files (executed during npm install), propagating across packages and maintainer accounts and later pivoting to GitHub repository compromises.

Also tracked as: Miasma worm, Miasma campaign

21 confirmed incidents publicly associated with this group. Attribution reflects what the cited sources state; it is recorded for filtering, not asserted by this site.

  1. containedcritical

    Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents

    On June 5, 2026, the Miasma worm campaign compromised Microsoft's Azure GitHub organizations by pushing a malicious commit to the Azure/durabletask repository using a compromised contributor account. GitHub disabled 73 repositories across four Microsoft organizations after configuration files were planted to harvest credentials when developers opened repositories in AI coding agents like Claude Code, Gemini CLI, Cursor, or VS Code.

    MiasmaAI agents & skillsMalicious commitAccount takeover
  2. activecritical

    Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp

    A self-replicating worm named Miasma is spreading across the npm registry by injecting malicious code into binding.gyp files, which execute during npm install without requiring package.json script modifications. The attack has already compromised dozens of packages across multiple maintainer accounts and evades conventional security detection.

    MiasmanpmCompromised packageMalicious commit
  3. containedcritical

    Multiple redhat-cloud-services npm Packages compromised

    Multiple npm packages in the @redhat-cloud-services scope were compromised with malicious payloads. The attack used preinstall hooks to execute a multi-stage credential harvester targeting cloud and CI/CD platform secrets.

    MiasmanpmCompromised package
  4. activecritical

    Malware in @jagreehal/workflow

    Malware in @jagreehal/workflow Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to a

    MiasmanpmCompromised package
  5. activecritical

    Malware in autotel-terminal

    Malware in autotel-terminal Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an o

    MiasmanpmCompromised package
  6. activecritical

    Malware in @redhat-cloud-services/hcc-feo-mcp

    Malware in @redhat-cloud-services/hcc-feo-mcp Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have

    MiasmanpmAI agents & skillsCompromised package
  7. activecritical

    Malware in @redhat-cloud-services/rule-components

    Malware in @redhat-cloud-services/rule-components Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may h

    MiasmanpmCompromised package
  8. activecritical

    Malware in @redhat-cloud-services/frontend-components

    Malware in @redhat-cloud-services/frontend-components Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer m

    MiasmanpmCompromised package
  9. activecritical

    Malware in @redhat-cloud-services/quickstarts-client

    Malware in @redhat-cloud-services/quickstarts-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer ma

    MiasmanpmCompromised package
  10. activecritical

    Malware in @redhat-cloud-services/topological-inventory-client

    Malware in @redhat-cloud-services/topological-inventory-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the c

    MiasmanpmCompromised package
  11. activecritical

    Malware in @redhat-cloud-services/rbac-client

    Malware in @redhat-cloud-services/rbac-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have

    MiasmanpmCompromised package
  12. activecritical

    Malware in @redhat-cloud-services/frontend-components-remediations

    Malware in @redhat-cloud-services/frontend-components-remediations Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of t

    MiasmanpmCompromised package
  13. activecritical

    Malware in @redhat-cloud-services/sources-client

    Malware in @redhat-cloud-services/sources-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may ha

    MiasmanpmCompromised package
  14. activecritical

    Malware in @redhat-cloud-services/eslint-config-redhat-cloud-services

    Malware in @redhat-cloud-services/eslint-config-redhat-cloud-services Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control o

    MiasmanpmCompromised package
  15. activecritical

    Malware in @redhat-cloud-services/types

    Malware in @redhat-cloud-services/types Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been g

    MiasmanpmCompromised package
  16. activecritical

    Malware in @redhat-cloud-services/frontend-components-config

    Malware in @redhat-cloud-services/frontend-components-config Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the com

    MiasmanpmCompromised package
  17. activecritical

    Malware in @redhat-cloud-services/integrations-client

    Malware in @redhat-cloud-services/integrations-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer m

    MiasmanpmCompromised package
  18. activecritical

    Malware in @redhat-cloud-services/frontend-components-testing

    Malware in @redhat-cloud-services/frontend-components-testing Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the co

    MiasmanpmCompromised package
  19. activecritical

    Malware in @redhat-cloud-services/chrome

    Malware in @redhat-cloud-services/chrome Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been

    MiasmanpmCompromised package
  20. activecritical

    Malware in @redhat-cloud-services/frontend-components-config-utilities

    Malware in @redhat-cloud-services/frontend-components-config-utilities Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control

    MiasmanpmCompromised package
  21. activecritical

    Malware in @redhat-cloud-services/entitlements-client

    Malware in @redhat-cloud-services/entitlements-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer m

    MiasmanpmCompromised package