
The campaign, which Wiz researchers are tracking as Miasma, is thought to be the latest evolution of Shai-Hulud, a self-propagating malware family that has repeatedly surfaced in software supply chain attacks targeting the npm ecosystem.
“Investigation revealed that at least 32 package releases contained unauthorized modifications that do not match the corresponding source repositories,” Wiz researchers said in a blog post. “These packages cumulatively average ~80,000 weekly downloads.”
The worm also appears to be expanding its ambitions. Wiz noted that Miasma includes new collectors for Google Cloud and Azure identities, extending its focus from credential theft to mapping and potentially exploiting cloud access available from compromised developer environments.
By compromising packages associated with Red Hat Cloud Services, the attackers are targeting a software ecosystem that many organisations already trust. The good news, the researchers noted, is that most of the packages feared to be infected have already been removed.
