Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign

Source Metadata

• Source: Microsoft Security Blog
• Canonical URL: https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/
• Additional references: none
• Published at: Wed, 03 Jun 2026 04:45:06 +0000
• Fetched at: 2026-06-04T00:24:29Z
• Trust level: vendor

Why It Matters

• Source type: Threat Intelligence
• Severity hint: high (Compromise, credential-theft, malware, or supply-chain signal.)
• Extracted signals: supply-chain attack

What SecOpsAI Can Detect

SecOpsAI can help operators review token exposure, credential-rotation tasks, CI/CD workflow risk, and SOC findings related to secret leakage or suspicious authentication activity.

Extracted Intelligence

CVEs

• None found deterministically; reviewer should confirm source details.

Affected Packages Or Products

• npm

IOCs

• None found deterministically; reviewer should add source-backed indicators if present.

Recommended Actions

• Rotate affected tokens or credentials if exposure is plausible.
• Review GitHub Actions, OIDC trust relationships, OAuth grants, and cloud roles.
• Check audit logs for suspicious use of impacted credentials or identities.
• Tighten token scopes and remove stale non-human identities where possible.
• Review extracted package references: npm.

Operator Commands

secopsai triage summary
secopsai research preflight
secopsai supply-chain advisory list
secopsai blog news-review show news-351daec4f3181d58-preinstall-to-persistence-inside-the-red-hat-npm-miasma-credential-s

References

• https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/