PANews reported on June 2nd that SlowMist has detected an active npm supply chain attack targeting Red Hat cloud service packages. The report shows that over 31 packages are affected, with approximately 116,000 downloads per week, and over 300 GitHub repositories contain stolen credentials. The attack techniques are highly similar to previous Shai-Hulud npm attacks, including credential collection, malicious repository creation, and automated key leakage. Searching GitHub using the tag "Miasma: The Spreading Blight" and sorting by recent updates still reveals newly appearing suspicious repositories, indicating that users are still being compromised.
Potential attacker behaviors include GitHub and npm token theft; AWS, GCP, and Azure credential theft; SSH and Kubernetes key collection; exposure of local environment and wallet data; malicious GitHub repository creation; persistence; and disruptive behavior upon token revocation. SlowMist recommends immediately removing or downgrading affected versions, auditing CI/CD pipelines and dependency installations, rotating relevant keys and credentials, retaining logs, and rebuilding exposed development machines or runtime environments from clean images.



