
HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Tuesday, June 2, 2026  ·  hardened.news
The signal. Not the noise. For teams that defend.
Lead Story
Critical — Active Credential Exfiltration · Dev · Cloud+DevOps
Miasma Worm Hits 32 Official Red Hat Cloud Services npm Packages — Cloud and CI/CD Credentials at Risk
Wiz Research identified a supply chain compromise on June 1 in which a credential-stealing worm, injected via a compromised Red Hat employee’s GitHub account, was embedded in 96 versions of 32 packages; every npm install of an affected version executes a cloud credential exfiltrator.

Wiz Research identified the compromise on June 1. A hijacked Red Hat employee GitHub account gave the attacker trusted publish access to the @redhat-cloud-services namespace. Using it, they planted orphan commits — parentless branches that sidestep code review — in two RedHatInsights repositories and let the repositories’ own GitHub Actions OIDC tokens authorize the malicious npm releases, tainting 32 packages. Those packages average 80,000 weekly downloads across enterprise cloud tooling — container platform SDKs, management interfaces, and analytics clients. Wiz Research → JFrog Security Research →

The embedded malware is Miasma, a new variant of the Mini Shai-Hulud credential-stealing worm whose source tools were open-sourced by TeamPCP earlier this year. A large, obfuscated preinstall hook executes automatically on npm install before any application code runs, then exfiltrates secrets from AWS, Azure, GCP, HashiCorp Vault, Kubernetes, GitHub Actions OIDC tokens, Bitwarden, and 1Password to attacker-controlled public GitHub repositories. Attribution is unconfirmed — any actor can deploy the open-sourced toolset. The Hacker News →

→ Key Takeaway
Any npm install of @redhat-cloud-services packages since June 1 should be treated as a credential compromise — the worm fires before application code runs, making conventional endpoint detection ineffective. JFrog Security Research confirmed 96 malicious package versions across 32 packages; remove affected versions from your dependency tree and package lock files immediately. Action: Ask your engineering and platform teams to audit all pipeline builds run since June 1 for @redhat-cloud-services dependencies, rotate every CI/CD secret, cloud credential, SSH key, and npm token from those environments, and re-run builds from a clean state.
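One way to run the dependency audit the takeaway asks for, as an added example that is not code from HARDENED, Wiz or JFrog: it walks an npm lockfile (lockfileVersion 2 or 3) and flags every package in the @redhat-cloud-services scope, plus any package that declares an install-time script of the kind the Miasma preinstall hook relies on. The lockfile, package names and versions below are constructed sample data, not real findings.

```javascript
// Added example, not code from HARDENED, Wiz or JFrog: audit an npm
// lockfile (lockfileVersion 2 or 3) for the @redhat-cloud-services scope
// and for any package that runs an install-time script. The lockfile
// below is constructed sample data; its package names and versions are
// not real findings.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/example-sdk": {
      version: "0.0.0-constructed", hasInstallScript: true,
    },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/@redhat-cloud-services/example-types": { version: "0.0.0-constructed" },
    "node_modules/some-native-addon": { version: "1.2.3", hasInstallScript: true },
  },
});

const WATCHED_SCOPE = "@redhat-cloud-services";

// Returns one finding per package that is in the watched scope or declares
// an install script; npm sets hasInstallScript in the lockfile when a
// package.json has a preinstall, install or postinstall script.
function auditLockfile(lockfileText, watchedScope = WATCHED_SCOPE) {
  const lock = JSON.parse(lockfileText);
  if (!lock.packages) throw new Error("lockfileVersion 2 or 3 required");
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry
    const marker = "node_modules/";
    const idx = path.lastIndexOf(marker);
    // Workspace entries have no node_modules/ prefix; fall back to meta.name.
    const name = idx === -1 ? (meta.name || path) : path.slice(idx + marker.length);
    const inScope = name.startsWith(watchedScope + "/");
    const hasInstallScript = meta.hasInstallScript === true;
    if (!inScope && !hasInstallScript) continue;
    findings.push({
      name, version: meta.version, inScope, hasInstallScript,
      // In-scope packages are removed regardless of the script flag; other
      // install scripts are reviewed rather than blocked outright.
      action: inScope ? "remove-and-rotate-secrets" : "review-install-script",
    });
  }
  return findings;
}

const SAMPLE_FINDINGS = auditLockfile(SAMPLE_LOCKFILE);
```

Running `npm ci --ignore-scripts` during the audit keeps any remaining install hook from firing while the tree is being inspected.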
Quick Hits
01
Palo Alto GlobalProtect Authentication Bypass CVE-2026-0257 Weaponized in Ongoing VPN Campaign

Rapid7 MDR confirmed active exploitation of CVE-2026-0257 in customer environments since May 17, with attackers forging authentication-override cookies to establish unauthorized VPN sessions on GlobalProtect portals where the override certificate is shared with the HTTPS service — a misconfiguration present in many default deployments. CISA added the flaw to its Known Exploited Vulnerabilities catalogue on May 29, confirming active exploitation. Palo Alto Networks has published patches for affected PAN-OS versions; organizations that cannot patch immediately should generate a dedicated certificate for the authentication override feature to close the attack path. Rapid7 → Palo Alto Advisory →

High — Active Exploitation Confirmed · Enterprise · IT Ops
CVE Watch
CVE-2026-41089 (Windows Netlogon): 0-Click Pre-Auth RCE Actively Exploited Against Domain Controllers — Patch Tuesday Fix Available

CVE-2026-41089 is a stack-based buffer overflow in Windows Netlogon that allows an unauthenticated attacker to send a crafted network packet to any domain controller and achieve SYSTEM-level code execution — no credentials, no user interaction, no privileges required. The Centre for Cybersecurity Belgium updated its May Patch Tuesday advisory to confirm active exploitation in the wild, rating it their highest-priority patching action after testing. The flaw carries a CVSS 9.8 (Microsoft CVSS 3.1; NVD enrichment pending) and affects all currently supported Windows Server versions, including Server 2025; Microsoft issued the patch on May 12, 2026 as part of its May Patch Tuesday release. An unpatched domain controller exposed to the network represents an unauthenticated path to complete Active Directory compromise. NVD → Bleeping Computer →

Vendor: Microsoft  ·  CVE: CVE-2026-41089  ·  CVSS: 9.8 (Microsoft CVSS 3.1; NVD enrichment pending)  ·  Attack Vector: Network (unauthenticated, no user interaction)  ·  Affected: All supported Windows Server versions (incl. Server 2025)  ·  Fix: May 2026 Patch Tuesday (May 12, 2026)  ·  Status: Active exploitation confirmed in the wild (Centre for Cybersecurity Belgium; reported June 1, 2026)
Compliance Tip of the Day
NIST CSF 2.0 — PR.AA-04 — Protect: Identity Management, Authentication, and Access Control
Treat CI/CD Pipeline OIDC Tokens as First-Class Identity Credentials, Not Background Plumbing

NIST CSF 2.0 PR.AA-04 requires that “Identity assertions are protected, conveyed, and verified” — and the Miasma attack exploited precisely the gap this control addresses: GitHub Actions OIDC tokens were abused to publish malicious npm packages because the compromised account lacked the scope controls and signing verification that a formal identity assertion policy would have enforced. Any CI/CD pipeline using short-lived identity tokens — OIDC, service accounts, or machine identities — should have scope restrictions, signing requirements, and rotation policies as stringent as those applied to human user accounts. Action: Ask your platform engineering team to enumerate every system that accepts OIDC tokens or machine credentials as authentication, confirm each carries a least-privilege scope definition and an audit log, and flag any pipeline that can publish to a package registry or cloud environment without a second-party approval gate. NIST CSF 2.0 reference: csf.tools/pr-aa-04 →
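What a least-privilege scope definition for a pipeline identity token can look like in practice, as an added example that is not code from HARDENED, NIST or GitHub: a check on the claims of a GitHub Actions OIDC token that a registry or cloud role would run before accepting the token as a publish identity. The token's signature is assumed to have been verified against the issuer's JWKS by a JWT library already; the policy values, claim sets and clock below are constructed.

```javascript
// Added example, not code from HARDENED or GitHub: a least-privilege scope
// check on the claims of a GitHub Actions OIDC token before a registry or
// cloud role accepts it as a publish identity. Signature verification is
// assumed already done by a JWT library; this only decides whether the
// verified claims are in scope. Policy and claim values are constructed.
const GITHUB_ISSUER = "https://token.actions.githubusercontent.com";

// One policy per publish target. Repository, ref and workflow file are exact
// matches, so a run from any other branch or workflow is refused.
const PUBLISH_POLICY = {
  audience: "example-registry",
  repository: "example-org/example-sdk",
  ref: "refs/heads/main",
  eventNames: ["push"],
  workflowRef: "example-org/example-sdk/.github/workflows/release.yml@refs/heads/main",
};

function evaluateAssertion(claims, policy, nowSeconds) {
  const reasons = [];
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (claims.iss !== GITHUB_ISSUER) reasons.push("unexpected issuer");
  if (!aud.includes(policy.audience)) reasons.push("audience mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) reasons.push("token expired");
  if (claims.repository !== policy.repository) reasons.push("repository not allowed");
  if (claims.ref !== policy.ref) reasons.push("ref not allowed");
  if (!policy.eventNames.includes(claims.event_name)) reasons.push("event not allowed");
  if (claims.workflow_ref !== policy.workflowRef) reasons.push("workflow not allowed");
  // sub is what cloud trust policies usually match on; require it to agree
  // with the repository and ref claims instead of trusting it on its own.
  if (claims.sub !== `repo:${policy.repository}:ref:${policy.ref}`) reasons.push("sub mismatch");
  return { allowed: reasons.length === 0, reasons };
}

const NOW = 1900000000; // fixed clock for the constructed claims
const RELEASE_CLAIMS = {
  iss: GITHUB_ISSUER, aud: "example-registry", exp: NOW + 300,
  sub: "repo:example-org/example-sdk:ref:refs/heads/main",
  repository: "example-org/example-sdk", ref: "refs/heads/main",
  event_name: "push", workflow_ref: PUBLISH_POLICY.workflowRef,
};
// Same repository, but the run came from a branch other than the release
// branch, which is where an orphan branch pushed into the repository lands.
const STRAY_BRANCH_CLAIMS = {
  ...RELEASE_CLAIMS,
  sub: "repo:example-org/example-sdk:ref:refs/heads/orphan-1",
  ref: "refs/heads/orphan-1",
};
```

The same conditions map directly onto the `sub`, `aud` and custom-claim matches that cloud provider trust policies for GitHub OIDC federation accept, so the policy object can be kept as the single source for both.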

On Our Radar

UEFI Secure Boot KEK certificate expiry — June 24, 2026 (22 days): Microsoft’s Corporation KEK CA 2011 expires June 24; the UEFI CA 2011 follows June 27; the Windows Production PCA 2011 expires October 2026. Organizations with dual-boot Linux configurations or air-gapped systems not receiving automatic firmware updates should confirm remediation plans now. Tracking since Issue #039. Microsoft Support →


This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
