THREAT OPS › Threat News › What the Miasma campaign reveals about the new supply chain threat model and the underground market for developer credentials
What the Miasma campaign reveals about the new supply chain threat model and the underground market for developer credentials
<p>A stolen session cookie sat in underground markets for seven weeks before attackers used it to poison 32 Red Hat packages in the npm software registry, an example of the industrial approach behind modern supply chain attacks.</p><div class="blog-see-also"><div class="col-sm-12"><h2>Key takeaways</h2><ol><li>Miasma is a self-propagating npm worm derived from <a href="https://www.tenable.com/blog
Attributed threat actors
MITRE ATT&CK techniques
Indicators of compromise
- https://devops.com/github-takes-down-73-microsoft-repos-after-miasma-worm-attack/url
- https://openssf.org/projects/slsa/url
- https://whiteintel.io/blog/red-hat-miasma-supply-chain-attackurl
- https://arstechnica.com/security/2026/03/widely-used-trivy-scanner-compromised-in-ongoing-supply-chain-attack/url
- https://spycloud.com/resource/report/spycloud-annual-identity-exposure-report-2025/url
- https://cybersecuritynews.com/binding-gyp-supply-chain-attack-compromises-dozens-of-npm-packages/url
- https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watchurl