🚨 SlowMist TI Alert 🚨
MistEye has detected an active npm supply-chain attack compromising @redhat-cloud-services packages. Reported impact includes 31+ affected packages, about 116,282 weekly downloads, and 300+ GitHub repositories containing stolen credentials. The attack techniques show strong similarities to the previous Shai-Hulud npm campaign, including credential harvesting, malicious repository creation, and automated secret exfiltration. Public GitHub searches for the “Miasma: The Spreading Blight” marker, sorted by recent updates, still show newly appearing suspicious repositories, indicating that users are still being compromised.
Potential attacker actions include GitHub/npm token theft, AWS/GCP/Azure credential theft, SSH key and Kubernetes secret collection, local environment and wallet data exfiltration, malicious GitHub repository creation, persistence, and destructive behavior if stolen tokens are revoked.
Immediately remove or downgrade affected @redhat-cloud-services package versions, audit CI/CD workflows and dependency installs, rotate GitHub, npm, cloud, SSH, and wallet-related secrets, preserve logs, and rebuild exposed developer machines or runners from clean images.
As always, stay vigilant!
Live hunt: