Back Issues This Week → Calendar → Current Issue → Popular →

All issuesVolume 339, Issue 4IT Vendor NewsTenable

What the Miasma Campaign Reveals About the New Supply Chain Threat Model and the Underground Market for Developer Credentials

Tenable, Tuesday, June 23rd, 2026

Tenable Research details the Miasma npm supply-chain campaign and an emerging market for stolen developer credentials.

The Miasma campaign was a sophisticated supply-chain attack that compromised more than 89 npm packages using a stolen Red Hat developer credential that sat in underground markets for seven weeks before weaponization.

It introduced valid SLSA provenance attestations on malicious packages, novel techniques bypassing install-script monitoring, and persistence mechanisms targeting AI coding assistants like Claude Code and Cursor.

Tenable Research frames this as evidence of a structured Developer Credential Economy where credentials are harvested, traded, and weaponized. Open-sourcing of the toolchain risks copycat campaigns across npm, PyPI, and GitHub.

more →  ·  More from Tenable →