IBM and Red Hat Launch Project Lightwell to Mitigate Miasma-Style Supply Chain Worms

The Miasma supply chain campaign compromised the @redhat-cloud-services npm namespace by using compromised GitHub accounts to push orphaned commits, bypassing code review. Attackers exploited GitHub Actions OIDC identity tokens to publish malicious packages carrying valid SLSA provenance attestations, deploying a derivative of the Mini Shai-Hulud worm. The 4.2 MB obfuscated payload targets credentials for AWS, GCP, Azure, Kubernetes, and HashiCorp Vault and self-propagates using stolen npm tokens. In response, IBM and Red Hat launched Project Lightwell, a $5 billion AI-driven security clearinghouse designed to automate the validation and backporting of security fixes across the open-source ecosystem.
