Red Hat npm packages compromised to steal developer credentials

Published: 1 June 2026 at 21:38:29

Alert date: 1 June 2026 at 22:04:03

Source: bleepingcomputer.com

Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration

Over 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack. The attack distributed a new variant of the Shai-Hulud credential-stealing malware called 'Miasma'. This represents a significant supply chain compromise targeting developer credentials through trusted Red Hat packages. The attack affects the npm ecosystem and poses risks to developers using these packages.

Technical details

Attackers compromised a Red Hat employee's GitHub account to push malicious commits that added GitHub Actions workflows and scripts. The malicious workflow uses OIDC tokens to authenticate with npm's trusted publishing endpoint and publish backdoored packages. Compromised packages contained a preinstall script that executed a heavily obfuscated 4.2 MB index.js payload. The malware is a variant of Shai-Hulud called 'Miasma' that steals credentials including GitHub Actions secrets, AWS credentials, Google Cloud credentials, Azure service principal credentials, HashiCorp Vault tokens, Kubernetes tokens, npm/PyPI tokens, SSH keys, Docker credentials, GPG keys, and .env files.

Mitigation steps:

Organizations that installed any affected versions should immediately rotate all credentials, secrets, and tokens utilized by code on the infected device. Red Hat removed the affected packages from the npm registry.

Affected products:

@redhat-cloud-services npm packages (32 packages, 96 package versions)
Red Hat internal development tooling

IOCs:

Preinstall script: node index.js
Obfuscated index.js file (~4.2 MB)
"Miasma: The Spreading Blight" comment string in compromised repositories
GitHub Actions workflow with OIDC_PACKAGES environment variable
_index.js script that abuses npm publishing mechanism
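
The indicators above can be checked against a project's lockfile, an installed package, and a repository checkout. The following JavaScript is an added example, not code from the advisory or from Red Hat; the function names, the 4,000,000-byte size floor and the sample package names are assumptions, while `hasInstallScript` is the flag npm records in `package-lock.json` for packages that declare install scripts.

```javascript
// Added example: matches the indicators listed in this advisory against local data.
const SCOPE = '@redhat-cloud-services/';
const NM = 'node_modules/';
const PREINSTALL_IOC = 'node index.js';         // IoC: preinstall script
const MARKER = 'Miasma: The Spreading Blight';  // IoC: comment string in repositories
const SIZE_FLOOR = 4000000;                     // assumption: just under the ~4.2 MB payload

// Package name from a lockfile path such as "node_modules/a/node_modules/@scope/b".
const pkgName = (p) => (p.lastIndexOf(NM) < 0 ? '' : p.slice(p.lastIndexOf(NM) + NM.length));

// package-lock.json (lockfileVersion 2 or 3): scoped packages that declare install scripts.
function lockfileSuspects(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, e]) => pkgName(p).startsWith(SCOPE) && e.hasInstallScript === true)
    .map(([p, e]) => `${pkgName(p)}@${e.version}`);
}

// One installed package: its parsed package.json plus the byte size of its index.js.
function packageFindings(manifest, indexJsBytes) {
  const findings = [];
  const pre = String((manifest.scripts || {}).preinstall || '').trim();
  if (pre === PREINSTALL_IOC) findings.push('preinstall runs "node index.js"');
  if (indexJsBytes >= SIZE_FLOOR) findings.push('index.js is multi-megabyte');
  return findings;
}

// A repository checkout given as { relativePath: fileText }.
function repoFindings(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (/^\.github\/workflows\/[^/]+\.ya?ml$/.test(path) && text.includes('OIDC_PACKAGES'))
      findings.push(`${path}: workflow references OIDC_PACKAGES`);
    if (text.includes(MARKER)) findings.push(`${path}: Miasma marker string`);
    if (/(^|\/)_index\.js$/.test(path)) findings.push(`${path}: _index.js present`);
  }
  return findings;
}

// Constructed sample lockfile; package names and versions are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@redhat-cloud-services/example-pkg': { version: '0.0.0', hasInstallScript: true },
  'node_modules/@redhat-cloud-services/other-pkg': { version: '0.0.0' },
  'node_modules/unrelated-pkg': { version: '0.0.0', hasInstallScript: true },
} };
console.log(lockfileSuspects(SAMPLE_LOCK));
```

A hit from `lockfileSuspects` only shows that a package in the scope with an install script is present; this page does not list the affected versions, so treat hits as candidates for review alongside the other two checks.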

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy, or completeness of this information.