Infected Red Hat npm Packages Leak Credentials
The Miasma Breach
Red Hat’s development tooling ecosystem was compromised with a malware variant called Miasma. This malware is a new variant of the Shai-Hulud credential-stealing malware. It’s designed to steal developer credentials, cloud secrets, SSH keys, CI/CD tokens, and other sensitive information. The compromise was limited to internal development tooling. No malicious code was published for customer consumption via the console.redhat.com system.
More than 30 npm packages under Red Hat’s ‘@redhat-cloud-services’ namespace were involved in the security incident. These packages received roughly 117,000 weekly downloads. This is a big deal. The potential for widespread impact is huge.
Unpacking the Attack
Developers who use Red Hat’s ‘@redhat-cloud-services’ namespace on npm are affected. The malware targets platforms like GitHub, AWS, GCP, and Azure to steal identities, tokens, and credentials. To mitigate this threat, developers should remove affected packages from the npm registry. They should investigate and secure compromised GitHub accounts. Updating npm packages to versions prior to the compromise is also crucial. Rotating and updating AWS, GCP, and Azure keys, tokens, and credentials is necessary. Revoking and updating GitHub Actions tokens is a must.
The Miasma malware is bad news. It can steal sensitive information. This is not the first time we’ve seen something like this. The Shai-Hulud malware has been around for a while.
Aftermath and Response
The evolution of the Shai-Hulud malware to target additional cloud providers is a concern. Attackers are continually adapting to exploit weaknesses in the software development lifecycle. This incident is the latest in a string of supply-chain attacks targeting the npm ecosystem. It highlights the ongoing vulnerability of open-source software repositories to malicious actors.
Security firms Aikido and OX Security discovered the incident. This shows the importance of continuous monitoring and collaboration between security researchers and vendors. Implementing code review processes to prevent similar compromises is a good idea. Monitoring for suspicious activity in developer environments is also recommended. Tools like Orca or Wiz can be used to detect and respond to malware infections.
The timeline of events unfolded rapidly. Developers pulled packages from Red Hat’s @redhat-cloud-services npm namespace and got a secret-stealing worm instead. The compromised packages were published in GitHub source repositories on June 1, 2026. After discovery, Red Hat removed the affected packages from the npm registry. They stated that the compromise was limited to internal development tooling.
For Defenders
Red Hat’s investigation is ongoing. They have not identified any impact to customer or partner environments or Red Hat production systems. However, the potential for widespread impact remains a concern. Developers should take immediate action to secure their environments and prevent similar compromises. Removing affected packages, investigating and securing compromised accounts, and updating npm packages is a good start. By taking these steps, developers can help prevent the spread of the Miasma malware and protect their sensitive information.
Sources
- https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/
- https://github.com/RedHatInsights
- https://orca.security/resources/blog/
- https://www.bleepingcomputer.com/
- https://www.helpnetsecurity.com/
Automated and analyst-reviewed threat intelligence briefings tracking active exploitation campaigns, CVE disclosures, and extortion group activity.
Security Digest
Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.
Related Articles
Secure Amazon container workloads using container attribute-based rules in AWS Network Firewall
If you run AI and machine learning (ML) workloads on Amazon EKS, such as model inference, RAG pipelines, or JupyterHub, your containerized workloads require the same firewall protections you enforce f...
TechnologyICANN Sets October 2026 DNS Trust Anchor Rollover
The Domain Name System, or DNS, is getting a major update to its security protocol. This update, scheduled for October 2026, affects the DNS Security Extensions root zone Key Signing Key, a crucial co...
TechnologyDell BIOS Flaw Lets Attackers Recover Admin Passwords From SPI Flash in Milliseconds Cybersecurity
Tracked as CVE-2026-40639 and addressed in Dell Security Advisory DSA-2026-197, the issue affects certain Dell client platforms that use the proprietary DVAR...
TechnologyWeekly Metasploit Update: Exploits for FlowiseAI CSV Agent and MacOS Package Kit Cybersecurity
Flowise CSV Agent Prompt Injection RCE Authors: Takahiro Yokoyama and zdi-disclosures Type: Exploit Pull request: 21407 contributed by Takahiro-Yoko Path...