Infected Red Hat npm packages expose developer credentials

· 2 min read · SecurityXP Editorial Team

The Miasma Breach

Red Hat’s development tooling ecosystem was compromised with a malware variant called Miasma. This malware is a new variant of the Shai-Hulud credential-stealing malware. It’s designed to steal developer credentials, cloud secrets, SSH keys, CI/CD tokens, and other sensitive information. The compromise was limited to internal development tooling. No malicious code was published for customer consumption via the console.redhat.com system.

More than 30 npm packages under Red Hat’s ‘@redhat-cloud-services’ namespace were involved in the security incident. Together these packages received roughly 117,000 weekly downloads, so the potential reach of the compromise is large.

Unpacking the Attack

Developers who consume packages from Red Hat’s ‘@redhat-cloud-services’ namespace on npm are affected. The malware targets platforms like GitHub, AWS, GCP, and Azure to steal identities, tokens, and credentials. To mitigate this threat, developers should remove the affected packages, investigate and secure any compromised GitHub accounts, and roll the npm packages back to versions published before the compromise. AWS, GCP, and Azure keys, tokens, and credentials must be rotated, and GitHub Actions tokens must be revoked and reissued.

The Miasma malware steals sensitive information, and it is not a new pattern: the Shai-Hulud family it descends from has been active for some time.

Aftermath and Response

The evolution of the Shai-Hulud malware to target additional cloud providers is a concern. Attackers are continually adapting to exploit weaknesses in the software development lifecycle. This incident is the latest in a string of supply-chain attacks targeting the npm ecosystem. It highlights the ongoing vulnerability of open-source software repositories to malicious actors.

Security firms Aikido and OX Security discovered the incident. This shows the importance of continuous monitoring and collaboration between security researchers and vendors. Implementing code review processes to prevent similar compromises is a good idea. Monitoring for suspicious activity in developer environments is also recommended. Tools like Orca or Wiz can be used to detect and respond to malware infections.

The timeline of events unfolded rapidly. Developers pulled packages from Red Hat’s @redhat-cloud-services npm namespace and got a secret-stealing worm instead. The compromised packages were published in GitHub source repositories on June 1, 2026. After discovery, Red Hat removed the affected packages from the npm registry. They stated that the compromise was limited to internal development tooling.

For Defenders

Red Hat’s investigation is ongoing. They have not identified any impact to customer or partner environments or Red Hat production systems, but the potential for widespread impact remains a concern. Developers should act immediately to secure their environments: removing the affected packages, investigating and securing compromised accounts, and rolling npm packages back to known-good versions is a good start. These steps help contain the spread of the Miasma malware and protect sensitive credentials.

Sources

  1. https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/
  2. https://github.com/RedHatInsights
  3. https://orca.security/blog
  4. https://www.bleepingcomputer.com/
  5. https://www.helpnetsecurity.com/
SecurityXP Editorial Team Vulnerability Research & News Board

Automated and analyst-reviewed threat intelligence briefings tracking active exploitation campaigns, CVE disclosures, and extortion group activity.
