Dozens of Red Hat packages backdoored through its official NPM channel
- On Monday, attackers compromised a Red Hat employee's GitHub account to distribute npm packages infected with a new malware variant dubbed "Miasma." The IBM-owned software firm's compromised account pushed malicious code to multiple repositories.
- This attack utilizes a derivative of the Shai-Hulud worm, which the TeamPCP cybercriminal group open-sourced last month, enabling other threat actors to modify the framework for credential theft operations.
- Security firm Aikido identified 32 packages and 96 versions affected, which receive around 80,000 weekly downloads; the malicious 4.2 MB payload automatically executes during npm installation to steal cloud credentials and tokens.
- Red Hat immediately removed the packages from the npm registry and stated no customer or production systems were impacted, though the firm advises all users to rotate credentials, secrets, and tokens immediately.
- Security firm Wiz warns that Miasma represents an increased attacker focus on cloud infrastructure; the variant adds advanced obfuscation and targets Microsoft Azure and Google Cloud identities beyond traditional secret theft.
20 Articles
Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week
Security researchers on Monday found dozens of Red Hat npm package releases infected with the Mini Shai-Hulud worm that TeamPCP cybercriminals recently open-sourced. The new supply chain attack hit at least 32 npm package releases published under the Red Hat Cloud Services namespace, according to security researchers from Google-owned Wiz, who traced the malware to one Red Hat employee’s compromised GitHub account. They said the affected package…
Dozens of Red Hat packages backdoored through its official NPM channel
Official Red Hat NPM accounts have been compromised and used to push a malicious worm that spreads from machine to machine, where it pilfers sensitive credentials in hopes of stealing yet more confidential data, researchers said. The supply-chain attack began Monday and remained active at the time this post went live, according to researchers at security firm Aikido. It’s the result of the threat actor responsible for the hack taking control of …
Red Hat npm packages compromised to steal developer credentials
More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed
Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages
Red Hat has officially confirmed a supply chain compromise affecting multiple packages published under the @redhat-cloud-services npm namespace, disclosed publicly on June 1, 2026. A compromised GitHub account was used to inject malicious code into frontend libraries maintained within a Red Hat GitHub organization, raising significant concern across enterprise environments that depend on these packages during container image builds. According to…











