Red Hat says more than 30 npm packages were backdoored to steal developer and cloud credentials

More than 30 npm packages in Red Hat's @redhat-cloud-services namespace were compromised and used to deliver credential-stealing malware to developers who installed them. Researchers say attackers likely took over a Red Hat employee GitHub account, added malicious GitHub Actions workflows, and abused npm trusted publishing to release 96 backdoored package versions. The malware, a new Shai-Hulud variant dubbed Miasma, targeted GitHub Actions secrets, cloud credentials, SSH keys, package publishing tokens, Vault tokens, Kubernetes service-account tokens, Docker credentials, GPG keys, and .env files.
Why it matters: Developers and organizations that installed the affected packages may have had sensitive keys and tokens stolen, which can lead to wider compromise of code, cloud systems, and build pipelines. This is urgent: identify affected installs, remove the packages, and rotate all credentials and secrets that were present on impacted machines or CI/CD systems.
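An added example, not code from Red Hat or the cited reports: one way to approach the "identify affected installs" step is to list every @redhat-cloud-services entry that a parsed package-lock.json resolves, including nested and aliased installs. The package names in the sample lockfile are constructed, and KNOWN_BAD is a placeholder to fill from the vendor advisory, since this page does not list the affected versions.

```javascript
const SCOPE = "@redhat-cloud-services/";

// Placeholder: add "name@version" strings from the vendor advisory.
// This page does not list affected versions, so none are given here.
const KNOWN_BAD = new Set([]);

// lockfileVersion 2/3 keys look like "node_modules/a/node_modules/@scope/pkg".
function nameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? null : path.slice(idx + "node_modules/".length);
}

// lock: the object from JSON.parse() of a package-lock.json file.
function findScoped(lock, scope = SCOPE, knownBad = KNOWN_BAD) {
  const hits = [];
  const record = (name, version, location) => {
    if (!name || !name.startsWith(scope)) return;
    const flagged = knownBad.has(`${name}@${version}`);
    hits.push({ name, version, location, flagged });
  };
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "name" is set for aliased installs.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      record(meta.name || nameFromPath(path), meta.version, path);
    }
  } else {
    // v1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const here = `${trail}node_modules/${name}`;
        record(name, meta.version, here);
        walk(meta.dependencies, `${here}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile; package names and versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/example-pkg": { version: "1.2.3" },
    "node_modules/left/node_modules/@redhat-cloud-services/example-pkg": { version: "1.2.4" },
    "node_modules/alias-pkg": { name: "@redhat-cloud-services/other-example", version: "0.9.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
for (const h of findScoped(SAMPLE_LOCK)) console.log(h.location, h.version, h.flagged);
```

Run it over the lockfile of every project and CI image, and treat any host that installed a flagged version as having exposed the credential types listed above.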

Sources

The ‘Miasma’ worm source code briefly leaked on GitHub
Bill Toulas 2026.06.10 67% relevant
The article says Miasma was previously linked to the Red Hat npm package compromise and provides new technical context on the malware family behind that event, including credential theft from build environments, cloud services, and CI/CD pipelines and its self-propagating package poisoning behavior.
Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks
Ionut Arghire 2026.06.09 86% relevant
The piece explicitly identifies the Red Hat npm package incident as the first June 1 Miasma wave, adding that it was part of a broader coordinated Shai-Hulud outbreak affecting dozens more npm and PyPI packages.
Red Hat removes tainted packages after software pipeline compromise
2026.06.02 98% relevant
This article is a direct update on the same Red Hat package compromise, adding that 32 affected packages were being downloaded about 117,000 times per week, that Red Hat traced distribution to a compromised GitHub account, removed the packages, and linked the malware to a Mini Shai-Hulud variant dubbed Miasma.
Supply Chain Attack Hits 32 Red Hat NPM Packages
Ionut Arghire 2026.06.02 98% relevant
This article covers the same Red Hat npm supply-chain attack and adds specifics on the timing and scale of publication (96 malicious versions across 32 packages in 72 seconds), suspected access path (CI/CD or npm scope credentials), links to the Mini Shai-Hulud-style worm, and evidence that at least 210 repositories may contain stolen credentials.
Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week
2026.06.01 98% relevant
This directly updates the same Red Hat npm supply-chain compromise, adding that at least 32 package releases in the @redhat-cloud-services namespace were infected with a Mini Shai-Hulud variant, tied by Wiz to a compromised Red Hat employee GitHub account, with package download volume around 80,000 per week and expanded Azure/GCP credential theft behavior.
Red Hat npm packages compromised to steal developer credentials
Lawrence Abrams 2026.06.01 100% relevant
This article establishes a distinct supply-chain incident centered on compromised Red Hat npm packages and a Miasma/Shai-Hulud credential-stealing payload, not the same underlying event as the existing @antv Mini Shai-Hulud story or other tracked package compromises.