Attackers Tainted 32 Red Hat npm Releases, Exposing Secrets Across 80,000 Weekly Downloads

3 articles · Updated · InfoWorld · Jun 2
  • At least 32 releases in Red Hat’s @redhat-cloud-services npm namespace were found with unauthorized code that turned package installs into a secret-stealing worm, and most malicious versions have already been revoked.
  • Wiz said the malware harvested npm tokens, environment variables, cloud credentials and other secrets from developer machines and CI/CD systems, aiming to spread by capturing package-publishing access.
  • The attackers also altered GitHub Actions workflows to request OIDC tokens and publish poisoned packages with valid SLSA provenance, making the releases look legitimate inside trusted software pipelines.
  • Wiz linked the campaign, dubbed Miasma, to the Mini Shai-Hulud malware family seen in earlier npm supply-chain attacks, including code patterns tied to TeamPCP and recent spillover into other package compromises.
  • Affected organizations were urged to check whether the packages were installed, rotate exposed secrets, revoke and reissue npm publishing tokens, and review repository and publishing activity using shared IOCs.

Inside the 2026 Red Hat npm Breach: How 32 Compromised Packages Exposed Millions to Credential-Stealing Malware

Overview

In early June 2026, a major supply chain attack was discovered targeting npm packages under the @redhat-cloud-services scope. StepSecurity researchers found that several packages were distributing malware that executed automatically during every npm install, exposing any project that installed or pinned to the compromised versions. The malware, identified as 'Miasma: The Spreading Blight,' was quickly recognized, and maintainers responded by releasing clean versions for all 32 affected packages. The malicious releases were then pulled from npm, helping to contain the threat and protect the open-source community from further compromise.

...