Red Hat npm supply-chain attack backdoors 32 packages with credential-stealing worm

Red Hat's npm namespace compromised: 96 versions infected, 116K weekly downloads.

Deep Dive

Red Hat's npm supply-chain attack used a compromised GitHub account to inject malicious preinstall hooks into 32 packages (96 versions) in the @redhat-cloud-services namespace. The malware, a variant of the Mini Shai-Hulud worm dubbed Miasma, was published through GitHub Actions OIDC tokens. Every install of an infected version (the affected packages total 116,991 downloads per week) ran a payload that steals secrets from GitHub, AWS, SSH, and other environments. Red Hat has removed the packages but has not yet published a full post-mortem.

The worm's self-spreading behavior is what makes it particularly dangerous: once it runs on a machine with npm publishing access, it republishes every package that user can manage with the same malicious hook, turning each victim into a further distribution point. Security firms link the attack to broader campaigns targeting CI/CD pipelines. Users of @redhat-cloud-services packages should rotate all tokens, revoke any OIDC credentials that may have been exposed, and audit their environments for signs of credential theft.

Key Points
  • 96 versions across 32 Red Hat npm packages backdoored with Miasma worm variant, downloaded 116,991 times weekly
  • Attack used compromised GitHub account and GitHub Actions OIDC tokens to inject preinstall hooks
  • Worm steals credentials from GitHub, AWS, SSH, CI/CD systems and spreads by republishing malicious packages

Why It Matters

Supply-chain attacks like this compromise every downstream user of the affected packages; organizations must audit their npm dependencies for install-time scripts and lock down the credentials their CI/CD pipelines use to publish.