More than 30 npm packages under Red Hat’s '@redhat-cloud-services' namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed "Miasma." Security researchers at Aikido, OX Security, and Wiz confirmed the breach, which saw malicious commits pushed directly to Red Hat repositories via a compromised employee GitHub account.
The scope of the impact varies by report. Aikido estimated the affected packages receive roughly 117,000 weekly downloads, while Google-owned Wiz reported approximately 80,000 weekly downloads. Socket, a supply-chain security firm, identified 95 compromised package versions as of 11:00:22 UTC on June 1, 2026, and urged organizations to assume compromise and rotate credentials if they have installed any of the poisoned versions.
According to researchers at Wiz, the attackers bypassed standard code review by pushing "malicious orphan commits" to two RedHatInsights repositories. The activity occurred in two distinct waves, and the malware used a preinstall hook to execute a hidden payload automatically during the npm install process.
Socket’s analysis indicates that the payload is designed to exfiltrate sensitive data, including GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, and Git credentials. The malware is identified as a variant of the "Mini Shai-Hulud" worm, which was recently open-sourced by the cybercriminal group TeamPCP.
Red Hat confirmed the removal of the affected packages following the discovery. "Red Hat is aware of security reports regarding certain npm packages within our development tooling ecosystem," the company stated to BleepingComputer. "We immediately initiated an investigation and removed the packages from the npm registry."
Red Hat maintained that the damage was contained within its internal development environment. "The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system," the company said. "While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems."
Despite these assurances, Red Hat did not disclose the specific method used to compromise the employee's GitHub account. Security researchers continue to monitor the situation, with Wiz characterizing the incident as a "live threat" and continuing to track potential new developments.