{"id":16308,"date":"2026-06-02T12:16:08","date_gmt":"2026-06-02T12:16:08","guid":{"rendered":"https:\/\/newestek.com\/?p=16308"},"modified":"2026-06-02T12:16:08","modified_gmt":"2026-06-02T12:16:08","slug":"infected-red-hat-npm-packages-expose-developer-credentials","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16308","title":{"rendered":"Infected Red Hat npm packages expose developer credentials"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Developers who pulled packages from Red Hat\u2019s @redhat-cloud-services npm namespace over the weekend got a secret-stealing worm instead.<\/p>\n<p>Security researchers from several cybersecurity outlets are warning of a new supply chain attack compromising over 30 Red Hat Cloud Services-related npm packages to steal credentials, authentication tokens, and other secrets from developer environments.<\/p>\n<p>The campaign, which Wiz researchers are tracking as Miasma, is thought to be the latest evolution of <a href=\"https:\/\/www.csoonline.com\/article\/4123250\/shai-hulud-co-the-supply-chain-as-the-achilles-heel.html\">Shai-Hulud<\/a>, a self-propagating malware family that has repeatedly surfaced in software supply chain attacks targeting the npm ecosystem.<\/p>\n<p>\u201cInvestigation revealed that at least 32 package releases contained unauthorized modifications that do not match the corresponding source repositories,\u201d Wiz researchers said in a blog <a href=\"https:\/\/www.wiz.io\/blog\/miasma-supply-chain-attack-targeting-redhat-npm-packages\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>. 
\u201cThese packages cumulatively average ~80,000 weekly downloads.\u201d<\/p>\n<p>By compromising packages associated with Red Hat Cloud Services, the attackers are targeting a software ecosystem that many organizations already trust. The good news is that most of the packages feared to be infected are already removed, the researchers noted.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Shai-Hulud came for trusted packages<\/h2>\n<p>According to <a href=\"https:\/\/www.aikido.dev\/blog\/red-hat-npm-packages-compromised-credential-stealing-worm\">reports<\/a>, attackers compromised npm packages published under a Red Hat Cloud Services-related namespace and inserted malware capable of executing automatically during package installation.<\/p>\n<p>The malicious payload was designed to steal a wide range of credentials and secrets from infected environments. Researchers observed attempts to collect npm authentication tokens, environment variables, cloud credentials, and other sensitive information commonly stored on developer workstations and CI\/CD systems.<\/p>\n<p>Wiz\u2019s analysis found that the malware belonged to the Mini Shai-Hulud family, a credential-stealing threat that has repeatedly appeared in npm ecosystem attacks throughout the year. \u201cThe payload appears to be derived from the (Mini) Shai-Hulud malware open-sourced by TeamPCP,\u201d the researchers said. 
\u201cThe observed modifications are largely cosmetic, with references to the Dune universe replaced by Greek mythology themes (i.e., \u2018spartan\u2019), while the underlying functionality and tradecraft remain substantially similar.\u201d<\/p>\n<p>The malware variant was seen creating repositories containing the description \u201cMiasma: The Spreading Blight.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Supply chain is the focus, again<\/h2>\n<p>While credential theft was an immediate objective, researchers say the campaign\u2019s broader goal appears to have been persistence and expansion within software distribution ecosystems.<\/p>\n<p>According to Wiz, the malware actively searched for credentials associated with package publishing workflows. OX Security similarly <a href=\"https:\/\/www.ox.security\/blog\/new-npm-supply-chain-attack-redhat-cloud-services-compromised\/\">noted<\/a> that the code targeted secrets that could enable attackers to move beyond the initially compromised packages and gain access to additional developer accounts and repositories.<\/p>\n<p>Wiz also found that the attackers modified package publishing workflows to make the malicious releases appear legitimate. A GitHub Actions workflow requested GitHub OpenID Connect (OIDC) identity tokens and executed an obfuscated payload that published packages with valid <a href=\"https:\/\/www.csoonline.com\/article\/575067\/openssf-releases-slsa-v1-0-adds-software-supply-chain-specific-tracks.html\">SLSA<\/a> provenance attestations. This allowed the compromised releases to carry trusted supply-chain metadata.<\/p>\n<p>The technique draws from an earlier attack against <a href=\"https:\/\/www.csoonline.com\/article\/4170284\/mistral-ai-sdk-tanstack-router-hit-in-npm-software-supply-chain-attack.html\">TanStack<\/a> by TeamPCP, the threat actor behind open-sourcing the Mini Shai-Hulud malware. 
Parallels with the threat actor\u2019s code were observed in the recent Megalodon campaign, too, indicating an active spillover from the months-old supply chain rampage.<\/p>\n<p>For affected organizations, the immediate priority is determining whether the malicious packages were installed and whether any credentials may have been exposed. The researchers recommended rotating potentially compromised secrets, revoking and reissuing npm publishing tokens, and reviewing repository and package publishing activities.<\/p>\n<p>Wiz researchers said \u201cmost\u201d malicious versions were revoked at the time of publishing the disclosure. The company also shared a list of indicators of compromise (IOCs) along with the names of infected packages for additional support.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Developers who pulled packages from Red Hat\u2019s @redhat-cloud-services npm namespace over the weekend got a secret-stealing worm instead. Security researchers from several cybersecurity outlets are warning of a new supply chain attack compromising over 30 Red Hat Cloud Services-related npm packages to steal credentials, authentication tokens, and other secrets from developer environments. 
The campaign, which Wiz researchers are tracking as Miasma, is thought to be&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16308\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16308","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16308","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16308"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16308\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}