Security WeekArchived Jun 02, 2026✓ Full text saved
Hackers published 96 malicious package versions, injected with a credential-stealing worm similar to Mini Shai-Hulud. The post Supply Chain Attack Hits 32 Red Hat NPM Packages appeared first on SecurityWeek .
Full text archived locally
✦ AI Summary· Claude Sonnet
On Monday, hackers hit Red Hat’s NPM repository in a new supply chain attack, publishing malicious versions of 32 packages to distribute a credential-stealing worm.
Within a 72-second window, the threat actor published poisoned iterations across all 32 packages, likely using automation, ReversingLabs notes.
The affected packages cover the entire Red Hat Hybrid Cloud Console JavaScript ecosystem and have nearly 10 million collective downloads.
According to Aikido, the attackers likely compromised the CI/CD pipeline and used the GitHub Actions OIDC to publish the malicious package versions. ReversingLabs believes that the hackers had access to @redhat-cloud-services NPM scope credentials.
The packages contained a preinstall hook that led to the execution of malware during NPM install, before the package is imported or used.
The payload contains the string “Miasma: The Spreading Blight” and appears to be a variant of the Mini Shai-Hulud worm that TeamPCP used in several attacks against the open source software community over the past months.
The hacking group released the malware’s source code last month, inviting miscreants to use it in supply chain attacks as part of a challenge.
According to Ox Security, the threat actor behind the Red Hat compromise infected a repository on May 29, likely to test its capabilities.
The malware was designed to harvest “GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, Git credentials, and other sensitive files,” Socket reports.
Like Mini Shai-Hulud, it exfiltrates the collected data to an attacker-controlled server and uses a GitHub-based fallback mechanism, publishing the stolen information to newly created public repositories.
While the full scope of infection is yet unknown, Ox identified 210 repositories containing stolen credentials, suggesting that at least as many developers were infected after downloading and installing the malicious Red Hat package versions.
The malware was also observed attempting to use stolen GitHub tokens to enumerate repositories. It contains a GitHub Actions workflow modification logic and can write malicious index.js payloads into repositories/actions.
Red Hat maintainers have published clean versions of all 32 affected packages, and the malicious iterations have been removed from NPM.
Users are advised to update to a clean release as soon as possible. Anyone who installed a malicious version should consider their system and build environment compromised and should immediately rotate credentials, tokens, API keys, and other sensitive information the malware might have accessed.
Developers are also advised to check transitive dependencies, as the packages are widely used as indirect libraries, and to monitor their environments for anomalous outbound connections.
Related: IBM and Red Hat Commit $5 Billion to Secure Open Source Supply Chains Under “Project Lightwell”
Related: ‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems
Related: Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack
Related: Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.
More from Ionut Arghire
19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access
Recent Palo Alto Networks Vulnerability Exploited for Weeks
Exploit Code Published for Critical Flowise RCE Vulnerability
Charter Communications Data Breach Could Impact Nearly 5 Million
MokN Raises $15 Million for Phish-Back Platform
Gogs Zero-Day Exposes Servers to Remote Code Execution
Chrome 148 Update Patches 151 Vulnerabilities
Geordie Raises $30 Million for AI Security and Governance Platform
Latest News
Oracle WebLogic Vulnerability Exploited in the Wild
Meta AI Hands Over High-Profile Instagram Accounts to Hackers
Dashlane Brute-Force Attack Leads to Limited Encrypted Vault Downloads
Oracle’s First Monthly Patches Resolve 77 Vulnerabilities
WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites
Dutch Police Dismantle Massive 17-Million-Device Botnet
Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs
Dragos Acquires xIoT Security Firm Phosphorus
Trending
Virtual Event: Threat Detection And Incident Response Summit
On-Demand
Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.
Register
Webinar: Third-Party Risk In Practice
June 4, 2026
Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice.
Register
People on the Move
Rapid7 announced that Wael Mohamed will assume the role of Chief Executive Officer, replacing current Chief Executive Officer Corey Thomas, who will become Executive Chairman of the Board.
Anurag Jain has been appointed Senior Vice President of Engineering at CodeHunter.
CTERA has appointed Tal Sarfaty as Senior Vice President of Cybersecurity.
More People On The Move
Expert Insights
Raising The Cybersecurity Stakes: Ante Up For The Agentic Era
CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael)
Caught Off Guard: Securing AI After It Hits Production
As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb)
Cyber Resilience Is The New Business Continuity Plan
The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin)
Enhancing Data Center Security Without Sacrificing Performance
For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael)
Is The SOC Obsolete, And We Just Haven’t Admitted It Yet?
Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au)
Flipboard
Reddit
Whatsapp
Email