Red Hat npm Packages Backdoored to Steal Dev Credentials

Over 30 npm packages under Red Hat's @redhat-cloud-services namespace were backdoored in a supply-chain attack that distributed a new credential-stealing malware called Miasma. Security firms Aikido and OX Security disclosed the incident, identifying 32 packages and 96 package versions carrying malicious payloads. The affected packages pull roughly 117,000 weekly downloads combined, meaning the Red Hat npm packages compromise had real reach before removal.

Red Hat confirmed it pulled the affected packages from the registry. The company says the packages were limited to internal development tooling and that no customer-facing systems or production environments were impacted.

How Attackers Gained Access Through GitHub

The attack started with a compromised Red Hat employee GitHub account. From there, the attackers pushed malicious commits directly into multiple repositories. Those commits introduced a GitHub Actions workflow that abused npm's OIDC trusted publishing mechanism.

The workflow used the id-token: write permission to request a short-lived OIDC token from GitHub, then authenticated directly with npm's publish endpoint. That let the attackers release backdoored versions of every targeted package without needing stored npm credentials. No password needed. Just a poisoned workflow and a hijacked account.

What the Miasma Malware Actually Does

Each backdoored package included a preinstall script pointing to an obfuscated index.js file approximately 4.2 MB in size. The moment a developer ran npm install, that script executed automatically.

The payload targeted a wide range of secrets stored on the host machine:

• AWS, Google Cloud, and Azure credentials
• GitHub Actions secrets and CI/CD tokens
• Kubernetes service account tokens
• npm and PyPI publishing tokens
• SSH keys, GPG keys, Docker credentials
• HashiCorp Vault tokens
• .env files

Miasma appears to be a variant of the Mini Shai-Hulud malware framework, source code for which was publicly leaked by the TeamPCP threat group in May 2026. OX Security notes that Miasma retains the same core credential-stealing logic but adds more obfuscation layers, multi-stage payload delivery, and expanded data harvesting. Whether TeamPCP ran this campaign or another actor modified the leaked code remains unclear. At time of writing, 309 GitHub repositories show signs of Miasma compromise.

Developer Impact: What's Actually at Risk

If your environment installed any of the affected @redhat-cloud-services package versions, you should assume every credential on that machine is compromised. That includes secrets in environment variables, files on disk, and anything accessible through your cloud provider's metadata API.

The Shai-Hulud family has already hit Bitwarden, SAP, Mistral, TanStack, and OpenAI in recent months. This is not a targeted, surgical attack. The malware grabs everything it can find and exfiltrates it. The attack surface here includes not just the infected machine but any downstream systems those credentials touch.

How to Respond and Protect Your Pipeline

If you pulled any affected versions, rotate everything immediately. That means cloud IAM credentials, SSH keys, Docker registry tokens, npm tokens, and any secrets stored in CI/CD environment variables.

Beyond incident response, several steps reduce exposure going forward:

• Audit preinstall and postinstall scripts in your package.json dependencies before running installs. Tools like npm audit and socket.dev flag suspicious scripts.
• Pin exact package versions in lockfiles and verify checksums. Do not rely on version ranges for production installs.
• Restrict id-token: write permissions in GitHub Actions workflows to only jobs that genuinely need OIDC publishing.
• Monitor for unexpected outbound connections from your build environments.
• Run a free automated scan of your web-facing infrastructure to check for other exposed attack surfaces in your stack.

The OIDC trusted publishing model is convenient, but this attack shows it becomes a liability the moment someone gains write access to a repository. Least-privilege on GitHub Actions permissions is not optional hygiene anymore.

Can I tell if I installed a compromised package version? Check your package-lock.json or yarn.lock for any @redhat-cloud-services packages installed between late May and early June 2026. Cross-reference against the Aikido advisory for the full list of affected versions.

Should I rotate credentials even if I only installed the package in a dev environment? Yes. Dev machines often have the same cloud credentials and SSH keys as CI systems. The malware targets .env files and credential stores regardless of environment context.

How did the attackers abuse GitHub OIDC without stored npm tokens? GitHub's OIDC trusted publishing lets a workflow request a short-lived token scoped to npm publishing. If a workflow has id-token: write and an attacker controls the workflow file, they can publish to npm as the registered package owner without ever knowing a password or API key.

Your dependencies are only as safe as the accounts maintaining them. Run a full scan of your attack surface at VibeWShield.