
Red Hat npm packages compromised in supply-chain attack distributing Miasma malware

Tech & Science · AI-Generated & Algorithmically Scored · 1 update

AI-generated from multiple sources. Verify before acting on this reporting.

Development

Additional corroborating reports have emerged regarding the Red Hat npm package compromise. These new accounts confirm the scope of the Miasma malware distribution across the affected '@redhat-cloud-services' namespace. Security teams are now tracking further indicators of compromise linked to the initial breach. The incident continues to evolve as more details surface about the credential-stealing capabilities of the malicious code. Organizations utilizing the compromised packages are advised to review their environments for signs of unauthorized access. The attack remains active, with ongoing efforts to contain the spread of the malware variant. Red Hat has not yet issued a full remediation timeline, but affected users are urged to monitor for updates. The situation underscores the growing risk of supply-chain attacks targeting enterprise infrastructure. Further analysis is expected to reveal the full extent of the breach and potential data exfiltration. Security researchers are working to identify the threat actors responsible for the campaign.

Original Report —

More than 30 software packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack distributing a new variant of the Shai-Hulud credential-stealing malware dubbed 'Miasma.' The incident was detected on June 1, 2026, marking a significant escalation in cyber threats targeting enterprise infrastructure.

The attack leveraged compromised npm packages to distribute the malicious code, which is designed to steal developer credentials, cloud secrets, SSH keys, CI/CD tokens, and other sensitive information. Security researchers identified the malware as a new variant of the Shai-Hulud family, indicating a sophisticated operation aimed at infiltrating development environments and cloud infrastructure.

While the specific threat actor remains unidentified, attribution points toward TeamPCP or another group utilizing leaked source code from the original Mini Shai-Hulud malware. The use of leaked code suggests that the attackers may have gained access to previously stolen intellectual property, repurposing it for a new campaign. This method of operation highlights the evolving nature of cyber threats, where stolen tools are frequently recycled and modified for new attacks.

The compromised packages were hosted on the npm registry, a widely used platform for distributing JavaScript packages. The attack vector exploited the trust developers place in established repositories, allowing the malware to spread to systems that installed the affected packages. Red Hat, a major provider of open-source software solutions, has confirmed the breach and is working to mitigate the impact.

The Miasma malware operates by scanning for sensitive data within the infected environment, including API keys, authentication tokens, and other credentials stored in local files or environment variables. Once collected, the data is exfiltrated to command-and-control servers, where it can be used for further attacks or sold on dark web marketplaces. The malware's ability to target a wide range of credentials makes it particularly dangerous for organizations relying on cloud-based development tools.

Security experts warn that the attack underscores the risks associated with supply-chain vulnerabilities. As organizations increasingly rely on third-party software components, the potential for malicious code to infiltrate trusted systems grows. The incident has prompted calls for enhanced security measures, including more rigorous vetting of software packages and improved monitoring for suspicious activity.

Red Hat has advised users to update their systems immediately and to rotate any credentials that may have been exposed. The company is also collaborating with cybersecurity firms to investigate the full scope of the attack and to identify any additional compromised systems. The incident remains under investigation, with authorities seeking to determine the extent of the damage and the identity of the perpetrators.

The attack raises questions about the security of open-source ecosystems and the measures needed to protect them. As cyber threats continue to evolve, organizations must remain vigilant and proactive in safeguarding their digital assets. The incident serves as a stark reminder of the importance of robust security practices in an increasingly interconnected world.
