Introduction
A significant Red Hat supply chain compromise has impacted dozens of npm packages, putting developers and enterprise infrastructure at risk. The malware, identified as the Miasma worm, steals credentials from cloud platforms, CI/CD pipelines, and developer systems. This attack demonstrates how software supply chains have become prime targets for cybercriminals.
Developers installing affected packages faced a hidden threat. Malicious preinstall hooks executed automatically, capturing GitHub tokens, SSH keys, npm credentials, and other sensitive data. Consequently, trusted open source ecosystems no longer guarantee security.
What Happened
Security researchers discovered that over 30 npm packages under Red Hat's official namespace had been backdoored. These packages executed malicious code during installation and targeted developer secrets along with cloud credentials.
Some of the compromised packages included:
• @redhat-cloud-services/vulnerabilities-client
• @redhat-cloud-services/rbac-client
• @redhat-cloud-services/remediations-client
• @redhat-cloud-services/sources-client
Red Hat promptly removed the affected packages. Investigators believe the attack started with compromised Red Hat credentials rather than flaws in npm itself.
Technical Analysis
The Red Hat supply chain compromise relied on malicious preinstall hooks in npm packages. These hooks ran automatically during installation. Attackers used obfuscation techniques to evade detection by security tools.
Once active, the malware harvested:
• AWS, Azure, and Google Cloud credentials
• GitHub and GitLab tokens
• SSH private keys
• npm authentication tokens
• Kubernetes secrets
• Vault secrets
Data collected by the malware was encrypted before exfiltration. Moreover, the worm attempted to propagate by compromising additional repositories.
Attack Chain
• Developer installs compromised npm package
• Preinstall hook executes automatically
• Local credential harvesting occurs
• Cloud secrets are collected
• GitHub tokens are stolen
• CI/CD secrets are extracted
• Data is encrypted and sent to attackers
• Access to additional repositories is obtained
• Malicious packages are injected into other projects
This sequence highlights the speed and impact of modern supply chain attacks.
Threat Actor Tactics
Attackers behind this supply chain compromise used:
• Package poisoning
• Credential theft
• Secret harvesting
• CI/CD targeting
• Cloud credential abuse
• Repository compromise
• Worm propagation
These tactics align with recent trends in supply chain cyberattacks.
Why This Issue Matters
The compromise exposes multiple risks:
• Enterprise risks: Theft of source code and of CI/CD and cloud credentials.
• Cloud security risks: Exfiltrated secrets allow access to cloud environments.
• DevSecOps risks: CI/CD pipelines and build systems are targeted, increasing downstream exposure.
• SMB risks: Small businesses may lack monitoring and secret management.
• Operational risks: Credential theft can lead to service disruption, compliance issues, and long-term espionage.
Potential Attack Scenarios
• CI/CD pipeline compromise using stolen GitHub tokens
• Cloud environment breach via harvested credentials
• Repository takeover for injecting malicious code
• Kubernetes cluster compromise through stolen secrets
• Malware propagation across downstream users
Detection and Monitoring Strategies
• Log npm package installations and lifecycle hook execution
• Audit cloud credentials and SSH key usage
• Inspect GitHub and CI/CD pipelines for anomalies
• Monitor EDR for suspicious process execution
• Conduct threat hunting for Miasma malware indicators
Mitigation Recommendations
• Remove affected npm packages immediately
• Rotate exposed credentials, SSH keys, and tokens
• Audit CI/CD secrets and access controls
• Enable software composition analysis and SBOM tracking
• Harden repository and package management security
• Deploy Zero Trust principles in development and cloud environments
• Conduct threat hunting and incident response exercises
• Validate package integrity continuously
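As an added example (not code from the article or from Red Hat), the following Node.js script supports both the lifecycle-hook detection item above and the removal and integrity-validation mitigations: it checks a parsed package-lock.json for the compromised package names the article lists and reports the install-time hooks a dependency's package.json declares. The sample lockfile, versions and hook command are constructed.

```javascript
// Package names taken from the article's list of compromised packages.
const COMPROMISED = new Set([
  '@redhat-cloud-services/vulnerabilities-client',
  '@redhat-cloud-services/rbac-client',
  '@redhat-cloud-services/remediations-client',
  '@redhat-cloud-services/sources-client',
]);

// Scripts npm executes without any user action during `npm install`.
const AUTO_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

// lock: parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
// Returns every installed copy of a package on the compromised list.
function findCompromised(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const idx = path.lastIndexOf('node_modules/');
    const name = entry.name || (idx >= 0 ? path.slice(idx + 'node_modules/'.length) : path);
    if (COMPROMISED.has(name)) hits.push({ name, version: entry.version, path });
  }
  return hits;
}

// manifest: a dependency's parsed package.json. Returns the install-time
// hooks it declares, for review before installing without --ignore-scripts.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return AUTO_SCRIPTS.filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ name: manifest.name, hook, command: scripts[hook] }));
}

// Constructed sample inputs; versions and the hook command are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/@redhat-cloud-services/rbac-client': { version: '0.0.0-sample' },
  },
};
const SAMPLE_MANIFEST = {
  name: '@redhat-cloud-services/rbac-client',
  version: '0.0.0-sample',
  scripts: { preinstall: 'node setup.js', test: 'jest' },
};

console.log(findCompromised(SAMPLE_LOCK));
console.log(installScripts(SAMPLE_MANIFEST));
```

Installing with `npm ci --ignore-scripts` (npm's own flag) stops such hooks from running at all, which is the quickest stopgap while the audit above is reviewed.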
Key Takeaway
The Red Hat supply chain compromise demonstrates the growing risk of software ecosystem attacks. Compromised npm packages containing the Miasma worm enabled attackers to steal developer credentials, cloud secrets, and CI/CD tokens. Organizations must secure supply chains, rotate credentials, and monitor developer environments to prevent similar attacks.