Red Hat npm packages backdoored to steal developer credentials

More than 30 npm packages under Red Hat’s @redhat-cloud-services namespace were compromised in a supply-chain attack that distributed a new Shai-Hulud variant called “Miasma,” designed to steal developer credentials, cloud secrets, SSH keys, CI/CD tokens, and
For developers, the warning arrives in a familiar place—right where daily work depends on trust: npm.
Security firms Aikido and OX Security found that more than 30 npm packages under Red Hat’s @redhat-cloud-services namespace had been compromised. The backdoored packages distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed “Miasma.”
Aikido and OX Security reported that dozens of package versions were tampered with to steal developer credentials and sensitive access data. The compromised packages targeted everything from cloud secrets and SSH keys to CI/CD tokens and other high-value information.
Aikido said the compromised packages receive roughly 117,000 weekly downloads—an indicator of how many installs could have exposed developers and automation systems to something they never meant to pull.
Red Hat says it removed the packages after learning of the incident, and that the compromise was limited to internal development tooling.
In a statement shared with BleepingComputer, Red Hat said: “Red Hat is aware of security reports regarding certain npm packages within our development tooling ecosystem. We immediately initiated an investigation and removed the packages from the npm registry.”
Red Hat added that the packages are “strictly limited to internal development” and that “the malicious code was never published for customer consumption via the console.redhat.com system.” The company also said that, while its investigation is ongoing, it has not identified any impact to customer or partner environments or Red Hat production systems.
Red Hat is continuing to investigate, but did not answer questions about how the account used to push the malicious code was compromised.
The breach path, as Aikido describes it, points to GitHub as the initial lever.
Aikido said attackers allegedly compromised a Red Hat employee’s GitHub account and used it to push malicious commits directly to multiple repositories. Those commits added a GitHub Actions workflow and a script that abused npm’s publishing mechanism to release backdoored packages.
When the workflow runs, Aikido explained, it installs Bun and executes _index.js, passing it a list of target packages via the OIDC_PACKAGES environment variable. The script then uses the id-token: write permission to request a short-lived OIDC token from GitHub. With that token, it authenticates directly with npm’s trusted publishing endpoint and publishes backdoored versions of every package in the list.
The payload’s behavior is what makes this kind of incident so dangerous. The backdoored packages contained a malicious preinstall script that automatically executed a heavily obfuscated malicious index.js file when developers installed the packages.
Aikido reported that the payload in index.js was approximately 4.2 MB in size. Its targets were broad: it was used to steal GitHub Actions secrets, AWS credentials, Google Cloud credentials, Azure service principal credentials, HashiCorp Vault tokens, Kubernetes service account tokens, npm and PyPI publishing tokens, SSH keys, Docker credentials, GPG keys, and .env files.
Across the scope of the compromise, Aikido said 32 packages and 96 package versions were affected. The affected packages included numerous client libraries maintained under the @redhat-cloud-services namespace.
Aikido advised that organizations which installed any affected versions should rotate all credentials, secrets, and tokens used by code on the infected device immediately.
The malware itself is part of a growing series of credential-stealing operations built around Shai-Hulud. Over the past couple of months, there have been numerous supply chain attacks using Shai-Hulud malware to steal credentials and spread to other projects. Those attacks have impacted well-known projects including Bitwarden, SAP, Mistral, TanStack, OpenAI, and GitHub.
In May, the TeamPCP threat group publicly released the source code for its Mini Shai-Hulud malware framework, making the malware available to other threat actors.
Researchers say the malware used in the Red Hat compromise shares many similarities with Mini Shai-Hulud, but now uses the “Miasma: The Spreading Blight” string as comments in compromised GitHub repositories.
OX Security said the malware retains the same credential-stealing functionality as Mini Shai-Hulud but adds additional obfuscation layers, multi-stage payload delivery mechanisms, and enhanced data theft and credential-harvesting features.
As of the time of this writing, OX Security said 309 GitHub repositories have been compromised by the Miasma malware campaign.
Even with the technical details now coming into focus, one question remains unresolved: whether this was carried out by TeamPCP or by another threat actor that modified the leaked malware source code.
For Red Hat users, the practical answer is immediate. The compromised packages have been removed from the npm registry, but the blast radius of such attacks doesn’t end with removal—because the real damage is what may already have been taken from machines that installed the backdoored versions.
npm again… shocked nobody.
So it was Red Hat but only for internal tooling? That’s what they always say right before it turns out it was everywhere. If it stole SSH keys and tokens, I’m just gonna assume someone somewhere got burned.
“Miasma” like the planet of sand? lol. But seriously, 117,000 weekly downloads… that number feels like they’re trying to downplay it. Also why would dev credentials even be in Red Hat packages in the first place? Sounds like user error mixed with company stuff.
I saw Red Hat and assumed it was just another update gone wrong, like when they “quietly” change stuff. But stealing CI/CD tokens and cloud secrets is way beyond a bad release. If they removed it after “learning of the incident,” why didn’t they catch it sooner? I don’t trust npm maintainers at all anymore.