A supply-chain attack compromised over 30 npm packages in Red Hat's '@redhat-cloud-services' namespace by injecting a new variant of the Shai-Hulud malware named "Miasma." Attackers gained access to a Red Hat employee's GitHub account, pushed malicious commits that added a GitHub Actions workflow and scripts to publish backdoored package versions. These packages contained a preinstall script executing a heavily obfuscated payload that steals a wide range of credentials and secrets, including GitHub Actions secrets, cloud provider credentials, SSH keys, and tokens. Red Hat removed the compromised packages after discovery and confirmed the compromise was limited to internal development tooling with no detected impact on customer environments or production systems. The malware shares similarities with the Mini Shai-Hulud framework but includes enhanced obfuscation and data theft capabilities. At the time of reporting, 32 packages and 96 versions were affected, with approximately 117,000 weekly downloads.

The malware steals sensitive developer credentials and secrets such as cloud provider credentials, SSH keys, CI/CD tokens, and other authentication tokens, potentially enabling attackers to access and compromise developer environments and cloud resources. However, Red Hat confirmed no impact on customer or partner environments or production systems. The compromised packages were limited to internal development tooling and have been removed from the npm registry. Organizations that installed affected package versions risk credential exposure and should assume compromise of secrets used on infected devices.

Red Hat has removed the affected packages from the npm registry and is investigating the incident. The compromise was limited to internal development tooling, and no impact to customer or production systems has been identified. Organizations that installed any affected package versions should immediately rotate all credentials, secrets, and tokens used on the infected devices. Users should monitor Red Hat's official advisories for updates and remediation guidance. Patch status is not yet confirmed; consult vendor advisories for current remediation information.