Malware News: Red Hat npm packages compromised to steal developer credentials

Gandalf_The_Grey (Thread author)
More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed "Miasma."

The incident was discovered by security firms Aikido and OX Security, which found dozens of package versions backdoored with malware designed to steal developer credentials, cloud secrets, SSH keys, CI/CD tokens, and other sensitive information.

According to Aikido, the compromised packages receive roughly 117,000 weekly downloads.

In a statement shared with BleepingComputer, Red Hat said it removed the affected packages after becoming aware of the incident and that the compromise was limited to internal development tooling.

"Red Hat is aware of security reports regarding certain npm packages within our development tooling ecosystem. We immediately initiated an investigation and removed the packages from the npm registry," Red Hat told BleepingComputer.

"The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system. While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems."
 
This looks like a serious supply-chain incident, but based on the reporting you quoted, it is important not to overstate the scope.

What is confirmed so far

  • Multiple npm packages under the @redhat-cloud-services namespace were reportedly compromised.
  • The reported payload was a credential-stealing backdoor targeting things like SSH keys, tokens, and cloud-related secrets.
  • Red Hat says the affected packages were removed from npm after the issue was identified.
  • Red Hat also states these packages were limited to internal development tooling and were not published for customer consumption through console.redhat.com.

What that means in practice

If Red Hat’s statement is accurate, this does not automatically mean Red Hat customers were directly exposed through normal use of Red Hat services.

The more likely risk area is:

  • Developers who installed affected package versions locally
  • Build pipelines or CI/CD jobs that pulled those versions
  • Internal or third-party environments that consumed the compromised packages before removal

So the main concern is the classic npm supply-chain problem: anyone who installed the malicious versions may have exposed credentials or secrets from their development environment.

Important caution

It is too early to claim the full impact, and it would not be safe to assume there was no downstream exposure just because the packages were described as “internal tooling.” Internal packages can still end up in developer machines, CI systems, cached registries, mirrors, or dependency chains.

At the same time, there is no verified public evidence in your quote that Red Hat production systems or customers were compromised.

Reasonable response for potentially affected users or teams

  • Identify whether any systems installed affected versions from the @redhat-cloud-services namespace
  • Review CI/CD logs, shell history, and package-lock files for package pulls during the reported window
  • Rotate any potentially exposed secrets, especially npm tokens, Git credentials, SSH keys, cloud credentials, and CI/CD secrets
  • Scan build agents and developer workstations with reputable security tools
  • Check for unexpected outbound connections, modified scripts, or persistence mechanisms
  • Monitor official Red Hat advisories for confirmed package names, versions, and IOCs

Bottom line

This is a noteworthy npm supply-chain compromise with real risk to developer environments, but the currently quoted information does not confirm customer impact. The safest takeaway is to treat any installation of the affected package versions as potentially credential-exposing and respond accordingly.
 
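The first response step in the post above, identifying whether any lockfile pulled a package from the @redhat-cloud-services namespace, can be automated. The script below is an added example written for this thread, not code from Red Hat, Aikido, OX Security or any poster here. It parses npm's package-lock.json in both layouts npm has emitted (lockfileVersion 1 with a nested "dependencies" tree, and lockfileVersion 2/3 with a flat "packages" map keyed by node_modules path), lists every package under the scope, including de-duplicated copies nested under another package, and compares them against a known-bad table. The package names and versions in KNOWN_BAD and in the two constructed sample lockfiles are placeholders invented for the example; the real list must come from the official advisory.

```python
"""Scan npm lockfiles for packages under a given scope and flag known-bad versions.

Added example for the thread's response steps; not part of the original thread.
Package names/versions below are hypothetical placeholders, not the advisory list.
"""
import json
import sys
from pathlib import Path

SCOPE = "@redhat-cloud-services"

# Placeholder table: replace with names and versions from the official advisory.
# This package name is hypothetical and exists only to make the example runnable.
KNOWN_BAD = {
    "@redhat-cloud-services/example-pkg": {"1.2.3"},
}


def packages_in_scope(lock: dict, scope: str) -> list[tuple[str, str]]:
    """Return sorted (name, version) pairs for every package under `scope`.

    Handles both lockfile layouts npm emits:
      - lockfileVersion 2/3: "packages" maps a node_modules path to metadata;
        the package name is the part after the last "node_modules/".
      - lockfileVersion 1: "dependencies" is a tree keyed by package name,
        with nested "dependencies" for de-duplicated copies.
    Nested copies matter: a compromised version can sit under another
    package's node_modules even when the top-level copy is clean.
    """
    prefix = scope + "/"
    found: set[tuple[str, str]] = set()

    # lockfileVersion 2/3 layout
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if name.startswith(prefix) and version:   # workspace links carry no version
            found.add((name, version))

    # lockfileVersion 1 layout (recursive tree)
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            version = meta.get("version")
            if name.startswith(prefix) and version:
                found.add((name, version))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(found)


def flag_known_bad(found, known_bad=KNOWN_BAD):
    """Keep only (name, version) pairs that appear in the known-bad table."""
    return [(n, v) for n, v in found if v in known_bad.get(n, set())]


def scan_lockfile(path: Path, scope: str = SCOPE):
    """Parse one package-lock.json and return (all in scope, flagged)."""
    with path.open(encoding="utf-8") as fh:
        lock = json.load(fh)
    found = packages_in_scope(lock, scope)
    return found, flag_known_bad(found)


# Constructed sample lockfile (lockfileVersion 3) with a nested copy and a workspace link.
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/some-lib": {"version": "4.0.0"},
        "node_modules/@redhat-cloud-services/example-pkg": {"version": "1.2.3"},
        "node_modules/some-lib/node_modules/@redhat-cloud-services/other-pkg": {"version": "0.9.0"},
        "node_modules/my-workspace-pkg": {"resolved": "packages/foo", "link": True},
    },
}

# Constructed sample lockfile (lockfileVersion 1) describing the same dependency tree.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "@redhat-cloud-services/example-pkg": {"version": "1.2.3"},
        "some-lib": {
            "version": "4.0.0",
            "dependencies": {"@redhat-cloud-services/other-pkg": {"version": "0.9.0"}},
        },
    },
}


if __name__ == "__main__":
    # Usage: python scan_lock.py <dir>   walks <dir> for package-lock.json files;
    # with no argument it runs against the constructed samples above.
    if len(sys.argv) < 2:
        for label, lock in (("v3 sample", SAMPLE_LOCK_V3), ("v1 sample", SAMPLE_LOCK_V1)):
            found = packages_in_scope(lock, SCOPE)
            print(label, "in scope:", found, "flagged:", flag_known_bad(found))
    else:
        for lockfile in Path(sys.argv[1]).rglob("package-lock.json"):
            if "node_modules" in lockfile.parts:   # skip lockfiles shipped inside deps
                continue
            found, bad = scan_lockfile(lockfile)
            if found:
                print(f"{lockfile}: in scope={found} flagged={bad}")
```

Run it over checked-out repositories and over any CI workspace or build-agent cache that keeps a lockfile; a hit in the "in scope" list with a version not yet on the advisory is still worth recording, since the confirmed version list can grow while the investigation is ongoing. Lockfiles only show what was resolved, not what was actually installed, so pair this with a check of node_modules/@redhat-cloud-services/*/package.json on the machines themselves.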
So am I reading this correctly? This is totally an insider threat thing. Whoever they hired recently or whoever got a bad job eval should be looked at closely. (Those are the low hanging fruit).
 
