[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPee2OOf3-HlfEZMnP7IlwUFq1eUa9zYqSqSrJ3jFQec":3},{"article":4,"iocs":59},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"219a041d-8c26-4c6f-bf95-8196c29d11d5","Miasma Malware Hits 32 Red Hat Packages via Compromised GitHub Account","miasma-malware-hits-32-red-hat-packages-via-compromised-github-account-b7d159","32 Red Hat npm packages compromised by Miasma malware expose cloud tokens, CI\u002FCD secrets and developer credentials in supply chain attack.","On June 1, 2026, researchers discovered that 32 Red Hat npm packages under @redhat-cloud-services were compromised after attackers gained access to a Red Hat employee's GitHub account and injected malicious code. The Miasma malware—a self-propagating worm variant based on the Mini Shai-Hulud framework—steals cloud tokens, SSH keys, and developer credentials; it also self-replicates by targeting other packages the infected developer can access. The attack affected 96 package versions downloaded 80,000–117,000 times weekly and leveraged valid SLSA provenance attestations to evade security scanners.","32 Red Hat npm packages compromised via stolen GitHub account; Miasma malware steals credentials and CI\u002FCD tokens.","Miasma Malware Hits 32 Red Hat Packages via Compromised GitHub Account
By Deeba Ahmed, June 5, 2026
On 1 June 2026, experts from multiple cybersecurity firms found a major supply chain compromise affecting software components used by Red Hat. 
Security firms Microsoft, Wiz Research, Snyk, and Aikido reported that hackers sneaked harmful code into software packages under the @redhat-cloud-services name on npm, which is a public library where developers get building blocks for their code. The issue impacted at least 32 packages, leading to 96 compromised versions, which help run the Red Hat Hybrid Cloud Console and are downloaded around 80,000 to 117,000 times every week. Given the modules’ wide integration, the impact radius extends beyond Red Hat’s infrastructure to external development pipelines.
How the Infrastructure Was Exploited
The hackers didn’t guess passwords or use typosquatted webpages. Instead, they got into the personal GitHub account of a real Red Hat worker. They used this account to push hidden code changes (malicious orphan commits) directly into two RedHatInsights repositories without anyone reviewing the code. As shown in the image from Wiz, these changes happened across two waves of activity. The unauthorized commits introduced a minimal GitHub Actions workflow that requested short-lived OIDC identity tokens from GitHub. The system used these tokens to authenticate directly with npm’s trusted publishing endpoint to upload the backdoored packages. Because the code came from a legitimate Red Hat setup, the compromised versions shipped with valid SLSA provenance attestations, making them appear authentic to security scanners.
The two waves of activity (source: Wiz Research)
The Miasma Malware
Researchers have named this specific malware variant Miasma. It operates as a self-propagating worm and credential stealer based on Mini Shai-Hulud, an open-source malware framework published on BreachForums by the threat group TeamPCP earlier in 2026. This new version replaces old space themes with Greek mythology words like Spartan. When a developer installs one of these compromised packages, a hidden preinstall script triggers automatically before any normal code runs. 
It immediately hunts for sensitive data on the computer. This includes cloud login keys for Google Cloud, Microsoft Azure, and Amazon Web Services, as well as SSH keys, password data, and keys for AI tools like Claude and Gemini. Additionally, the worm queries the npm registry for other packages the infected identity has rights to modify. It then automatically republishes those packages with the same malicious payload, turning a single compromised workstation into a vector to infect more registries. (Source: Microsoft) Registry administrators revoked most of the malicious versions within hours of disclosure, but the supply chain investigation continues. Security teams are advised to check their lockfiles, block install scripts using the ignore-scripts configuration, and immediately rotate any cloud credentials or tokens accessible from affected build environments. Reports from all respective companies are available here: Microsoft, Wiz Research, Snyk, and Aikido. Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.","https:\u002F\u002Fhackread.com\u002Fmiasma-malware-red-hat-packages-github-account\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002Fmiasma-malware-red-hat-packages-github-account.jpg","2026-06-05T19:14:40+00:00","2026-06-05T20:00:08.005349+00:00",9,[18,21,24,27,30],{"name":19,"type":20},"Red Hat","vendor",{"name":22,"type":23},"Red Hat Hybrid Cloud Console","product",{"name":25,"type":26},"npm","technology",{"name":28,"type":29},"TeamPCP","threat_actor",{"name":31,"type":32},"Miasma","campaign","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":33,"icon":35,"name":36,"slug":37},null,"Supply Chain","supply-chain",[39,44,49,54],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":55},{"id":56,"icon":35,"name":57,"slug":58},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[60,62],{"type":48,"value":31,"context":61},"Self-propagating credential-stealing worm variant based on Mini Shai-Hulud; deployed via compromised Red Hat npm packages.",{"type":48,"value":63,"context":64},"Mini Shai-Hulud","Open-source malware framework published by TeamPCP on BreachForums; basis for Miasma variant."]