Compromised @redhat-cloud-services npm Packages Distribute Credential-Stealing Worm
Several packages in the @redhat-cloud-services npm scope were found to contain malicious payloads which, according to StepSecurity, execute through a preinstall hook during npm installation, before any application code runs[1].
The payload is described as a multi-stage credential harvester targeting sensitive material including GitHub Actions secrets and AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm, and CircleCI credentials. It has also been noted that the malicious code is heavily obfuscated and far larger than expected, approximately 4.2 MB, which suggests an attempt to hinder analysis and detection.
Aikido attributes the activity to a credential-stealing worm named “Miasma,” described as a variant of the Mini Shai-Hulud malware framework. According to Aikido, 96 malicious versions across 32 packages were published, with a combined weekly download count of approximately 116,991 at the time of discovery[2].
The malware exhibits self-propagating behavior by leveraging stolen npm tokens and the bypass_2fa parameter to republish backdoored versions of other packages, enabling infected environments to spread the attack further without additional attacker interaction[1].
The affected packages appear to have been published via GitHub Actions OIDC from the RedHatInsights/javascript-clients repository, indicating a compromise of the upstream CI/CD publishing workflow. Aikido further explains that the malicious versions were published by authenticating through GitHub Actions OIDC rather than solely with stolen npm tokens.
The campaign appears to be linked to the broader Mini Shai-Hulud supply chain attacks observed in 2026, in which similar techniques were used to compromise other npm packages and software ecosystems[2].
Affected Products
@redhat-cloud-services/chrome (2.3.1, 2.3.2)
@redhat-cloud-services/compliance-client (4.0.3, 4.0.4)
@redhat-cloud-services/config-manager-client (5.0.4, 5.0.5)
@redhat-cloud-services/entitlements-client (4.0.11, 4.0.12)
@redhat-cloud-services/eslint-config-redhat-cloud-services (3.2.1, 3.2.2)
@redhat-cloud-services/frontend-components (7.7.2, 7.7.3)
@redhat-cloud-services/frontend-components-advisor-components (3.8.2)
@redhat-cloud-services/frontend-components-config (6.11.3, 6.11.4)
@redhat-cloud-services/frontend-components-config-utilities (4.11.2, 4.11.3)
@redhat-cloud-services/frontend-components-notifications (6.9.2, 6.9.3)
@redhat-cloud-services/frontend-components-remediations (4.9.2, 4.9.3)
@redhat-cloud-services/frontend-components-testing (1.2.1, 1.2.2)
@redhat-cloud-services/frontend-components-translations (4.4.1, 4.4.2)
@redhat-cloud-services/frontend-components-utilities (7.4.1, 7.4.2)
@redhat-cloud-services/hcc-feo-mcp (0.3.1, 0.3.2)
@redhat-cloud-services/hcc-kessel-mcp (0.3.1, 0.3.2)
@redhat-cloud-services/hcc-pf-mcp (0.6.1, 0.6.2)
@redhat-cloud-services/host-inventory-client (5.0.3, 5.0.4)
@redhat-cloud-services/insights-client (4.0.4, 4.0.5)
@redhat-cloud-services/integrations-client (6.0.4, 6.0.5)
@redhat-cloud-services/javascript-clients-shared (2.0.8, 2.0.9)
@redhat-cloud-services/notifications-client (6.1.4, 6.1.5)
@redhat-cloud-services/patch-client (4.0.4, 4.0.5)
@redhat-cloud-services/quickstarts-client (4.0.11, 4.0.12)
@redhat-cloud-services/rbac-client (9.0.3, 9.0.4)
@redhat-cloud-services/remediations-client (4.0.4, 4.0.5)
@redhat-cloud-services/rule-components (4.7.2, 4.7.3)
@redhat-cloud-services/sources-client (3.0.10, 3.0.11)
@redhat-cloud-services/topological-inventory-client (3.0.10, 3.0.11)
@redhat-cloud-services/tsc-transform-imports (1.2.2)
@redhat-cloud-services/types (3.6.1, 3.6.2, 3.6.4)
@redhat-cloud-services/vulnerabilities-client (2.1.8, 2.1.9)
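The quickest way to find out whether any of the versions above are pinned in a project is to check the lockfile rather than package.json ranges. The following script is an added example, not code from the advisory or from Red Hat; it encodes the affected list above and audits a package-lock.json (lockfileVersion 2 or 3) for them, including copies nested under another dependency's node_modules. The sample lockfile at the end is constructed for a dry run.

```javascript
// Added example, not code from the advisory or from Red Hat: audit a
// package-lock.json (lockfileVersion 2 or 3, "packages" map) for the
// compromised @redhat-cloud-services versions listed above.
const SCOPE = "@redhat-cloud-services/";
// One "name version [version...]" string per affected package, as listed above.
const COMPROMISED_TABLE = [
  "chrome 2.3.1 2.3.2", "compliance-client 4.0.3 4.0.4",
  "config-manager-client 5.0.4 5.0.5", "entitlements-client 4.0.11 4.0.12",
  "eslint-config-redhat-cloud-services 3.2.1 3.2.2", "frontend-components 7.7.2 7.7.3",
  "frontend-components-advisor-components 3.8.2", "frontend-components-config 6.11.3 6.11.4",
  "frontend-components-config-utilities 4.11.2 4.11.3",
  "frontend-components-notifications 6.9.2 6.9.3", "frontend-components-remediations 4.9.2 4.9.3",
  "frontend-components-testing 1.2.1 1.2.2", "frontend-components-translations 4.4.1 4.4.2",
  "frontend-components-utilities 7.4.1 7.4.2", "hcc-feo-mcp 0.3.1 0.3.2",
  "hcc-kessel-mcp 0.3.1 0.3.2", "hcc-pf-mcp 0.6.1 0.6.2", "host-inventory-client 5.0.3 5.0.4",
  "insights-client 4.0.4 4.0.5", "integrations-client 6.0.4 6.0.5",
  "javascript-clients-shared 2.0.8 2.0.9", "notifications-client 6.1.4 6.1.5",
  "patch-client 4.0.4 4.0.5", "quickstarts-client 4.0.11 4.0.12", "rbac-client 9.0.3 9.0.4",
  "remediations-client 4.0.4 4.0.5", "rule-components 4.7.2 4.7.3",
  "sources-client 3.0.10 3.0.11", "topological-inventory-client 3.0.10 3.0.11",
  "tsc-transform-imports 1.2.2", "types 3.6.1 3.6.2 3.6.4", "vulnerabilities-client 2.1.8 2.1.9",
];
// Expand the table into a Set of "name@version" keys for direct lookup.
const COMPROMISED = new Set(COMPROMISED_TABLE.flatMap((row) => {
  const [name, ...versions] = row.split(" ");
  return versions.map((v) => `${SCOPE}${name}@${v}`);
}));

// Return every lockfile entry pinned to a compromised version. Keys of "packages"
// are install paths such as "node_modules/@redhat-cloud-services/types", possibly nested.
function findCompromised(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue; // skips the root "" entry
    const name = path.slice(idx + "node_modules/".length);
    if (COMPROMISED.has(`${name}@${entry.version}`)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}
// Constructed sample lockfile fragment (not a real project), used for a dry run;
// for a real audit pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@redhat-cloud-services/types": { version: "3.6.4" },
  "node_modules/@redhat-cloud-services/rbac-client": { version: "9.0.2" },
  "node_modules/some-lib/node_modules/@redhat-cloud-services/chrome": { version: "2.3.2" },
} };
for (const h of findCompromised(SAMPLE_LOCK)) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
```

A hit means the version was resolved and installed, so the preinstall hook has already run on that machine or runner; treat the host's credentials as exposed, not only the dependency as outdated.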
Recommended Actions
Truesec recommends that organizations take the following actions if any of the compromised packages have been installed:
- Rotate all potentially exposed credentials, including:
  - CI/CD secrets
  - Cloud credentials
  - SSH keys
  - npm tokens
- Identify and remove compromised package versions from dependencies
- Audit developer systems and CI/CD pipelines for signs of compromise
- Monitor for unauthorized changes to repositories or package publishing activity
- Disable “postinstall” scripts to reduce the risk of being exploited by malware similar to this one.
- Lastly, Truesec recommends implementing the NPM Package Cooldown Check, an automated verification step that runs on each pull request. It detects any npm dependency introduced or updated in the PR that was published within the last 2 days (48 hours) and fails the PR if such a dependency is found[3].
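The cooldown logic itself is small. The block below is an added example, not StepSecurity's implementation: it takes the installed versions on the base branch and on the PR branch (for example parsed from each package-lock.json), lists what the PR introduces or bumps, and fails any entry whose version was published less than 48 hours before the check runs. It assumes publish times come from the registry packument's "time" field; the dates and the example-lib package are constructed.

```javascript
// Added example, not StepSecurity's implementation: a minimal npm package
// cooldown check. Given the installed versions on the base branch and on the
// PR branch (e.g. parsed from each package-lock.json), it lists dependencies
// the PR introduces or moves to a new version, then fails any whose version was
// published less than 48 hours before the check runs. Publish times come from
// the registry packument's "time" field (https://registry.npmjs.org/<name>).
const COOLDOWN_HOURS = 48;

// Dependencies present in head at a version that base did not have.
function changedDeps(baseVersions, headVersions) {
  return Object.entries(headVersions)
    .filter(([name, version]) => baseVersions[name] !== version)
    .map(([name, version]) => ({ name, version }));
}

// times[name] is the packument "time" object: { created, modified, "<ver>": iso }.
// A dependency with no known publish time is treated as a violation (fail closed).
function cooldownViolations(changes, times, now = Date.now(), hours = COOLDOWN_HOURS) {
  const limitMs = hours * 60 * 60 * 1000;
  return changes.filter(({ name, version }) => {
    const published = times[name] && times[name][version];
    return !published || now - Date.parse(published) < limitMs;
  });
}

// Constructed sample data (not real registry output or a real PR).
const NOW = Date.parse("2026-04-10T12:00:00Z");
const BASE = { "@redhat-cloud-services/types": "3.6.0", "example-lib": "1.3.0" };
const HEAD = { "@redhat-cloud-services/types": "3.6.4", "example-lib": "1.3.0" };
const TIMES = {
  "@redhat-cloud-services/types": {
    created: "2020-01-01T00:00:00Z", modified: "2026-04-09T20:00:00Z",
    "3.6.0": "2026-01-15T09:00:00Z", "3.6.4": "2026-04-09T20:00:00Z",
  },
  "example-lib": { "1.3.0": "2018-04-01T00:00:00Z" },
};
const VIOLATIONS = cooldownViolations(changedDeps(BASE, HEAD), TIMES, NOW);
for (const v of VIOLATIONS) console.log(`FAIL ${v.name}@${v.version} published < ${COOLDOWN_HOURS}h ago`);
```

For the previous item, the npm setting that actually turns off install-time lifecycle scripts (preinstall, install and postinstall alike) is `ignore-scripts=true` in `.npmrc`, applied on developer machines and CI runners.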
If you require assistance in implementing these principles and best practices or tailoring them to your specific environment, please do not hesitate to contact Truesec for expert support.
For further reading on the subject, see “Npm Supply-Chain Attacks: How to Reduce Risk”.
References
[1] https://www.stepsecurity.io/blog/multiple-redhat-cloud-services-npm-packages-compromised
[2] https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
[3] https://www.stepsecurity.io/blog/introducing-the-npm-package-cooldown-check