
Red Hat npm packages backdoored: Miasma worm hits @redhat-cloud-services

Red Hat security bulletin RHSB-2026-006 confirms 32 @redhat-cloud-services npm packages were trojaned on June 1, 2026 with a self-spreading credential-stealing worm derived from Shai-Hulud.

Published 5 min read

Red Hat confirmed on June 2, 2026 via security bulletin RHSB-2026-006 that 32 npm packages published under the @redhat-cloud-services namespace were trojaned the previous day. 96 malicious versions in total were pushed in three publication waves across roughly four hours; the combined namespace pulls 116,991 weekly downloads, per Red Hat's count. The malware is a self-spreading credential-stealing worm that runs from a preinstall script and that researchers have named Miasma.

Discovery is credited to Wiz Research, who reported the unauthorized modifications to Red Hat on June 1. Microsoft Threat Intelligence followed on June 2 with a campaign breakdown and a separate cluster ID. The packages are frontend libraries and API clients that power the Red Hat Hybrid Cloud Console — most users will not depend on them directly, but they are bundled into some Red Hat container images during product build.

Root cause — CI/CD, not a typosquat

Per Wiz, this was not a maintainer-account credential theft and not a typosquat. A Red Hat employee's GitHub account was compromised, the attacker injected malicious GitHub Actions workflows into three repositories inside the RedHatInsights GitHub organization, and the packages were then published to npm using the legitimate OIDC tokens those workflows are entitled to. From npm's side the publishes look genuine, signed by the real CI/CD pipeline — because they were.

Timeline (June 1, 2026, UTC)

Three publication waves, per Wiz:

  • 10:54 UTC — first wave
  • 13:45 UTC — second wave
  • 14:23 UTC — third wave

Red Hat engineering removed the compromised versions from npm after disclosure. The bulletin states no customer action is required for Red Hat products specifically; it does not absolve direct npm consumers of the @redhat-cloud-services packages.

What the worm does

The malicious preinstall script ships an obfuscated payload that runs the moment npm install resolves the package — before any application code executes, with no developer-visible prompt. Per Wiz and Microsoft, the payload:

  • Harvests local developer credentials, cloud provider tokens, and any .npmrc / .git-credentials material reachable from the install host.
  • Enumerates the victim's npm publish permissions and attempts to push trojaned versions of any package the victim controls — the worming behavior.
  • Exfiltrates to attacker-controlled infrastructure.

Wiz attributes the payload lineage to (Mini) Shai-Hulud, the credential-stealing worm open-sourced by the TeamPCP group earlier in the year. The Miasma variant carries cosmetic edits — references to the Dune universe in Shai-Hulud were swapped for Greek mythology — but the core logic is substantially the same. This matters operationally: Shai-Hulud detections most teams already wrote in late 2025 will likely fire on Miasma with no changes.

Indicators of compromise

Red Hat's bulletin does not publish hashes in the body of RHSB-2026-006 at the time of writing; Microsoft and Wiz have not, at this point, published a public IOC block in a form that can be embedded verbatim here. Treat anything you copy from a third-party blog as unverified until Red Hat or Wiz publish a signed appendix. The cheapest detection that does not depend on hash-matching:

  • npm lockfile entries pinning any @redhat-cloud-services/* package to a version published on 2026-06-01 (between 10:54 and 14:23 UTC).
  • preinstall scripts in those package versions that fetch or exec outside the package's own tree.
  • Outbound network from CI runners or developer laptops to non-Red Hat destinations during npm install of these packages.
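The first two checks above can be scripted against a lockfile without any hash list. The following is an added example (not code from Red Hat, Wiz or Microsoft): it walks the `packages` map of a package-lock.json (lockfile v2/v3), collects every @redhat-cloud-services/* entry including transitive ones, compares each resolved version's publish timestamp with the June 1 window from the timeline, flags install-time lifecycle hooks in the version's manifest, and names the latest version published before the first wave as a pin candidate. Registry data is passed in as a plain object so it runs offline; in real use the `time` map comes from `npm view <pkg> time --json` and the manifest from the package's own package.json. The package names, versions and timestamps in the sample are constructed for illustration and are not real indicators.

```javascript
// Added example; none of this is code from the Red Hat bulletin or the researchers' reports.
// Package names, versions and timestamps below are constructed for illustration only.

const SCOPE = "@redhat-cloud-services/";
// Publication waves per Wiz: 10:54, 13:45 and 14:23 UTC on June 1, 2026.
const WINDOW_START = Date.parse("2026-06-01T10:54:00Z");
const WINDOW_END = Date.parse("2026-06-01T14:23:00Z");

// Derive the package name from a lockfile "packages" key, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromLockPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? lockPath : lockPath.slice(idx + "node_modules/".length);
}

// Inventory every scoped entry, including transitive pulls nested under other packages.
function scopedEntries(lockfile) {
  const out = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = entry.name || nameFromLockPath(lockPath);
    if (name.startsWith(SCOPE)) out.push({ path: lockPath, name, version: entry.version });
  }
  return out;
}

// Publish time of one version from the registry "time" map; NaN when unknown.
function publishedAt(timeMap, version) {
  return timeMap && timeMap[version] ? Date.parse(timeMap[version]) : NaN;
}

function inWindow(t) {
  return t >= WINDOW_START && t <= WINDOW_END;
}

// Lifecycle hooks that run at install time; preinstall is the one the worm uses.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return ["preinstall", "install", "postinstall"].filter((k) => k in scripts);
}

// Latest version published before the first wave: the "pin to known-good" candidate.
function latestKnownGood(timeMap) {
  let best = null;
  for (const [version, iso] of Object.entries(timeMap || {})) {
    if (version === "created" || version === "modified") continue;
    const t = Date.parse(iso);
    if (t < WINDOW_START && (best === null || t > best.t)) best = { version, t };
  }
  return best ? best.version : null;
}

// One finding per scoped lockfile entry.
// registry = { [name]: { time: {...}, manifests: { [version]: packageJson } } }
function assessLockfile(lockfile, registry) {
  return scopedEntries(lockfile).map((e) => {
    const meta = registry[e.name] || {};
    const t = publishedAt(meta.time, e.version);
    const hooks = installHooks((meta.manifests || {})[e.version]);
    const reasons = [];
    if (Number.isNaN(t)) reasons.push("publish time unknown");
    else if (inWindow(t)) reasons.push("published inside 2026-06-01 window");
    else if (t > WINDOW_END) reasons.push("published after window, not yet re-validated");
    if (hooks.length) reasons.push(`install hooks: ${hooks.join(",")}`);
    const publishedIso = Number.isNaN(t) ? null : new Date(t).toISOString();
    return { ...e, publishedAt: publishedIso, reasons, knownGood: latestKnownGood(meta.time) };
  });
}

// Constructed sample: one clean pin, one in-window version pulled in transitively,
// and an unrelated package that must be ignored.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "console-dashboard", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/example-widgets": { version: "4.1.0" },
    "node_modules/some-dep": { version: "2.0.0" },
    "node_modules/some-dep/node_modules/@redhat-cloud-services/example-api-client": { version: "7.3.1" },
  },
};

const SAMPLE_REGISTRY = {
  "@redhat-cloud-services/example-widgets": {
    time: { created: "2025-01-10T00:00:00Z", "4.0.0": "2025-11-02T09:00:00Z",
            "4.1.0": "2026-05-20T15:30:00Z", "4.1.1": "2026-06-01T10:55:12Z" },
    manifests: { "4.1.0": { scripts: { build: "tsc" } }, "4.1.1": { scripts: { preinstall: "node setup.js" } } },
  },
  "@redhat-cloud-services/example-api-client": {
    time: { "7.3.0": "2026-04-11T12:00:00Z", "7.3.1": "2026-06-01T13:46:40Z" },
    manifests: { "7.3.0": {}, "7.3.1": { scripts: { preinstall: "node -e \"...\"" } } },
  },
};

function runSample() {
  return assessLockfile(SAMPLE_LOCKFILE, SAMPLE_REGISTRY);
}

console.log(JSON.stringify(runSample(), null, 2));
```

Entries with an empty `reasons` list and a `knownGood` equal to the pinned version are already on a pre-window release; anything else needs the pin moved or the version re-validated once Red Hat republishes. The "after window" reason is deliberate: a version published after 14:23 UTC is not proven clean just because it falls outside the three waves.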

Action checklist

  1. Inventory. Search lockfiles, container build manifests, and CI caches for any @redhat-cloud-services/* dependency. The frontend-component framing means most direct consumers are dashboard / console builds — but transitive pulls are the failure mode you actually need to find.
  2. Pin to known-good. If you depend on these packages, pin to a version published before June 1, 2026 10:54 UTC, or to a version Red Hat republishes post-cleanup with explicit RHSB-2026-006 attestation. Do not blindly accept a "latest" tag until npm's history has been re-validated end-to-end.
  3. Rotate every credential reachable from a build host that ran npm install on June 1–2. AWS / Azure / GCP keys, npm publish tokens, GitHub PATs and OIDC trust relationships, HashiCorp Vault tokens, any .netrc or .git-credentials material. The worm specifically targets publish permissions, so treat npm tokens as priority one.
  4. Audit GitHub Actions OIDC trust anywhere your pipeline ingests these packages. The attack succeeded because a compromised employee account modified workflows that already had npm-publish entitlements; replicate the threat model on your own repos.
  5. Default CI to npm install --ignore-scripts where feasible. Lifecycle hooks are the install-time foothold. If your pipeline does not need them, close the door.
  6. Watch for the second-order wave. Miasma's worming behavior means any developer who installed a trojaned @redhat-cloud-services/* package and then published anything else may have published a trojaned version of that package. Look for unexpected versions of your own packages with preinstall scripts you did not author.
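Steps 1 and 5 of the checklist are the two that translate directly into shell. The block below is an added example, not tooling from Red Hat or the researchers: `inventory_scope` greps every lockfile, manifest, Dockerfile and CI workflow under a tree for the @redhat-cloud-services scope (lockfiles are included precisely because they expose transitive pulls that package.json alone hides), and `harden_npmrc` makes the repository's `.npmrc` default to `ignore-scripts=true` so `npm install` and `npm ci` skip lifecycle hooks. The sample tree it builds under a temporary directory is constructed for illustration; the package names in it are placeholders.

```shell
#!/usr/bin/env sh
# Added example; not code from the Red Hat bulletin or the researchers' reports.

SCOPE='@redhat-cloud-services/'

# Print "file:line:text" for every reference to the scope in lockfiles, manifests,
# Dockerfiles and YAML workflows under $1 (default: current directory).
# node_modules is skipped: the lockfile already records what is installed there.
inventory_scope() {
  root="${1:-.}"
  find "$root" -type f \( -name package-lock.json -o -name npm-shrinkwrap.json \
       -o -name yarn.lock -o -name pnpm-lock.yaml -o -name package.json \
       -o -name 'Dockerfile*' -o -name '*.yml' -o -name '*.yaml' \) \
       -not -path '*/node_modules/*' -print0 \
    | xargs -0 grep -Hn -F "$SCOPE" 2>/dev/null
}

# Number of distinct files referencing the scope: a quick "are we exposed" answer.
count_exposed_files() {
  inventory_scope "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Step 5: write (or fix) .npmrc so installs skip lifecycle scripts.
# Idempotent: an existing ignore-scripts line is flipped to true, not duplicated.
# Prints the number of ignore-scripts=true lines afterwards (expected: 1).
harden_npmrc() {
  rc="${1:-.}/.npmrc"
  touch "$rc"
  if grep -q '^ignore-scripts=' "$rc"; then
    sed -i.bak 's/^ignore-scripts=.*/ignore-scripts=true/' "$rc" && rm -f "$rc.bak"
  else
    printf 'ignore-scripts=true\n' >> "$rc"
  fi
  grep -c '^ignore-scripts=true$' "$rc"
}

# Constructed sample tree (not a real repository) so the functions can be exercised.
# Contains a direct dependency, a lockfile pin, a Dockerfile install line, an
# unrelated service, and an .npmrc that explicitly enables scripts.
make_sample_tree() {
  d="$(mktemp -d)"
  mkdir -p "$d/ui" "$d/svc"
  printf '{"dependencies":{"@redhat-cloud-services/example-widgets":"^4.1.0"}}\n' > "$d/ui/package.json"
  printf '"node_modules/@redhat-cloud-services/example-widgets": {"version": "4.1.1"}\n' > "$d/ui/package-lock.json"
  printf 'FROM node:20\nRUN npm install @redhat-cloud-services/example-api-client\n' > "$d/svc/Dockerfile"
  printf '{"dependencies":{"left-pad":"1.0.0"}}\n' > "$d/svc/package.json"
  printf 'ignore-scripts=false\n' > "$d/.npmrc"
  echo "$d"
}

# Usage on the sample tree; point inventory_scope at a real checkout instead.
sample="$(make_sample_tree)"
inventory_scope "$sample"
echo "exposed files: $(count_exposed_files "$sample")"
harden_npmrc "$sample" >/dev/null
cat "$sample/.npmrc"
rm -rf "$sample"
```

`inventory_scope` exits non-zero when nothing matches (grep's convention), which is convenient as a CI gate: a pipeline that must not contain these packages can fail the build on a match, while one that legitimately does should pass the hits to the version check instead. Note that `ignore-scripts=true` also disables hooks your own build genuinely needs; run those explicitly (for example `npm run build`) rather than re-enabling install-time scripts globally.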

Context

This is the third install-time supply-chain campaign we have covered in the last two weeks. On May 22–23, the Laravel-Lang Composer compromise used the same shape against PHP. On May 28, Microsoft documented 14 typosquatted npm packages from a maintainer alias vpmdhaj that did the same on npm. The Red Hat compromise is the most consequential of the three: a household-name vendor, real packages with real downloads, published from the real CI/CD pipeline using real OIDC tokens. Detection that assumes "trust comes from the publisher identity" failed cleanly.

The Shai-Hulud lineage is the other thing to take seriously. Open-sourcing a worming credential stealer was always going to lower the bar; Miasma is what that looks like in practice — a cosmetic rename, a fresh distribution channel, and a real victim. Expect more variants by the end of the quarter.
