Malicious npm Packages Hit Red Hat Scope and Broader Dependency Confusion Campaign
More than 31 packages published under the @redhat-cloud-services npm scope were found carrying a multi-stage credential-stealing payload that executed automatically during installation through preinstall hooks. Researchers said the malware targeted GitHub and npm tokens, AWS, GCP, and Azure credentials, Kubernetes and HashiCorp Vault secrets, CircleCI data, and local environment details, with one analyzed package — @redhat-cloud-services/host-inventory-client@5.0.3 — containing a 4.2 MB obfuscated harvester. The malicious releases were reportedly published via GitHub Actions OIDC from the RedHatInsights/javascript-clients repository, pointing to either compromise of the upstream CI/CD pipeline or abuse of its trust configuration; the affected packages collectively had roughly 116,000 weekly downloads.
The incident emerged alongside a separate active npm dependency-confusion campaign identified by Microsoft, in which a single actor used spoofed organizational namespaces, inflated versions such as 100.100.100, and obfuscated postinstall.js code to force installation of malicious packages in corporate developer environments. Microsoft said the payload currently focused on reconnaissance but could be switched remotely to steal credentials, exfiltrate data, or deploy a backdoor, and linked the activity to shared infrastructure and the domain oob.moika.tech. Registry teams removed the malicious packages, while defenders were urged to rotate exposed keys, enable 2FA, audit lockfiles, downgrade to safe package versions, and consider disabling install scripts during npm package installation.
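As an added example (not code from the article, Red Hat, Microsoft or any vendor it cites), the lockfile audit and dependency-confusion checks described above, written for Node.js; the @example-corp scope, the npm.internal.example registry URL and the lockfile are constructed placeholders, and the only known-bad version listed is the one the report names.

```javascript
// Added example (not vendor code). Internal scope, registry URL and lockfile are constructed.
const INTERNAL_SCOPES = ["@example-corp"];                // assumption: your private scopes
const PRIVATE_REGISTRY = "https://npm.internal.example/"; // assumption: where they must resolve
const MAX_PLAUSIBLE_MAJOR = 50;                           // flags 100.100.100-style versions
const KNOWN_BAD = new Set(["@redhat-cloud-services/host-inventory-client@5.0.3"]); // from the report

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the lockfile root entry "" yields null.
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Walks a v2/v3 package-lock "packages" map; returns one {name, version, reason} per signal.
function auditLockfile(lockJson) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(JSON.parse(lockJson).packages || {})) {
    const name = packageName(lockPath);
    if (!name) continue;
    const version = entry.version || "";
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    const major = parseInt(version.split(".")[0], 10);
    if (INTERNAL_SCOPES.includes(scope) && !(entry.resolved || "").startsWith(PRIVATE_REGISTRY)) {
      findings.push({ name, version, reason: "internal scope resolved outside private registry" });
    }
    if (Number.isFinite(major) && major >= MAX_PLAUSIBLE_MAJOR) {
      findings.push({ name, version, reason: "implausibly high version number" });
    }
    if (KNOWN_BAD.has(`${name}@${version}`)) {
      findings.push({ name, version, reason: "known malicious release" });
    }
  }
  return findings;
}

// Constructed lockfile: a spoofed internal package, a clean internal one,
// the malicious Red Hat release named above, and an ordinary public dependency.
const SAMPLE_LOCK = JSON.stringify({ name: "app", lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/@example-corp/auth-utils": { version: "100.100.100",
    resolved: "https://registry.npmjs.org/@example-corp/auth-utils/-/auth-utils-100.100.100.tgz" },
  "node_modules/@example-corp/logger": { version: "2.1.0",
    resolved: "https://npm.internal.example/@example-corp/logger/-/logger-2.1.0.tgz" },
  "node_modules/@redhat-cloud-services/host-inventory-client": { version: "5.0.3",
    resolved: "https://registry.npmjs.org/@redhat-cloud-services/host-inventory-client/-/host-inventory-client-5.0.3.tgz" },
  "node_modules/lodash": { version: "4.17.21",
    resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
}});

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.reason}: ${f.name}@${f.version}`);
```

On a real repository feed it the contents of package-lock.json, and pair it with `ignore-scripts=true` in .npmrc so preinstall and postinstall hooks cannot run during installation.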

How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Researchers report Shai-Hulud campaign remains active with new GitHub-linked tradecraft
On June 2, 2026, OX Security reported that the Shai-Hulud/Miasma npm malware campaign was still active and using a sophisticated six-stage infection chain with GitHub-based exfiltration, command-and-control, and payload delivery. The researchers also assessed the activity may involve a different threat actor than the one behind the Telnyx and LiteLLM compromises and identified another potentially malicious GitHub user continuing the operation.
Red Hat discloses 32 affected packages and weekly download volume
Red Hat said the software pipeline compromise affected 32 packages that were downloaded about 117,000 times per week before removal. The company also said that, based on current findings, customers do not need to take action.
Wiz says two malicious Red Hat npm package versions remained available
Wiz reported on June 1, 2026 that although most malicious @redhat-cloud-services npm releases had been revoked, two malicious versions were still available at the time of writing. The finding indicated remediation was still incomplete despite broader package takedowns already underway.
Red Hat says affected npm packages were removed and customer environments unaffected
Red Hat stated that the compromised @redhat-cloud-services npm packages had been removed and said the affected packages were limited to internal development tooling. The company reported no identified impact to customer, partner, or production environments.
Researchers disclose expanded impact and malware details in Red Hat npm compromise
On June 1, 2026, reporting said more than 30 legitimate npm packages in the @redhat-cloud-services scope were backdoored in a supply-chain attack. The report described the payload as a Mini Shai-Hulud variant that stole a broad range of credentials, used disguised exfiltration and GitHub dead drops, established persistence on Linux and macOS, and could wipe a user’s home directory if stolen GitHub tokens were revoked.
StepSecurity and Aikido file disclosures in three RedHatInsights repositories
On June 1, 2026, StepSecurity and Aikido filed disclosure reports in three affected RedHatInsights repositories after detecting malicious @redhat-cloud-services npm releases. The disclosures expanded coordinated response beyond the previously noted issue in RedHatInsights/javascript-clients#492.
Disclosure issue filed for compromised Red Hat npm packages
A disclosure issue was filed as RedHatInsights/javascript-clients#492, and coordination with maintainers began to confirm the scope of the compromise and remove the malicious releases.
Researchers suggest compromised Red Hat GitHub account enabled malicious commits
On June 1, 2026, researchers reported evidence that a compromised Red Hat employee GitHub account may have been the initial access point in the npm supply-chain attack. The account was allegedly used to inject malicious orphan commits into RedHatInsights repositories and bypass code review before the backdoored packages were published.
Researchers trace Red Hat package compromise to CI/CD publishing path
Analysis of the compromised @redhat-cloud-services packages found the malicious releases were published via GitHub Actions OIDC from the RedHatInsights/javascript-clients repository, suggesting compromise or abuse of the upstream CI/CD trust path.
Malicious packages identified in @redhat-cloud-services scope
On June 1, 2026, researchers identified malicious npm packages in the @redhat-cloud-services scope, including a release that executed a preinstall hook to deploy a multi-stage credential harvester during npm installation.
Registry security teams remove malicious npm packages
Microsoft reported that registry security teams removed the malicious packages tied to the dependency confusion campaign after identifying the activity and linking the maintainer accounts to one operator.
Additional malicious npm packages published in same campaign
The same dependency confusion campaign continued on May 29, 2026, with more malicious npm packages published under lookalike organizational namespaces as part of the same operation.
Threat actor publishes malicious npm packages in dependency confusion campaign
Microsoft Threat Intelligence said a single threat actor published dozens of malicious npm packages through three maintainer accounts on May 28 and May 29, 2026, using spoofed internal package scopes and inflated version numbers to win dependency resolution in targeted corporate environments.
Sources
Red Hat Investigates npm Package Compromise After Malware Found in Official Repository (CySecurity News) - cysecurity.news
Miasma Malware Hits 32 Red Hat Packages via Compromised GitHub Account - hackread.com
Red Hat victim of an attack targeting the supply chain ... (translated from French) - zdnet.fr
Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign (Malware News) - malware.news
RHSB-2026-006 Supply chain compromise of @redhat-cloud-services npm packages (Red Hat Customer Portal) - access.redhat.com
npm Dependency Confusion Attack: New Malware Discovered - securityonline.info
Russian-language report on the 32 compromised Red Hat npm packages (title garbled in extraction) - opennet.ru
Russian-language report on the 32 compromised Red Hat npm packages (title garbled in extraction; mirror) - opennet.me