HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Supply Chain Attack Compromises 30+ Red Hat npm Packages, Steals Developer Credentials

Attackers hijacked a Red Hat employee’s GitHub account and published back‑doored npm packages that harvest cloud API keys, SSH keys, and CI/CD tokens. The incident underscores the risk of third‑party supply‑chain compromises for organizations that rely on open‑source tooling.

LiveThreat™ Intelligence · 📅 June 02, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Supply Chain Attack Compromises 30+ Red Hat npm Packages, Steals Developer Credentials

What Happened — Attackers hijacked a Red Hat employee’s GitHub account and used a malicious GitHub Actions workflow to publish back‑doored versions of more than 30 npm packages under the @redhat‑cloud‑services namespace. The packages contained a pre‑install script that executed the “Miasma” malware, harvesting cloud API keys, SSH keys, CI/CD tokens, and other developer secrets. Red Hat removed the packages after discovery and reports no impact to customer or production environments.

Why It Matters for TPRM

  • Supply‑chain compromise of a trusted vendor can expose your own development pipelines to credential theft.
  • Malicious npm packages can propagate quickly (≈117 k weekly downloads), increasing the attack surface for downstream organizations.
  • Lack of visibility into third‑party publishing controls highlights the need for continuous monitoring of open‑source dependencies.

Who Is Affected — Technology SaaS providers, cloud‑hosted development platforms, CI/CD service vendors, and any organization that consumes Red Hat npm packages or similar open‑source tooling.

Recommended Actions

  • Audit all dependencies for @redhat‑cloud‑services packages and replace or remove them immediately.
  • Enforce strict provenance checks (e.g., sigstore, npm package signing) for all third‑party libraries.
  • Rotate any credentials that may have been exposed (GitHub tokens, cloud API keys, SSH keys).
  • Review and tighten GitHub account and Actions permissions for your own supply‑chain processes.

Technical Notes — The compromise leveraged a stolen GitHub account to push malicious commits, adding a GitHub Actions workflow that used the id-token: write permission to obtain short‑lived OIDC tokens and publish back‑doored packages via npm’s trusted publishing endpoint. The malicious preinstall script executed a 4.2 MB obfuscated index.js payload that scraped GitHub Actions secrets, AWS, GCP, Azure credentials, HashiCorp Vault tokens, Kubernetes service‑account tokens, npm/PyPI publishing tokens, SSH keys, Docker credentials, GPG keys, and .env files. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →