Monday, June 08, 2026


Red Hat npm Packages Compromised in Major Supply Chain Attack



Infected Red Hat npm packages expose developer credentials and secrets through sophisticated malware variant targeting trusted software ecosystem repositories.

  •   Over 30 Red Hat Cloud Services npm packages infected with malware variant

  •   Malware designed to steal developer credentials, tokens, and authentication secrets

  •   Wiz researchers identify attack as Miasma, evolution of Shai-Hulud family

  •   Attackers targeted trusted ecosystem averaging 80,000 weekly downloads collectively

  •   Most infected packages already removed from npm registry following discovery

The npm ecosystem has recently been the target of a highly sophisticated supply chain attack in which threat actors compromised multiple packages in the RedHat-cloud-services npm namespace, which hosts Red Hat Cloud Services packages. Researchers from Wiz are tracking the attack as "Miasma", the latest episode of the Shai-Hulud family of malware, which has previously been used to deploy self-propagating malware within software repositories to obtain sensitive information about developers.

Analysis by Wiz security researchers determined that the malware belonged to the Mini Shai-Hulud family, a credential-stealing threat that has repeatedly appeared in npm ecosystem attacks throughout 2026. The malware payload appears to be derived from code originally open-sourced by TeamPCP, though the attackers made notable modifications to disguise its origins. Rather than retaining references to the Dune universe, a distinctive characteristic of the original malware, the new variant replaced these themes with Greek mythology references, specifically adopting a "spartan" branding.

According to the analysis Wiz conducted, the observed changes were mostly cosmetic: all mentions of Dune and the Dune universe were replaced with references to Greek mythology, while the underlying functionality and tradecraft remained unchanged. The version of the malware that was identified referenced "Miasma: The Spreading Blight" for the repositories being created; Miasma was the project name of the attack campaign.

According to security experts, the scope of this compromise could easily have been much worse. The vast majority of the packages thought to be affected were flagged almost immediately and subsequently removed from the npm registry, which limited the opportunity to install the malicious code. Fast action by the npm maintainers and Red Hat once they learned of the compromise also allowed remediation before the malicious packages were widely adopted. The event highlights that the software supply chain remains vulnerable even for software vendors you may trust, and that the namespaces of such vendors will be a target for advanced threat actors. Developers should audit their package dependencies, verify the integrity of each installed package, and rotate any credentials that may have been at risk during the timeframe of the attack.
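One way to start the dependency audit recommended above, as an added example that is not code from Wiz, Red Hat or this article: it walks a parsed `package-lock.json` and reports every entry in the affected namespace, including nested copies pulled in by other packages. The scope spelling `@redhat-cloud-services/`, the package names, versions and the advisory list are assumptions or constructed placeholders, since the article lists no affected versions.

```javascript
// Scope named in the article; the npm spelling "@redhat-cloud-services/" is an assumption.
const SCOPE = "@redhat-cloud-services/";
const REGISTRY = "https://registry.npmjs.org/";

// Audit a parsed package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map).
// `flagged` maps package name -> versions copied from a vendor advisory (none are on this page).
function auditLockfile(lock, flagged = {}) {
  if (!lock || !lock.packages || typeof lock.packages !== "object") {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const marker = "node_modules/";
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // Keys look like "node_modules/a/node_modules/@scope/pkg"; the name follows the last marker.
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || entry.link) continue; // root project, workspace folder or symlink
    const name = path.slice(idx + marker.length);
    if (!name.startsWith(SCOPE)) continue;

    const issues = [];
    if ((flagged[name] || []).includes(entry.version)) issues.push("version-listed-in-advisory");
    if (!entry.integrity) issues.push("missing-integrity");
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) issues.push("non-registry-source");
    findings.push({ name, version: entry.version, path, nested: idx > 0, issues });
  }
  return findings;
}

// Constructed sample input: package names, versions and hashes below are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/example-a": {
      version: "0.0.1",
      resolved: REGISTRY + "@redhat-cloud-services/example-a/-/example-a-0.0.1.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/other-lib/node_modules/@redhat-cloud-services/example-b": {
      version: "0.0.2",
      resolved: "https://mirror.example.invalid/example-b-0.0.2.tgz",
    },
    "node_modules/other-lib": { version: "2.0.0", integrity: "sha512-CONSTRUCTED-PLACEHOLDER" },
  },
};
const sampleFlagged = { "@redhat-cloud-services/example-a": ["0.0.1"] }; // placeholder list

console.log(JSON.stringify(auditLockfile(sampleLock, sampleFlagged), null, 2));
```

Any entry that matches an advisory version means the machine or CI runner that installed it should be treated as exposed and its credentials rotated. Point `REGISTRY` at your own mirror if you install through one.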

Business Honor is of the view that the Red Hat npm packages compromise represents a critical vulnerability in software supply chain security and developer trust.

