Red Hat NPM Packages Compromised by Credential-Stealing Worm
The breach of Red Hat's own npm publishing pipeline shows that even official, trusted package channels can be weaponized through compromised developer accounts and automated CI workflows, making supply chain attacks harder to detect.
Reporting from 1 source: GIGAZINE.
Security firm Aikido reported that 32 packages under Red Hat's official npm channel were backdoored with a worm malware named Miasma, totaling 116,991 weekly downloads. The attack exploited a compromised employee GitHub account and GitHub Actions OIDC to publish malicious packages that steal cloud and CI credentials and attempt to spread to other repositories.
The attack chain began when an attacker compromised a Red Hat employee's GitHub account, then injected malicious isolated commits into multiple development repositories, bypassing code review. A malicious GitHub Actions configuration file was added that automatically executed package publishing, obtaining short-lived OIDC credentials from GitHub and registering backdoored packages through npm's official route. The malware, a 4.2 MB obfuscated JavaScript file, executed during npm install and searched for GitHub Actions secrets; AWS, Google Cloud, and Azure credentials; SSH private keys; npm and PyPI tokens; Docker credentials; and .env files. Stolen data was encrypted and exfiltrated, and the worm attempted to backdoor other accessible packages and repositories.
Red Hat said affected packages were limited to internal development use and not published to customers via console.redhat.com, with no confirmed impact on customer or partner environments. However, anyone who installed the packages should assume their development endpoints or CI/CD environments are compromised and immediately rotate CI secrets, cloud credentials, SSH keys, and npm tokens.
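The report describes malware that runs during npm install from a large obfuscated JavaScript file. Code that runs at install time enters through npm lifecycle scripts (preinstall, install, postinstall, prepare), so a defender triaging a development endpoint or CI runner wants an inventory of which installed packages declare such scripts and how large the files they invoke are. The following audit script is an added example, not code from the article, from Aikido or from Red Hat; the 1 MiB size threshold, the sample package names and the sample tree it builds are constructed for illustration.

```python
"""Inventory install-time lifecycle scripts in an npm install tree.

Added example (not from the article or Red Hat). Walks node_modules, reads
every package.json, and reports packages whose preinstall/install/postinstall/
prepare scripts run a local JavaScript file, flagging files at or above an
assumed 1 MiB threshold so an unusually large install-time bundle stands out.
"""
import json
import os
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
LARGE_FILE_BYTES = 1 * 1024 * 1024  # assumed review threshold, not a value from the article

# Tokens that look like a relative .js/.cjs/.mjs path inside a script command.
_JS_PATH = re.compile(r"[\w./\\-]+\.(?:c|m)?js\b")


def iter_package_manifests(node_modules):
    """Yield (name, package_dir, manifest) for each readable package.json under node_modules."""
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        manifest_path = Path(dirpath) / "package.json"
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        if isinstance(manifest, dict):
            yield manifest.get("name", manifest_path.parent.name), Path(dirpath), manifest


def _referenced_js_files(command, package_dir):
    """Return [(relative_path, size_bytes)] for local JS files named in a script command."""
    found = []
    for token in _JS_PATH.findall(command):
        candidate = package_dir / token
        if candidate.is_file():
            found.append((token, candidate.stat().st_size))
    return found


def audit_install_tree(project_root):
    """Return one finding per (package, hook) that declares an install-time script."""
    findings = []
    for name, package_dir, manifest in iter_package_manifests(Path(project_root) / "node_modules"):
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if not command:
                continue
            referenced = _referenced_js_files(command, package_dir)
            findings.append({
                "package": name,
                "version": manifest.get("version", "?"),
                "hook": hook,
                "command": command,
                "large_files": [path for path, size in referenced if size >= LARGE_FILE_BYTES],
            })
    return findings


def build_sample_tree(base):
    """Constructed sample tree (fictional packages): one clean, one with a 2 MiB postinstall bundle."""
    base = Path(base)
    clean = base / "node_modules" / "clean-pkg"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "clean-pkg", "version": "1.0.0", "scripts": {"test": "node test.js"}}))
    suspect = base / "node_modules" / "@example" / "suspect-pkg"
    (suspect / "dist").mkdir(parents=True)
    (suspect / "package.json").write_text(json.dumps(
        {"name": "@example/suspect-pkg", "version": "2.3.1",
         "scripts": {"postinstall": "node dist/setup.js"}}))
    (suspect / "dist" / "setup.js").write_bytes(b"x" * (2 * 1024 * 1024))
    return base


def run_demo():
    """Build the constructed tree in a temp dir and audit it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_install_tree(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        flag = " LARGE" if finding["large_files"] else ""
        print(f'{finding["package"]}@{finding["version"]} {finding["hook"]}: '
              f'{finding["command"]}{flag} {finding["large_files"]}')
```

Run it against a real checkout by calling audit_install_tree on the project directory instead of the demo tree. A hit is not proof of compromise (many legitimate native-addon packages have install scripts), but it narrows the review to the packages that could have run code on the endpoint, which is the population the rotation advice above is aimed at. In CI, installing with npm's ignore-scripts option prevents lifecycle scripts from executing at all, at the cost of breaking packages that genuinely need them.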
Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.