Red Hat’s official npm namespace has been hijacked to push backdoored package versions built to steal cloud and developer credentials, in a fast-moving supply chain attack against widely used software.
According to new analysis by ReversingLabs, an attacker published malicious versions of 32 packages in the @redhat-cloud-services scope on June 1, all within 72 seconds.
The packages span Red Hat’s Hybrid Cloud Console ecosystem, from UI components and API clients to build tooling, and represent roughly 9.8 million downloads in total.
This was not typosquatting or a lookalike. The attacker seized control of a legitimate, trusted namespace and republished real packages with hidden malware, turning the trust developers place in a known vendor into the delivery method.
Malware Hidden in the Install Step
Each compromised package carried an obfuscated preinstall script that ran automatically during installation, before any application code executed. Exposure therefore depended on simply installing or building the package, not on using it in production.
Aikido Security said the payload is a variant of the Mini Shai-Hulud worm, which it tracks under the name Miasma.
The malware is built to harvest secrets, with ReversingLabs finding it targeted cloud provider keys, CI/CD tokens, npm credentials and other sensitive material on the developer’s machine.
True to its lineage, the malware also tries to spread. Using stolen publishing tokens, it attempts to republish backdoored versions of other packages the compromised account can reach.
A Trusted Feature Turned Against Itself
The most striking element is how the packages were published, researchers said. Aikido found the malicious releases were pushed using GitHub Actions OIDC tokens, indicating the attacker had compromised the build pipeline rather than a developer’s personal account.
That detail matters because OIDC-based “trusted publishing” was introduced to improve security, replacing long-lived npm tokens with short-lived ones issued during a build.
As this incident shows, it can be subverted when the pipeline itself is breached, leaving a trust signal that no longer means what defenders assume.
Read more on similar attacks: Mini Shai-Hulud Hits TanStack npm Packages
By the time the activity was analyzed, legitimate maintainers had pushed clean follow-up versions for all 32 packages, and the malicious releases had been removed from npm. Any project that pinned to the affected versions, or ran an install in the window before they were pulled, is exposed.
Researchers urged any organization that installed an affected version to treat the system as potentially compromised and rotate exposed credentials, since the payload runs at install time regardless of whether the package was used. Auditing CI/CD pipelines for unexpected publishing activity was also advised.
