← All articles

Red Hat @redhat-cloud-services npm namespace compromised with 'Miasma' Shai-Hulud variant - 30+ packages, 117K weekly downloads, steals dev and cloud secrets

More than 30 npm packages under Red Hat's @redhat-cloud-services namespace were backdoored in a supply-chain attack distributing a new Shai-Hulud variant dubbed 'Miasma.' Aikido and OX Security found dozens of package versions laced with malware that steals developer credentials, cloud secrets, SSH keys, and CI/CD tokens. Aikido says the compromised packages pull roughly 117,000 weekly downloads. Red Hat told BleepingComputer it removed the affected packages after becoming aware of the incident and that the compromise was limited to internal development tooling, with no impact on production products or services. The Miasma variant continues the self-propagating worm behavior that made the original Shai-Hulud campaign so disruptive.

Check
Inventory projects pulling @redhat-cloud-services npm packages. Check package-lock.json for backdoored versions since the compromise. Rotate developer, cloud, SSH, and CI/CD credentials reachable from build hosts.
Affected
30+ @redhat-cloud-services npm packages (~117K weekly downloads) backdoored with the Miasma Shai-Hulud variant. Red Hat says impact is limited to internal development tooling, not production products.
Fix
Remove affected package versions and pin to known-clean releases via lockfile. Rotate all secrets reachable from affected developer and CI hosts. Apply Aikido and OX Security IoCs.