Last updated: July 5, 2026 at 9:01 AM UTC
Tag: red-hat (2 articles)

Red Hat @redhat-cloud-services npm namespace compromised with 'Miasma' Shai-Hulud variant - 30+ packages, 117K weekly downloads, steals dev and cloud secrets

More than 30 npm packages under Red Hat's @redhat-cloud-services namespace were backdoored in a supply-chain attack distributing a new Shai-Hulud variant dubbed 'Miasma.' Aikido and OX Security found dozens of package versions laced with malware that steals developer credentials, cloud secrets, SSH keys, and CI/CD tokens. Aikido says the compromised packages pull roughly 117,000 weekly downloads. Red Hat told BleepingComputer it removed the affected packages after becoming aware of the incident and that the compromise was limited to internal development tooling, with no impact on production products or services. The Miasma variant continues the self-propagating worm behavior that made the original Shai-Hulud campaign so disruptive.

Check
Inventory projects pulling @redhat-cloud-services npm packages. Check package-lock.json for backdoored versions since the compromise. Rotate developer, cloud, SSH, and CI/CD credentials reachable from build hosts.
Affected
30+ @redhat-cloud-services npm packages (~117K weekly downloads) backdoored with the Miasma Shai-Hulud variant. Red Hat says impact is limited to internal development tooling, not production products.
Fix
Remove affected package versions and pin to known-clean releases via lockfile. Rotate all secrets reachable from affected developer and CI hosts. Apply Aikido and OX Security IoCs.

Pwn2Own Berlin Day 1: $523,000 paid for 24 zero-days - Microsoft Edge sandbox escape, three Windows 11 privilege escalations, Red Hat root, and LiteLLM, OpenAI Codex, and NVIDIA software all fall

Day one of the Pwn2Own Berlin 2026 hacking contest at OffensiveCon paid out 523,000 dollars across 24 unique zero-days, with Trend Micro's Zero Day Initiative reporting wins against fully patched Microsoft Edge, Windows 11, Red Hat Enterprise Linux for Workstations, NVIDIA Container Toolkit and Megatron Bridge, OpenAI Codex, and LiteLLM. Orange Tsai's four-bug logic chain that escaped the Edge sandbox took the biggest single prize at 175,000 dollars. An Anthropic Claude Code entry was ruled a collision (the bug was already known to the vendor). Each affected vendor now has 90 days to ship a fix before ZDI publishes technical details.

Check
Inventory exposure to the targeted products (Edge, Windows 11, RHEL Workstations, NVIDIA Container Toolkit, LiteLLM, OpenAI Codex, Mozilla Firefox) and prepare an accelerated patch window for the next 90 days.
Affected
Fully patched Microsoft Edge, Windows 11, Red Hat Enterprise Linux for Workstations, NVIDIA Container Toolkit, NVIDIA Megatron Bridge, OpenAI Codex, LiteLLM. CVEs are not yet assigned; vendors have 90 days from May 14 to ship fixes.
Fix
Subscribe to ZDI advisory notifications and upstream vendor security feeds. As patches land over the next 90 days, prioritize Edge and Windows 11 LPE fixes - sandbox escapes plus local privilege escalations chain directly into endpoint takeover.