
Red Hat employee's GitHub account hit by network compromise

Incident
First reported
Last updated
Happening score
H score 13
1 unique source, 1 article

Summary


A Red Hat employee's GitHub account was compromised and used as patient zero for a package-injection incident, bypassing code review and seeding malicious commits into two RedHatInsights repositories. The foothold enabled malicious payload delivery into @redhat-cloud-services packages and raised the risk of downstream credential theft. The compromise also increased the chance that trusted software updates could be abused to spread further malicious changes.

Related Happenings

Vpmdhaj npm preinstall credential-harvest campaign

Campaign
First: 29.05.2026 12:11 Last: 29.05.2026 12:11 Sources 1

About this happening: A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity
First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

TanStack hit by network compromise

Incident
First: 12.05.2026 17:45 Last: 12.05.2026 17:45 Sources 1

About this happening: **TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...

Latest development: 21.05.2026 11:00

On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.

Timeline

  1. 01.06.2026 20:40 (1 article)

    Miasma string first appears in a GitHub commit

    Technical Analysis Update

    OX Security noted that the first commit containing the string "Miasma: The Spreading Blight" appeared on May 29, 2026, suggesting the variant was active by then or was being tested. The related activity was tied to a compromised Red Hat employee's GitHub account that was used as patient zero to inject malicious payloads into two RedHatInsights repositories.

  2. 01.06.2026 20:40 (2 articles)

    Miasma compromises @redhat-cloud-services npm packages

    Initial Disclosure

    Researchers described a Mini Shai-Hulud supply chain campaign codenamed Miasma that compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. Evidence suggests a compromised Red Hat employee's GitHub account served as patient zero for malicious orphan commits into two RedHatInsights repositories, and attribution remained unknown.
