Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
Incident
Summary
Hide ▲
Show ▼
Red Hat's official npm namespace was hijacked in a supply chain attack that republished 32 packages in the @redhat-cloud-services scope on June 1, 2026. The malicious uploads landed in 72 seconds and used an install-time preinstall script to steal cloud, CI/CD, and npm credentials, with roughly 9.8 million downloads affected. Researchers tracked the payload as a Mini Shai-Hulud variant called Miasma. Evidence also linked the activity to a compromised Red Hat employee GitHub account and to GitHub Actions OIDC tokens, while the first related Miasma commit appeared on May 29, 2026.
Related Happenings
AsyncAPI malicious npm package supply-chain malware
Malware Activity
H score21
First: 15.07.2026 18:37
Last: 15.07.2026 18:37
Sources 1
About this happening:
Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstr...
AsyncAPI malicious npm package supply-chain malware
Malware ActivityAbout this happening: Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstr...
AsyncAPI repositories and npm publishing workflow hit by network compromise
Incident
H score27
First: 15.07.2026 12:16
Last: 15.07.2026 12:16
Sources 1
About this happening:
The AsyncAPI npm publishing pipeline was compromised in a July 14 supply-chain attack that used the project’s normal GitHub Actions release path to publish trojani...
AsyncAPI repositories and npm publishing workflow hit by network compromise
IncidentAbout this happening: The AsyncAPI npm publishing pipeline was compromised in a July 14 supply-chain attack that used the project’s normal GitHub Actions release path to publish trojani...
GitHub fake-repository infostealer campaign
Campaign
H score41
First: 14.07.2026 22:15
Last: 14.07.2026 22:15
Sources 1
About this happening:
A GitHub impersonation campaign is distributing infostealer malware through 292 fake repositories, expanding the risk to users searching for trusted software downloads...
GitHub fake-repository infostealer campaign
CampaignAbout this happening: A GitHub impersonation campaign is distributing infostealer malware through 292 fake repositories, expanding the risk to users searching for trusted software downloads...
Jscrambler hit by network compromise
Incident
H score15
First: 13.07.2026 22:44
Last: 13.07.2026 22:44
Sources 1
About this happening:
The Jscrambler npm package suffered an unauthorized publication of a malicious version that exposed developers to infostealer theft risk. The bad release stayed li...
Jscrambler hit by network compromise
IncidentAbout this happening: The Jscrambler npm package suffered an unauthorized publication of a malicious version that exposed developers to infostealer theft risk. The bad release stayed li...
OpenMandriva Linux project hit by cyberattack
Incident
H score32
First: 10.07.2026 01:14
Last: 10.07.2026 01:14
Sources 1
About this happening:
The OpenMandriva Linux project is recovering from an attempted internal sabotage that deleted repositories and published an empty package that could have damaged user...
OpenMandriva Linux project hit by cyberattack
IncidentAbout this happening: The OpenMandriva Linux project is recovering from an attempted internal sabotage that deleted repositories and published an empty package that could have damaged user...
Timeline
-
01.06.2026 20:40 1 articles · 1mo ago
Miasma string first appears in a GitHub commit
Technical Analysis UpdateOX Security noted that the first commit containing the string "Miasma: The Spreading Blight" appeared on May 29, 2026, suggesting the variant was active by then or was being tested. The related activity was tied to a compromised Red Hat employee's GitHub account that was used as patient zero to inject malicious payloads into two RedHatInsights repositories.
Show sources
- Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm — thehackernews.com — 01.06.2026 20:40
-
01.06.2026 20:40 3 articles · 1mo ago
Miasma compromises @redhat-cloud-services npm packages
Initial DisclosureResearchers described a Mini Shai-Hulud supply chain campaign codenamed Miasma that compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. Evidence suggests a compromised Red Hat employee's GitHub account served as patient zero for malicious orphan commits into two RedHatInsights repositories, and attribution remained unknown.
Show sources
- Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm — thehackernews.com — 01.06.2026 20:40
- Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm — thehackernews.com — 01.06.2026 20:40
- Attackers Hijack Red Hat npm Scope to Steal Cloud Secrets — www.infosecurity-magazine.com — 02.06.2026 13:00