Red Hat npm packages compromised to steal developer credentials

What happened

Recent reporting highlighted red hat npm packages compromised to steal developer credentials. More than 30 npm packages under Red Hat’s ‘@redhat-cloud-services’ namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed “Miasma.”. The incident was discovered by security firms Aikido and OX Security, which found dozens of package versions backdoored with malware designed to steal developer credentials, cloud secrets, SSH keys, CI/CD tokens, and other sensitive information.

Why it matters

This matters because it has practical implications for defensive prioritisation, exposure management, or incident response rather than sitting as abstract security commentary. It also helps frame how defenders should think about attacker adaptation and recurring tradecraft rather than single incidents in isolation.

Assessment

The strongest signal here is the tradecraft pattern and what it says about attacker adaptation, not just the single campaign or disclosure. In practice, that means cloud-adjacent control planes, shared services, and inherited trust assumptions deserve more scrutiny than many organisations currently give them.

Recommended actions

• Review whether the issue, advisory, or attack pattern is relevant to your environment, suppliers, or exposed systems
• Patch, harden, or validate logging and monitoring coverage where applicable
• Check whether cloud services, connectors, or shared administrative paths create avoidable trust-boundary risk
• Map the observed activity to existing detections and threat-hunting hypotheses instead of tracking it only as narrative reporting

Further reading

• Primary source
• Source profile: Reporting