惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Visual Studio Blog
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
雷峰网
雷峰网
V
V2EX
博客园_首页
Engineering at Meta
Engineering at Meta
博客园 - 聂微东
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
H
Help Net Security
A
About on SuperTechFans
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Blog — PlanetScale
Blog — PlanetScale
W
WeLiveSecurity
云风的 BLOG
云风的 BLOG
D
Docker
Security Archives - TechRepublic
Security Archives - TechRepublic
Help Net Security
Help Net Security
N
News and Events Feed by Topic
Simon Willison's Weblog
Simon Willison's Weblog
G
Google Developers Blog
A
Arctic Wolf
T
The Blog of Author Tim Ferriss
博客园 - 叶小钗
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
aimingoo的专栏
aimingoo的专栏
Hacker News: Ask HN
Hacker News: Ask HN
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - 司徒正美
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy International News Feed
T
Troy Hunt's Blog
T
Tenable Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Recorded Future
Recorded Future
F
Fortinet All Blogs
D
DataBreaches.Net
B
Blog
T
Threat Research - Cisco Blogs
MyScale Blog
MyScale Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
The GitHub Blog
The GitHub Blog
Security Latest
Security Latest
M
MIT News - Artificial intelligence

Truesec

Russian Intelligence Targets SOHO Routers - Truesec Cyber Warfare in the Iran War - Truesec Organized Cybercrime Merging with Other Crime - Truesec AI Used in Ransomware Attack The Fortibleed Campaign: Truesec's Experience Fortibleed: Truesec's Experience Supply Chain Attack Compromising Arch Linux AUR Packages with Infostealer and Rootkit - Truesec FortiNet SSO Vulnerability CVE-2025-59718 and CVE-2025-59719 Leading to Full System Compromise - Truesec Critical Vulnerabilities in Ivanti Sentry Allows Code Execution as Root (CVE-2026-10520 & CVE-2026-10523) Typosquatting: When Your Domain Is Used Against You AI in Cybersecurity: Separating Operational Reality from Speculation GitHub Hacks Highlights Need for Repository Security Installation of a Syslog Log Collector Critical Cisco Secure Workload Vulnerability Allows Unauthenticated Site Admin Access (CVE-2026-20223) Securing IT, OT, and IoT When the Digital Meets the Physical Russia Rolls Out Surveillance Through State-Backed “Super App” MAX Device Code Phishing via Fake File-Sharing Invitation Active Exploitation of PAN‑OS Authentication Portal RCE - Truesec Windows Client Security Baselines: When Assumptions Meet Incident Response Reality - Truesec Entra ID Password Protection: From “P@ssw0rd” to Protected GitHub Under Attack: How Small Exposures Snowball into Large‑Scale Compromises European Risks Linked to the U.S. – Iran Conflict Mythos: What It Actually Means and What It Does Not Russian Espionage Campaign Targets Home Routers How Nordic Organizations Must Adjust Their Cybersecurity to a Changing Operating Environment Critical Vulnerability in “Ninja Forms – File Upload” WordPress Plugin (CVE-2026-07409) Iranian APT Target US Critical Infrastructure Remote Access – Is VPN the Almighty Solution? Malicious Axios Packages Published to npm in New Supply Chain Compromise RCE Vulnerability in F5 BIG-IP APM (CVE-2025-53521) No Further Increase in Iranian Cyber Operations Malicious PyPI Package – LiteLLM Supply Chain Compromise Dutch Intelligence Warns of Russian Campaign Against Signal and Whatsapp Users Multiple Vulnerabilities, One Critical, in Ubiquiti UniFi Network Application
Compromised @redhat-Cloud-Services Npm Packages Distribute Credential-Stealing Worm
Hjalmar Desmond · 2026-06-02 · via Truesec

Several packages within the @redhat-cloud-services npm scope were found to contain malicious payloads and according to StepSecurity, they execute through a preinstall hook during npm installation, before any application code runs[1].

The payload is described as a multi-stage credential harvester targeting sensitive material including GitHub Actions secrets, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm, and CircleCI credentials. What has also been noted is that the malicious code is heavily obfuscated and significantly larger than expected, approximately 4.2 MB, suggesting attempts to hinder analysis and detection.

Aikido attributes the activity to a credential-stealing worm named “Miasma,” described as a variant of the Mini Shai-Hulud malware framework. According to Aikido, 96 malicious versions across 32 packages were published, with a combined weekly download count of approximately 116,991 at the time of discovery[2].

The malware exhibits self-propagating behavior by leveraging stolen npm tokens and the bypass_2fa parameter to republish backdoored versions of other packages, enabling infected environments to spread the attack further without additional attacker interaction[1].

The affected packages seems to have been published via GitHub Actions OIDC from the RedHatInsights/javascript-clients repository, indicating compromise of the upstream CI/CD publishing workflow. Aikido further explains that the publishing mechanism leveraged GitHub Actions OIDC to authenticate and publish malicious package versions, rather than relying solely on stolen npm tokens.

The malware campaign seems to be linked to the broader Mini Shai-Hulud supply chain attacks observed in 2026, where similar techniques were used to compromise other npm and software ecosystems[2].

Affected Products

@redhat-cloud-services/chrome (2.3.1, 2.3.2)
@redhat-cloud-services/compliance-client (4.0.3, 4.0.4)
@redhat-cloud-services/config-manager-client (5.0.4, 5.0.5)
@redhat-cloud-services/entitlements-client (4.0.11, 4.0.12)
@redhat-cloud-services/eslint-config-redhat-cloud-services (3.2.1, 3.2.2)
@redhat-cloud-services/frontend-components (7.7.2, 7.7.3)
@redhat-cloud-services/frontend-components-advisor-components (3.8.2)
@redhat-cloud-services/frontend-components-config (6.11.3, 6.11.4)
@redhat-cloud-services/frontend-components-config-utilities (4.11.2, 4.11.3)
@redhat-cloud-services/frontend-components-notifications (6.9.2, 6.9.3)
@redhat-cloud-services/frontend-components-remediations (4.9.2, 4.9.3)
@redhat-cloud-services/frontend-components-testing (1.2.1, 1.2.2)
@redhat-cloud-services/frontend-components-translations (4.4.1, 4.4.2)
@redhat-cloud-services/frontend-components-utilities (7.4.1, 7.4.2)
@redhat-cloud-services/hcc-feo-mcp (0.3.1, 0.3.2)
@redhat-cloud-services/hcc-kessel-mcp (0.3.1, 0.3.2)
@redhat-cloud-services/hcc-pf-mcp (0.6.1, 0.6.2)
@redhat-cloud-services/host-inventory-client (5.0.3, 5.0.4)
@redhat-cloud-services/insights-client (4.0.4, 4.0.5)
@redhat-cloud-services/integrations-client (6.0.4, 6.0.5)
@redhat-cloud-services/javascript-clients-shared (2.0.8, 2.0.9)
@redhat-cloud-services/notifications-client (6.1.4, 6.1.5)
@redhat-cloud-services/patch-client (4.0.4, 4.0.5)
@redhat-cloud-services/quickstarts-client (4.0.11, 4.0.12)
@redhat-cloud-services/rbac-client (9.0.3, 9.0.4)
@redhat-cloud-services/remediations-client (4.0.4, 4.0.5)
@redhat-cloud-services/rule-components (4.7.2, 4.7.3)
@redhat-cloud-services/sources-client (3.0.10, 3.0.11)
@redhat-cloud-services/topological-inventory-client (3.0.10, 3.0.11)
@redhat-cloud-services/tsc-transform-imports (1.2.2)
@redhat-cloud-services/types (3.6.1, 3.6.2, 3.6.4)
@redhat-cloud-services/vulnerabilities-client (2.1.8, 2.1.9)

Recommended Actions

Truesec recommends that organizations takes the following actions if any of the compromised packages have been installed:

  • Rotate all potentially exposed credentials, including:
    — CI/CD secrets
    — Cloud credentials
    — SSH keys
    — npm tokens
  • Identify and remove compromised package versions from dependencies
  • Audit developer systems and CI/CD pipelines for signs of compromise
  • Monitor for unauthorized changes to repositories or package publishing activity
  • It is recommended that you disable “postinstall” to reduce the risks of being exploited by a malware similar to this one.
  • Lastly, Truesec recommends implementing NPM Package Cooldown Check. This is an automated verification step that runs on each pull request. Its job is to detect any npm dependency introduced or updated in the PR that was published within the last 2 days (48 hours) and fail the PR if such a dependency is found[3].

If you require assistance in implementing these principles and best practices or tailoring them to your specific environment, please do not hesitate to contact Truesec for expert support.

For further reading on the subject, see “Npm Supply-Chain Attacks: How to Reduce Risk”.

References

[1] https://www.stepsecurity.io/blog/multiple-redhat-cloud-services-npm-packages-compromised
[2] https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
[3] https://www.stepsecurity.io/blog/introducing-the-npm-package-cooldown-check

Stay ahead with cyber insights

Newsletter

Stay ahead in cybersecurity! Sign up for Truesec’s newsletter to receive the latest insights, expert tips, and industry news directly to your inbox. Join our community of professionals and stay informed about emerging threats, best practices, and exclusive updates from Truesec.

Latest Insights