More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack distributing credential-stealing malware. The attack deployed a new variant of the Shai-Hulud malware, dubbed "Miasma," targeting developer credentials.
Security researchers identified the compromise within Red Hat's npm packages: any developer who installed from the '@redhat-cloud-services' namespace during the affected window pulled in the injected malicious code.
The attack is a software supply-chain compromise, a common vector for distributing malware at scale. By publishing malicious versions of legitimate, trusted packages, the attackers gained code execution in the developer environments and systems where those packages are installed and run.
The malware variant, named Miasma, was specifically designed to harvest developer credentials. Once installed, it can extract authentication tokens, API keys, and other sensitive information from compromised systems. This type of attack poses significant risk, as stolen credentials can grant attackers access to private repositories, cloud infrastructure, and other critical resources.
The '@redhat-cloud-services' namespace is widely used within Red Hat's ecosystem and beyond, meaning the potential impact extends across numerous organizations and projects. Developers who installed affected packages during the compromise window face immediate risk of credential exposure.
Response measures:
Red Hat and npm have been notified and are investigating the scope of the compromise. Affected packages have been flagged, and developers are advised to:
- Review package installation logs and lockfiles for installs from the '@redhat-cloud-services' namespace during the compromise window
- Rotate npm tokens, cloud and API keys, and any other credentials reachable from affected machines and build systems immediately
- Monitor accounts for unauthorized access
- Update to clean versions once published
- Check dependent projects for exposure
This incident underscores the continuing fragility of the open-source software supply chain. With millions of developers relying on npm packages daily, a compromise at this scale can reach numerous downstream projects and organizations. Malware variants like Miasma show attackers' growing focus on credential theft from developer environments as a path to broader system compromise.
Developers should maintain vigilance regarding package dependencies and consider additional controls such as package integrity verification (pinned lockfiles installed with 'npm ci', so the recorded integrity hashes are enforced), disabling install-time lifecycle scripts where the workflow allows ('ignore-scripts=true' in .npmrc), and runtime monitoring of developer machines and build systems.
A critical privilege escalation vulnerability in the popular Kirki WordPress plugin is being actively exploited to compromise administrator accounts. The flaw (CVE-2026-8206) allows attackers to take over any user account on affected sites.
Threat actors are deploying an AI-powered ransomware toolkit that automates Active Directory discovery and circumvents endpoint detection and response solutions. The advancement marks a significant escalation in ransomware attack sophistication.
Palo Alto Networks raised its adjusted earnings forecast, citing strong demand for security services as AI-related threats escalate concerns among enterprises and governments.