Red Hat npm packages carry self-propagating credential worm

Malicious preinstall scripts in @redhat-cloud-services packages harvest credentials and spread via compromised maintainer accounts; treat as active incident if installed.

June 2, 2026

Summary

These are build-time dependencies for enterprise infrastructure, installed on developer workstations and CI runners where long-lived cloud credentials and registry tokens live. The worm replicates across any packages you can publish, turning a single install into organizational blast radius.

Implementation verdict

Immediate: audit lockfiles for @redhat-cloud-services packages at versions <=7.7.2 (check the Snyk advisory for each package, since the affected range is listed per package), pin to clean versions, reinstall with npm install --ignore-scripts, and rotate every credential reachable from affected machines. This is not optional: assume any secret that touched those environments is exposed. Run Snyk to flag all affected projects; hunt for orphan repos whose description is 'Miasma: The Spreading Blight' and for unexpected workflows requesting id-token: write.
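The two checks above (lockfile audit and workflow hunt) can be scripted. The following is an added example written for this brief, not code from Red Hat, Snyk or the affected packages: it walks a package-lock.json (lockfileVersion 2/3 layout) and reports @redhat-cloud-services entries at or below the 7.7.2 bound the brief gives, and it flags GitHub Actions workflow text that requests id-token: write. The package names, lockfile fragment and workflow text are constructed samples; the scope-wide 7.7.2 bound is an assumption taken from the brief, and the per-package Snyk advisory remains the authoritative range.

```javascript
// Added example, not from the brief or the project. Flags lockfile entries in
// the @redhat-cloud-services scope at or below the brief's stated version bound,
// and workflow files requesting id-token: write. Sample data is constructed.

const SCOPE = "@redhat-cloud-services/";
// Bound stated in the brief; assumed to apply scope-wide for triage purposes.
const MAX_SUSPECT_VERSION = "7.7.2";

// Compare two dotted numeric versions like a comparator (-1, 0, 1).
// Pre-release suffixes are stripped, so 7.7.2-rc1 is treated as 7.7.2 (conservative).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json, whose keys
// are install paths ("node_modules/foo", "node_modules/foo/node_modules/bar"),
// and return every scoped package whose resolved version is <= the bound.
function findSuspectPackages(lock, bound = MAX_SUSPECT_VERSION) {
  const hits = [];
  const packages = lock.packages || {};
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the root entry "" has no node_modules prefix
    const name = path.slice(idx + "node_modules/".length);
    if (!name.startsWith(SCOPE) || !meta.version) continue;
    if (compareVersions(meta.version, bound) <= 0) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// True if a GitHub Actions workflow requests the id-token: write permission
// (top-level or per-job); indentation is ignored so either level matches.
function requestsIdTokenWrite(workflowYaml) {
  return /^\s*id-token:\s*write\s*$/m.test(workflowYaml);
}

// Constructed sample lockfile fragment (package names are placeholders).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/example-a": { version: "7.7.1" },
    "node_modules/@redhat-cloud-services/example-b": { version: "7.8.0" },
    "node_modules/some-lib/node_modules/@redhat-cloud-services/example-c": { version: "7.7.2" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Constructed sample workflow (not from any real repository).
const SAMPLE_WORKFLOW = `name: release
on: [push]
permissions:
  contents: read
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
`;

// Stand-alone run: print what a triage pass would report on the samples.
for (const hit of findSuspectPackages(SAMPLE_LOCK)) {
  console.log(`SUSPECT ${hit.name}@${hit.version} at ${hit.path}`);
}
console.log(`workflow requests id-token: write -> ${requestsIdTokenWrite(SAMPLE_WORKFLOW)}`);

module.exports = { compareVersions, findSuspectPackages, requestsIdTokenWrite, SAMPLE_LOCK, SAMPLE_WORKFLOW };
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and feed each file under .github/workflows to requestsIdTokenWrite; a hit on the workflow check is only a lead, since legitimate OIDC publishing also needs id-token: write, so compare the workflow against what the repository's history says should be there.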

Sources

  1. malicious code embedded in at least 32 package releases published under the @redhat-cloud-services npm namespace
  2. The affected packages average roughly 80,000 downloads per week combined
  3. a preinstall script that runs an obfuscated payload the moment a package is installed, harvesting developer and cloud credentials and attempting to spread itself to other packages the victim can publish
  4. Evidence indicates a Red Hat employee's GitHub account was compromised and used to push malicious orphan commits directly into two RedHatInsights repositories, bypassing code review
  5. the payload: Harvests secrets and credentials from the local environment and CI context: environment variables, ~/.npmrc tokens, SSH keys, GitHub tokens, and CI/CD secrets
  6. Snyk rates the lead advisory at 9.3 (Critical, CVSS v4.0) with an exploit maturity of Attacked
  7. Most malicious versions had been revoked from npm within hours of disclosure
