Malicious preinstall scripts in @redhat-cloud-services packages harvest credentials and spread via compromised maintainer accounts; treat as active incident if installed.
June 2, 2026
Summary
These are build-time dependencies for enterprise infrastructure, installed on developer workstations and CI runners where long-lived cloud credentials and registry tokens live. The worm replicates across any packages you can publish, turning a single install into organizational blast radius.
Why it matters
These are build-time dependencies for enterprise infrastructure, installed on developer workstations and CI runners where long-lived cloud credentials and registry tokens live. The worm replicates across any packages you can publish, turning a single install into organizational blast radius.
Implementation verdict
Immediate: audit lockfiles for @redhat-cloud-services versions <=7.7.2 (check Snyk advisories per package), pin away, reinstall with npm install --ignore-scripts, rotate every credential reachable from affected machines. This is not optional—assume any secrets touched those environments are exposed. Run Snyk to flag all affected projects; hunt for orphan repos with description 'Miasma: The Spreading Blight' and unexpected workflows requesting id-token: write.
Sources
Dev Signal
Get briefs like this in your inbox — free, every weekday.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.