Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Red Hat npm Packages Breached by Credential-Stealing Malware

Red Hat npm Packages Breached by Credential-Stealing Malware

Posted on June 1, 2026 By CWS

In a significant cybersecurity incident on June 1, 2026, over 30 npm packages under the @redhat-cloud-services namespace were compromised. This attack, identified as “Miasma: The Spreading Blight,” is a newly developed variant of the Mini Shai-Hulud malware, historically linked to the threat actor group TeamPCP.

The assault was not a case of typosquatting. Instead, attackers managed to seize control of a legitimate npm namespace, inserting backdoored versions of frequently used frontend components, API clients, and developer tools. This breach highlights vulnerabilities in trusted software distribution channels.

Methodology of the Attack

Detection by Aikido and JFrog revealed that the malicious packages were disseminated using compromised GitHub Actions OIDC tokens, indicating a breach in the CI/CD pipeline rather than individual developer accounts. This method allowed the attackers to embed a preinstall lifecycle hook within each package’s json scripts.

The hook executed a 4.2 MB obfuscated payload during the npm install process, using a multi-stage decryption strategy to avoid static detection. This payload was capable of evading security measures and deploying a transient Bun-based program, targeting cloud credentials and infrastructure secrets.

Impact on Cloud Environments

Once deployed, the malware aggressively harvested credentials, targeting GitHub tokens, cloud access keys, infrastructure secrets, and developer tools. It could even query cloud services like AWS Secrets Manager when permissions allowed, bypassing traditional security measures.

A sophisticated evasion tactic involved disguising data exfiltration traffic as legitimate Anthropic service requests. The malware also employed a GitHub dead-drop model, using victim accounts to create repositories where stolen credentials were committed as JSON files.

Response and Mitigation

Organizations impacted by this breach are advised to uninstall affected npm packages and regenerate lockfiles using verified metadata. Temporary measures include using npm ci –ignore-scripts in CI pipelines to prevent script execution.

To mitigate the threat, removing persistent files such as kitty-monitor and gh-token-monitor is crucial before revoking any credentials. Auditing npm and GitHub accounts for unauthorized activities and rotating exposed credentials are essential steps in securing affected systems.

This incident underscores the importance of robust security practices in software supply chains, emphasizing the need for continuous monitoring and proactive threat detection.

Cyber Security News Tags:CI/CD compromise, cloud credentials, credential-stealing malware, cyber attack, Cybersecurity, developer tools, GitHub, Malware, Miasma, npm breach, Red Hat, Security, supply chain attack, TeamPCP, threat detection

Post navigation

Previous Post: SmartApeSG Campaign Infects Windows with Remote Access Malware
Next Post: Hackers Exploit AI to Hijack Instagram Accounts

Related Posts

Wealthsimple Data Breach Exposes Personal Information of Some Users Wealthsimple Data Breach Exposes Personal Information of Some Users Cyber Security News
Phantom Stealer Attacking Users to Steal Sensitive Data like Passwords, Browser Cookies, Credit Card Data Phantom Stealer Attacking Users to Steal Sensitive Data like Passwords, Browser Cookies, Credit Card Data Cyber Security News
Top 10 Best Penetration Testing as a Service (PTaaS) Companies in 2025 Top 10 Best Penetration Testing as a Service (PTaaS) Companies in 2025 Cyber Security News
Hackers Hijacking IIS Servers in The Wild Using Exposed ASP .NET Machine Keys to Inject Malicious Modules Hackers Hijacking IIS Servers in The Wild Using Exposed ASP .NET Machine Keys to Inject Malicious Modules Cyber Security News
VMware Cloud Foundation 9.0 Released With Modern Workloads & AI Services VMware Cloud Foundation 9.0 Released With Modern Workloads & AI Services Cyber Security News
CanisterWorm Malware Targets npm, Compromises Developer Accounts CanisterWorm Malware Targets npm, Compromises Developer Accounts Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AI Tool Revolutionizes Automated Penetration Testing
  • Critical WordPress Flaw Allows Code Execution
  • OpenSSL Vulnerability ‘HollowByte’ Poses Severe Threat
  • OpenSSL Vulnerability Causes Memory Freeze with Minimal Data
  • EY Faces Data Breach: IT System Compromised

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AI Tool Revolutionizes Automated Penetration Testing
  • Critical WordPress Flaw Allows Code Execution
  • OpenSSL Vulnerability ‘HollowByte’ Poses Severe Threat
  • OpenSSL Vulnerability Causes Memory Freeze with Minimal Data
  • EY Faces Data Breach: IT System Compromised

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark