Researchers on Monday warned that more than 30 Red Hat npm packages have been compromised in a supply-chain attack that used a credential-stealing worm.
A total of 96 versions across 32 packages have been identified as compromised, according to researchers at Aikido Security, with accumulated downloads exceeding 116,000.
The compromised versions were published through GitHub Actions OIDC rather than with an npm token, which the researchers noted points to a compromise of the continuous integration/continuous delivery pipeline instead of a stolen publishing credential.
Anyone who has downloaded an affected package version since Monday should assume that CI secrets, cloud credentials, SSH keys and npm tokens are compromised, researchers said, and should rotate all of them as a preventive measure against follow-on activity.
Red Hat confirmed it is investigating the malicious activity.
“Red Hat is aware of security reports regarding certain npm packages within our development tooling ecosystem,” the company told Cybersecurity Dive in a statement.
The packages were immediately removed from its npm registry. Red Hat said the packages are “strictly limited to internal development” and noted that the malicious code was never published for customer use through the console.redhat.com system.
“While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems,” the company said.
Red Hat confirmed the compromise was linked to a compromised GitHub account, which pushed unauthorized commits to repositories in the RedHatInsights GitHub organization.
The payload appears to be linked to the Mini Shai Hulud malware that was open sourced by Team PCP, according to a blog post released Monday by cybersecurity firm Wiz. The variant creates repositories that reference Miasma: The Spreading Blight, according to Wiz.
The Mini Shai Hulud campaign has impacted multiple ecosystems in recent months, including four SAP npm packages in April and Microsoft’s Durable Task package on PyPI.
U.S. authorities and private sector organizations have recently taken steps to better protect the open-source ecosystem from supply chain compromises.