SAN FRANCISCO — Official Red Hat NPM accounts were compromised on Monday, leading to a supply-chain attack that pushed a malicious worm named Miasma to more than 30 packages in the @redhat-cloud-services namespace. The worm executed an obfuscated payload during the npm install process, before the packages were imported or used in production.
The threat actor gained control of the legitimate @redhat-cloud-services scope on the npm registry and used it to distribute backdoored versions of Red Hat packages. According to security firm Aikido, 32 packages and 96 package versions were affected, and the compromised packages together receive approximately 117,000 weekly downloads.
The malware, dubbed Miasma, is designed to steal sensitive credentials—including GitHub Actions secrets, npm tokens, Kubernetes and Vault tokens, and credentials for major cloud services. Once executed, it encrypts the stolen data and sends it via a web request, with a fallback mechanism to publish the data to a compromised GitHub repository if valid credentials are available.
Aikido reported that the attackers compromised a Red Hat employee’s GitHub account and pushed malicious commits to multiple repositories. Those commits added a GitHub Actions workflow and a script that abused npm’s trusted publishing mechanism to release the backdoored packages. Trusted publishing replaces long-lived npm tokens with a workflow identity: the workflow granted GitHub’s id-token: write permission, the script used it to obtain a short-lived OIDC token, and it then presented that token to npm’s publishing endpoint. Anyone who can modify that workflow file therefore inherits the scope’s publishing rights.
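The following audit is an added example (not Aikido’s, Socket’s or Red Hat’s tooling) of how to spot the pattern just described in a repository’s workflows: a job that may request an OIDC token (permissions: id-token: write) and runs anything, whether a bare npm publish or an opaque script, while that token is in scope. It takes the dict that yaml.safe_load() returns for a workflow file; PyYAML is not imported so the block runs offline. The two sample workflows, job names and script paths are constructed for illustration and are not the contents of the malicious commits.

```python
"""Static audit of a GitHub Actions workflow (as a yaml.safe_load() dict) for
the npm trusted-publishing abuse pattern: a job holding id-token: write.
Added example with constructed sample workflows; not the incident's files."""

PUBLISH_COMMANDS = ("npm publish", "pnpm publish", "yarn npm publish")
# A step that mints the OIDC token by hand (instead of letting the npm CLI
# do it) has to read these two GitHub Actions environment variables.
RAW_OIDC_MARKERS = ("ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN")


def grants_id_token(perms):
    """True if a `permissions:` value lets steps request an OIDC token."""
    if perms == "write-all":
        return True
    return isinstance(perms, dict) and perms.get("id-token") == "write"


def workflow_triggers(wf):
    """Trigger names. PyYAML follows YAML 1.1 and loads the bare key `on`
    as the boolean True, so the triggers may sit under either key."""
    trig = wf.get("on", wf.get(True))
    if isinstance(trig, str):
        return {trig}
    if isinstance(trig, list):
        return set(trig)
    if isinstance(trig, dict):
        return set(trig)
    return set()


def audit_workflow(wf):
    """Return (job_name, finding) pairs for every job able to mint an OIDC
    token. Jobs without that permission cannot reach trusted publishing."""
    findings = []
    top_level = grants_id_token(wf.get("permissions"))
    triggers = workflow_triggers(wf)
    for name, job in (wf.get("jobs") or {}).items():
        if not (top_level or grants_id_token(job.get("permissions"))):
            continue
        findings.append((name, "id-token-write"))
        if not job.get("environment"):
            # npm trusted publishing can be pinned to a GitHub environment whose
            # protection rules (required reviewers) gate every run of the job.
            findings.append((name, "no-environment-gate"))
        if "workflow_dispatch" in triggers:
            findings.append((name, "manually-dispatchable"))
        for step in job.get("steps") or []:
            run = step.get("run") if isinstance(step, dict) else None
            if not run:
                continue
            if any(cmd in run for cmd in PUBLISH_COMMANDS):
                findings.append((name, "npm-publish: " + run.strip()))
            elif any(marker in run for marker in RAW_OIDC_MARKERS):
                findings.append((name, "manual-oidc-mint: " + run.strip()))
            else:
                # Every other command, `npm ci` included, runs with the token in
                # scope: dependency install scripts could mint it too. Review by hand.
                findings.append((name, "review-run-step: " + run.strip()))
    return findings


# Constructed: the shape of an added release workflow whose publish logic hides
# in a script. Hypothetical repo layout, not the real malicious commit.
SAMPLE_WORKFLOW = {
    "name": "release",
    True: {"workflow_dispatch": {}, "push": {"branches": ["main"]}},
    "permissions": {"contents": "read"},
    "jobs": {
        "test": {"runs-on": "ubuntu-latest",
                 "steps": [{"run": "npm ci"}, {"run": "npm test"}]},
        "publish": {"runs-on": "ubuntu-latest",
                    "permissions": {"contents": "read", "id-token": "write"},
                    "steps": [{"uses": "actions/checkout@v4"},
                              {"run": "npm ci"},
                              {"run": "bash scripts/release.sh"}]},
    },
}

# Constructed hardened form: tag-only trigger, environment-gated job, explicit publish.
HARDENED_WORKFLOW = {
    "name": "release",
    True: {"push": {"tags": ["v*"]}},
    "permissions": {"contents": "read"},
    "jobs": {
        "publish": {"runs-on": "ubuntu-latest",
                    "environment": "npm-release",
                    "permissions": {"contents": "read", "id-token": "write"},
                    "steps": [{"uses": "actions/checkout@v4"},
                              {"run": "npm ci --ignore-scripts"},
                              {"run": "npm publish --provenance --access public"}]},
    },
}

if __name__ == "__main__":
    for label, wf in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        for job, finding in audit_workflow(wf):
            print(f"{label}: job {job}: {finding}")
```

Run it over every file under .github/workflows after loading each with yaml.safe_load; the interesting output is any id-token-write job that also reports no-environment-gate or a review-run-step pointing at a script, since that is where a reviewer has to read the script rather than the workflow.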
Security firm Socket warned that exposure occurs upon installation or CI execution, not during runtime use. “The payload executes during npm install, before application code imports or uses the package, so exposure depends on installation or CI execution, not runtime use,” Socket researchers wrote. They added, “Organizations should treat any system that installed one of the affected @redhat-cloud-services package versions as potentially compromised.”
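Because the payload fires from an install-time lifecycle script rather than from application code, triage starts with two questions: which versions in the scope did a lockfile pull in, and which installed packages declare preinstall/install/postinstall hooks. The helper below is an added example, not Socket’s, Aikido’s or Red Hat’s tooling. It builds a constructed fixture in a temporary directory; the scope "@example-scope" and its packages are hypothetical stand-ins (pass "@redhat-cloud-services" and a real project root in practice), and the affected version list, which the article does not reproduce, is not included.

```python
"""Triage a Node project for install-time execution: list lockfile packages
in a scope, then walk node_modules for install-time lifecycle scripts, which
npm runs during `npm install` before anything imports the package.
Added example with a constructed fixture; package names are hypothetical."""

import json
import os
import tempfile

# Hooks npm runs at install time. `prepare` also runs for git dependencies.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def lockfile_packages(lock_path, scope):
    """{name: version} for every package under `scope` in a package-lock.json
    with lockfileVersion 2 or 3 (top-level "packages" map keyed by path)."""
    with open(lock_path) as fh:
        lock = json.load(fh)
    found = {}
    for path, entry in lock.get("packages", {}).items():
        # Keys look like "node_modules/@scope/name", possibly nested under
        # another dependency's node_modules; the last segment is the name.
        name = path.rsplit("node_modules/", 1)[-1]
        if name.startswith(scope + "/"):
            found[name] = entry.get("version")
    return found


def find_install_scripts(node_modules):
    """(name, version, hook, command) for every package.json in the installed
    tree that declares an install-time lifecycle script."""
    hits = []
    for dirpath, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json")) as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip, do not abort triage
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                hits.append((manifest.get("name"), manifest.get("version"),
                             hook, scripts[hook]))
    return hits


def build_fixture(root):
    """Write a constructed project under `root`: two hypothetical scoped
    packages (one clean, one with a decode-and-eval postinstall) and one
    unscoped package, plus a matching v3 lockfile."""
    def write_manifest(pkg_dir, manifest):
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w") as fh:
            json.dump(manifest, fh)

    nm = os.path.join(root, "node_modules")
    write_manifest(os.path.join(nm, "@example-scope", "clean-lib"),
                   {"name": "@example-scope/clean-lib", "version": "1.0.0",
                    "scripts": {"test": "jest"}})
    # The blob here decodes to console.log(1); the shape, not the content, matters.
    write_manifest(os.path.join(nm, "@example-scope", "widget"),
                   {"name": "@example-scope/widget", "version": "2.3.1",
                    "scripts": {"postinstall": "node -e \"eval(Buffer.from("
                                "'Y29uc29sZS5sb2coMSk=','base64').toString())\""}})
    write_manifest(os.path.join(nm, "left-pad"),
                   {"name": "left-pad", "version": "1.3.0"})
    lock = {"lockfileVersion": 3, "packages": {
        "": {"name": "app", "version": "0.0.1"},
        "node_modules/@example-scope/clean-lib": {"version": "1.0.0"},
        "node_modules/@example-scope/widget": {"version": "2.3.1"},
        "node_modules/left-pad": {"version": "1.3.0"}}}
    with open(os.path.join(root, "package-lock.json"), "w") as fh:
        json.dump(lock, fh)


def triage(root, scope):
    """Scoped packages from the lockfile, all install hooks in the tree, and
    the intersection: scoped packages that run code at install time."""
    scoped = lockfile_packages(os.path.join(root, "package-lock.json"), scope)
    hooks = find_install_scripts(os.path.join(root, "node_modules"))
    return {"scoped": scoped,
            "install_scripts": hooks,
            "scoped_with_hooks": sorted({h[0] for h in hooks if h[0] in scoped})}


def run_triage_demo():
    """Build the constructed fixture in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return triage(root, "@example-scope")


if __name__ == "__main__":
    result = run_triage_demo()
    print("packages in scope:", result["scoped"])
    for name, version, hook, cmd in result["install_scripts"]:
        print(f"install-time script: {name}@{version} {hook}: {cmd}")
    print("scoped packages with install hooks:", result["scoped_with_hooks"])
```

A lockfile hit means the version was resolved, not necessarily that the install ran on this host, so pair the lockfile check with the node_modules walk on each machine and CI runner that installed the project. Installing with npm ci --ignore-scripts blocks this class of payload at the cost of breaking packages that legitimately need install hooks.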
Red Hat said it removed the affected packages after becoming aware of the incident and stated the compromise was limited to internal development tooling. “Red Hat is aware of security reports regarding certain npm packages within our development tooling ecosystem. We immediately initiated an investigation and removed the packages from the npm registry,” a Red Hat spokesperson told BleepingComputer. The spokesperson added, “The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system.”
Red Hat also said it had not identified any impact to customer or partner environments or to its production systems. Organizations that installed affected versions are advised to immediately rotate every credential, secret, and token that was present on potentially infected devices, CI runners included, since the malware targets GitHub Actions secrets, npm tokens, Kubernetes and Vault tokens, and cloud credentials.