Skip to main content
Emerging ThreatsMalware & Ransomware

Malware Worms Red Hat npm Packages, Targets Cloud Credentials

Server room with rows of computer servers and cables, laptops in foreground with some monitors displaying code or data.

"The compromised account pushed malicious orphan commits to two RedHatInsights repositories, bypassing code review," Wiz researchers wrote, describing how dozens of Red Hat npm package releases were seeded with a self‑propagating credential‑stealer.

Wiz: scope, origin and status

Security researchers at Wiz traced at least 32 npm package releases published under the Red Hat Cloud Services namespace to a single Red Hat employee’s compromised GitHub account. Wiz described the incident as a "live threat" and said its team is actively monitoring for new developments. The affected packages are downloaded around 80,000 times a week, the company reported.

Socket: preinstall hook, what the payload collects, and affected versions

Supply‑chain security firm Socket found the compromised package releases execute a hidden payload through an npm preinstall hook so the malware runs automatically during npm install—before a developer imports or uses the package. Socket counted 95 affected package versions as of 11:00:22 UTC.

According to Socket’s analysis, the payload is designed to collect a broad array of credentials and sensitive files. The company listed the intended targets as:

  • GitHub Actions secrets
  • npm tokens
  • cloud credentials
  • Kubernetes and Vault material
  • SSH keys and Git credentials
  • other sensitive files

Socket also reported the malware includes encrypted exfiltration logic and GitHub‑based fallback mechanisms, indicating an effort not only to steal credentials but also to enable further supply‑chain propagation. Socket continues to monitor the attack and update its artifacts list; it urged organizations that installed any of the poisoned versions to "assume compromise and immediately rotate credentials."

Red Hat response and claimed impact

A Red Hat spokesperson told The Register the company "immediately initiated an investigation and removed the packages from the npm registry." The spokesperson said the packages were "strictly limited to internal development" and that "the malicious code was never published for customer consumption via the console.redhat.com system." While the investigation is ongoing, Red Hat said it has "not identified any impact to customer or partner environments or Red Hat production systems."

Mini Shai‑Hulud, TeamPCP and the new variant's tradecraft

Both Wiz and Socket said the malware resembles the Mini Shai‑Hulud worm that TeamPCP cybercriminals recently open‑sourced, but noted attribution is uncertain because the tool was publicly released. Wiz observed cosmetic modifications—references to the Dune universe were replaced with Greek mythology themes such as "spartan"—while "the underlying functionality and tradecraft remain substantially similar."

Wiz highlighted substantive capability changes in this variant: it adds data collectors for Google Cloud Platform and Microsoft Azure identities and is designed to harvest all identities accessible from an infected machine, not just secrets present in cloud environments. Wiz warned this points to "an increased attacker focus on gaining and leveraging access to the cloud itself." The variant also creates repositories containing the description "Miasma: The Spreading Blight," and—unlike earlier self‑spreading worm variants that copied an identical payload—this one "generates a uniquely encrypted payload for each infection," making hash‑based indicators‑of‑compromise useful only for a specific package version.

What this means for technologists, enterprises, and open‑source maintainers

Technologists and security teams should treat any use of the listed package versions as a potential compromise and rotate secrets: Socket explicitly advised organizations that have installed one of the poisoned versions to "assume compromise and immediately rotate credentials." Because the malware runs during npm install via a preinstall hook, development workstations and CI runners are at direct risk before any package code is imported.

Enterprises and procurement leaders will need to confirm whether internal development pipelines pulled the affected releases; Red Hat says the packages were limited to internal development, but both Wiz and Socket continue to monitor the incident and publish artifacts. The presence of GCP and Azure collectors raises specific cloud‑access concerns for organizations whose build environments carry federated or long‑lived cloud identities.

Open‑source maintainers and repository operators should note the reported attack vector: a compromised maintainer GitHub account that pushed orphan commits to repositories, bypassing code review. The incident underscores the difficulty of detecting uniquely encrypted, per‑infection payloads and the limits of hash‑based detection.

The attack remains active in researchers' view, and the combination of automatic execution during install, broad credential collection, encrypted exfiltration, and per‑infection payloads tightens the window for response. For teams that find any of the listed package versions in their pipelines, the immediate, published steps are clear: remove the packages, rotate credentials, and consult the ongoing artifacts lists published by Socket and Wiz as they update detections.

Source: The Register