Dozens of JavaScript packages in the company's @redhat-cloud-services namespace were backdoored with credential-stealing malware targeting secrets in Red Hat developers' and continuous integration and continuous deployment (CI/CD) systems. The security research company Aikido reported that the namespace was "compromised with a credential-stealing worm. In total, 96 versions across 32 packages have been compromised, cumulatively downloaded 116,991 times per week."

According to Red Hat security, someone used a compromised GitHub account to inject malicious code into packages maintained in a Red Hat GitHub organization. The affected packages are front-end libraries compiled and bundled into container images during the Red Hat product build process.

It appears the malware was added via npm preinstall hooks: Whenever a developer or build system ran "npm install" for an affected package, the malicious code was automatically executed. According to Microsoft's threat intelligence team, each compromised package added a preinstall script that ran a bloated, heavily obfuscated index.js loader, which then pulled down and executed a payload designed to vacuum up secrets from npm, GitHub, AWS, SSH, and other environments.

Researchers quickly linked the attack to a broader campaign based on the Mini Shai-Hulud malware, an npm-propagating worm used in earlier supply-chain incidents. In the Red Hat case, multiple reports refer to the payload as a new variant dubbed Miasma, which retains Mini Shai-Hulud's self-spreading behavior while adding more obfuscation and a multistage loading design.