Enterprise npm Scopes Are Being Hijacked
On June 1, 2026, unauthorized commits were pushed to repositories in the RedHatInsights GitHub organization and used to publish malicious versions of 32 packages under the @redhat-cloud-services npm scope. The campaign, tracked as Miasma, delivers a 4.2MB obfuscated payload through an npm preinstall hook — the moment any of these packages is installed, the payload executes before the application code runs.
The payload targets five categories of credentials and infrastructure: CI/CD systems (Jenkins, GitHub Actions, GitLab CI), cloud identities (AWS, Azure, GCP service accounts), GitHub credentials (tokens, SSH keys), npm publishing workflows (enabling further supply chain propagation), and — notably — AI developer tooling (API keys, model configurations, development environment secrets for AI platforms).
Why AI Tooling Is a Target
Miasma is the first supply chain campaign to explicitly target AI developer tooling — Gemini API keys, OpenAI tokens, Anthropic credentials, model configuration files, and development environment variables used to interact with AI services. These credentials are valuable because AI API access is expensive and metered. Stolen AI API keys can be used to run compute-intensive workloads on the victim's account, generating bills that run into thousands of dollars before the theft is detected.
More concerning: AI API keys often have broad permissions. A stolen Gemini API key does not just allow text generation — it may allow access to fine-tuned models, training data, and conversation histories. In enterprise environments where AI tools are integrated into business workflows, stolen API credentials provide access to proprietary data and decision processes.
The Enterprise npm Scope Problem
The @redhat-cloud-services scope is an enterprise namespace — packages published under this scope are implicitly trusted by organizations deploying Red Hat cloud infrastructure. Enterprise developers install @redhat-cloud-services packages without the scrutiny they might apply to unknown packages because the scope name signals organizational authority. This trust model is the attack surface.
The attack succeeded because the GitHub organization's access controls were insufficient to prevent unauthorized commits. Once commits reached the repository, the npm publishing workflow ran automatically — CI/CD automation became the attack vector. The same automation that enables rapid, reliable software delivery enabled rapid, reliable malware delivery.
Simultaneous Campaigns
Miasma is not isolated. It arrived during the same period as the Shai-Hulud worm (170+ packages, 518M downloads, SLSA provenance defeated) and the TrapDoor campaign — the first to simultaneously weaponize npm, PyPI, and Crates.io with runtime-specific execution paths. Three distinct supply chain campaigns running concurrently across the JavaScript and Python ecosystems. The supply chain attack is no longer an occasional event. It is a sustained, multi-front offensive.
What Organizations Should Do
Audit @redhat-cloud-services package versions immediately. Check npm lock files for unexpected version bumps. Rotate any AI API keys, cloud credentials, and GitHub tokens on systems where affected packages were installed. Implement package pinning and integrity verification in CI/CD pipelines — npm preinstall hooks should be audited or disabled for untrusted packages. The era of trusting enterprise namespace packages by default is over.


