Skip to content
Security & Trust

Miasma: RedHat npm Scope Hijacked to Target CI/CD, Cloud Credentials, and AI Dev Tooling

32 packages under @redhat-cloud-services compromised. A 4.2MB obfuscated payload executes on install, targeting GitHub credentials, npm tokens, cloud identities, and AI developer tools specifically.

· 5 min read
Share on X LinkedIn
Miasma: RedHat npm Scope Hijacked to Target CI/CD, Cloud Credentials, and AI Dev Tooling

Enterprise npm Scopes Are Being Hijacked

On June 1, 2026, unauthorized commits were pushed to repositories in the RedHatInsights GitHub organization and used to publish malicious versions of 32 packages under the @redhat-cloud-services npm scope. The campaign, tracked as Miasma, delivers a 4.2MB obfuscated payload through an npm preinstall hook — the moment any of these packages is installed, the payload executes before the application code runs.

The payload targets five categories of credentials and infrastructure: CI/CD systems (Jenkins, GitHub Actions, GitLab CI), cloud identities (AWS, Azure, GCP service accounts), GitHub credentials (tokens, SSH keys), npm publishing workflows (enabling further supply chain propagation), and — notably — AI developer tooling (API keys, model configurations, development environment secrets for AI platforms).

32 under @redhat-cloud-services
Packages compromised
Published via unauthorized commits to RedHatInsights GitHub org. Source: Upwind, June 2026.
4.2MB obfuscated
Payload size
Executes via npm preinstall hook before application code. Source: Upwind, June 2026.
57+ NPM packages, 300+ malicious versions
Identified malicious packages
By June 5, expanding scope of campaign. Source: Unit42 (Palo Alto Networks), June 2026.

Why AI Tooling Is a Target

Miasma is the first supply chain campaign to explicitly target AI developer tooling — Gemini API keys, OpenAI tokens, Anthropic credentials, model configuration files, and development environment variables used to interact with AI services. These credentials are valuable because AI API access is expensive and metered. Stolen AI API keys can be used to run compute-intensive workloads on the victim's account, generating bills that run into thousands of dollars before the theft is detected.

More concerning: AI API keys often have broad permissions. A stolen Gemini API key does not just allow text generation — it may allow access to fine-tuned models, training data, and conversation histories. In enterprise environments where AI tools are integrated into business workflows, stolen API credentials provide access to proprietary data and decision processes.

The Enterprise npm Scope Problem

The @redhat-cloud-services scope is an enterprise namespace — packages published under this scope are implicitly trusted by organizations deploying Red Hat cloud infrastructure. Enterprise developers install @redhat-cloud-services packages without the scrutiny they might apply to unknown packages because the scope name signals organizational authority. This trust model is the attack surface.

The attack succeeded because the GitHub organization's access controls were insufficient to prevent unauthorized commits. Once commits reached the repository, the npm publishing workflow ran automatically — CI/CD automation became the attack vector. The same automation that enables rapid, reliable software delivery enabled rapid, reliable malware delivery.

Simultaneous Campaigns

Miasma is not isolated. It arrived during the same period as the Shai-Hulud worm (170+ packages, 518M downloads, SLSA provenance defeated) and the TrapDoor campaign — the first to simultaneously weaponize npm, PyPI, and Crates.io with runtime-specific execution paths. Three distinct supply chain campaigns running concurrently across the JavaScript and Python ecosystems. The supply chain attack is no longer an occasional event. It is a sustained, multi-front offensive.

3 major: Miasma, Shai-Hulud, TrapDoor
Concurrent campaigns (May-June 2026)
Simultaneous multi-ecosystem supply chain attacks. Source: Phoenix Security, June 2026.

What Organizations Should Do

Audit @redhat-cloud-services package versions immediately. Check npm lock files for unexpected version bumps. Rotate any AI API keys, cloud credentials, and GitHub tokens on systems where affected packages were installed. Implement package pinning and integrity verification in CI/CD pipelines — npm preinstall hooks should be audited or disabled for untrusted packages. The era of trusting enterprise namespace packages by default is over.

Share this insight