MEDIUMSupply Chain
Global

Red Hat Cloud Services npm Packages Hijacked

·Source: Sonatype (Maven/npm)

Updated:

Executive Summary

<img src="https://www.sonatype.com/hubfs/blog_miasma_npm_campaign.png" alt="Image with text "Red Hat Hijacked: Malicious Miasma npm campaign"" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0

Analysis

A new wave of malicious npm activity has been reported involving multiple packages in t he legitimate @redhat-cloud-services namespace .

Indicators of Compromise (5)

URL (3)
https://www.sonatype.com/blog/red-hat-cloud-services-npm-packages-hijacked
VirusTotalURLhaus
https://www.sonatype.com/hubfs/blog_miasma_npm_campaign.png
VirusTotalURLhaus
https://guide.sonatype.com/vulnerability/sonatype-2026-003508/components-impacted
VirusTotalURLhaus
Domain (2)
www.sonatype.com
VirusTotalURLhaus
guide.sonatype.com
VirusTotalURLhaus
Source Attribution

Originally published by Sonatype (Maven/npm) on Jun 1, 2026.

Related Threats

MEDIUMSupply Chain

Red Hat npm packages compromised to steal developer credentials

More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed "Miasma." [...]

BleepingComputer
CRITICALSupply ChainPOC

Oracle’s first monthly patch release fixes 35 flaws, including 11 rated ‘critical’

Oracle has released the first security fixes in its new monthly Critical Security Patch Update (CSPU) cycle, designed to address urgent vulnerabilities that can’t wait for the company’s quarterly patching. The initial batch addresses 35 flaws, including several for which exploit code is publicly available. In total, there are 11 flaws rated ‘critical’ , 18 rated ‘high’, and 6 ‘medium’. The most im

CVE-2026-46840CVE-2026-46775
CSO Online
MEDIUMSupply Chain

Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm

A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma, has compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. "This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential

The Hacker News