How Red Hat npm Packages Were Compromised in 2025 to Steal Developer Credentials

In 2025, security firms Aikido and OX Security identified a significant supply chain attack targeting over 30 npm packages in Red Hat's @redhat-cloud-services namespace. These packages, with approximately 117,000 weekly downloads, were used to distribute credential-stealing malware. The attacks are associated with a series of CVEs from 2025, including CVE-2025-10894, CVE-2025-59037, and CVE-2025-59140.

Red Hat responded swiftly, removing the affected packages from the npm registry and initiating an investigation. The compromise was contained to internal development tooling. Red Hat confirmed no malicious code reached customer-facing services via console.redhat.com, nor were production systems or customer/partner environments impacted. This containment shows that Red Hat's internal version pinning and quick response prevented a wider compromise.

The Incident: Red Hat npm Packages Backdoored

The attack chain highlights a critical vulnerability in CI/CD pipelines, specifically the abuse of trusted publishing mechanisms. The process unfolded in several stages:

Initial Compromise: Attackers allegedly compromised a Red Hat employee's GitHub account, likely through phishing or credential stuffing.

Malicious Commits: Using the compromised developer account, attackers pushed malicious commits directly to multiple repositories. This step often bypasses standard code review if the account holds elevated privileges.

How a Compromised GitHub Account Weaponized Trusted Publishing

GitHub Actions Workflow Injection: These commits introduced a new GitHub Actions workflow and an associated script. This workflow was configured to execute within the CI/CD process. For best practices on securing your CI/CD, refer to GitHub's security hardening guides for Actions.

OIDC Token Request: The injected workflow utilized the id-token: write permission. This permission allows a GitHub Actions workflow to request a short-lived OpenID Connect (OIDC) token from GitHub. This token is then used to authenticate directly with npm's trusted publishing endpoint.

Trusted Publishing Abuse: The script executed _index.js, passing target packages via the OIDC_PACKAGES environment variable. Authenticating with the OIDC token, it released backdoored versions of the Red Hat npm packages as a legitimate publisher.

Malware Delivery: The compromised Red Hat npm packages contained a malicious preinstall script: "preinstall": "node index.js". This configuration meant that merely installing the package would trigger the malware's execution.

[Figure: terminal screen showing the malicious JavaScript preinstall script and the shell commands used to compromise Red Hat npm packages]

This incident shows a significant shift in how supply chain attacks work. Trusted publishing, designed to enhance security by eliminating long-lived npm tokens, was instead exploited as a direct conduit for malware. The system functioned as intended; the vulnerability lay in the initial point of trust—the compromised developer account itself.
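An added example (not code from Red Hat, GitHub or the original article): a heuristic Node.js scan that lists where a workflow file grants the `id-token: write` permission described above, so that new or changed workflows able to mint OIDC tokens stand out in review. The sample workflow is constructed, and the scan assumes block-style YAML with space indentation rather than using a full YAML parser.

```javascript
// Added example: heuristic line scan of a GitHub Actions workflow for OIDC grants.
// Not a YAML parser; assumes block-style YAML indented with spaces.
function findOidcGrants(yamlText) {
  const grants = [];
  let inJobs = false, jobIndent = null, job = null;
  yamlText.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.replace(/\s+#.*$/, ''); // drop trailing comments
    const text = line.trim();
    if (!text || text.startsWith('#')) return;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) {
      // A new top-level key: only "jobs:" opens the job map.
      inJobs = text === 'jobs:'; job = null; jobIndent = null;
    } else if (inJobs) {
      if (jobIndent === null) jobIndent = indent; // first key under jobs:
      if (indent === jobIndent && /^[\w-]+:$/.test(text)) job = text.slice(0, -1);
    }
    const explicit = /\bid-token:\s*['"]?write\b/.test(text);
    // write-all sets every permission scope to write, id-token included.
    const blanket = /^permissions:\s*['"]?write-all['"]?$/.test(text);
    if (explicit || blanket) {
      grants.push({
        line: idx + 1,
        scope: job ? `job:${job}` : 'workflow',
        via: explicit ? 'id-token: write' : 'permissions: write-all',
      });
    }
  });
  return grants;
}

// Constructed sample workflow (not taken from any affected repository).
const SAMPLE_WORKFLOW = [
  'name: release',
  'on: push',
  'permissions:',
  '  contents: read',
  'jobs:',
  '  test:',
  '    runs-on: ubuntu-latest',
  '  publish:',
  '    runs-on: ubuntu-latest',
  '    permissions:',
  '      id-token: write   # this job can request an OIDC token',
  '    steps:',
  '      - run: npm publish',
].join('\n');

console.log(findOidcGrants(SAMPLE_WORKFLOW));
```

Every hit is a place where a workflow can obtain a publishing identity, so a grant that appears in a commit nobody reviewed deserves the same scrutiny as a leaked token.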

Miasma: The Spreading Blight

The payload is credential-stealing malware. The `index.js` file, approximately 4.2 MB in size, is engineered to target a broad spectrum of sensitive information:

  • GitHub Actions secrets
  • AWS credentials
  • Google Cloud credentials
  • Azure service principal credentials
  • HashiCorp Vault tokens
  • Kubernetes service account tokens
  • npm and PyPI publishing tokens
  • SSH keys
  • Docker credentials
  • GPG keys
  • .env files

Even one stolen credential can give attackers deep access to a developer's entire environment. The malware, which utilizes the string "Miasma: The Spreading Blight" as comments in compromised GitHub repositories, shares structural similarities with other credential-stealing frameworks. The TeamPCP threat group publicly released the Mini Shai-Hulud malware framework source code in May. OX Security analysis indicates this malware incorporates additional obfuscation, multi-stage payload delivery, and enhanced data theft capabilities. At the time of writing, 309 GitHub repositories were compromised by this campaign, many linked to the initial compromise of Red Hat npm packages.

Resolution, Mitigation, and Future Outlook

The incident officially closed on 2025-12-12, following collective action from upstream projects and ecosystems that halted the campaigns. GitHub has since announced upcoming security enhancements for npm, a necessary step. Red Hat continues threat monitoring, and their extensive use of version pinning proved crucial in this scenario.

However, this incident clearly shows how supply chain risks are evolving. If you installed any affected versions of the @redhat-cloud-services packages, or any package implicated in the broader credential-stealing malware campaigns (as listed in the Red Hat Customer Portal advisory), immediate action is required to secure your systems from the impact of these compromised Red Hat npm packages.


Organizations that installed any affected versions are strongly advised to immediately rotate all credentials, secrets, and tokens utilized by code on any potentially infected device. This includes cloud provider credentials, SSH keys, CI/CD tokens, and any publishing tokens. Assume compromise and take immediate action.
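To find out whether a project resolved anything from the affected scope, or any other dependency that runs install-time hooks such as the `preinstall` script described earlier, the lockfile can be audited before deciding what to rotate. The following is an added example, not code from Red Hat or the original article; the package names and versions in the sample lockfile are constructed placeholders, and the real affected versions must be taken from the Red Hat advisory.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for packages
// in a scope under review and for packages npm marks as running install scripts.
const SCOPE = '@redhat-cloud-services/';

// "node_modules/a/node_modules/@s/b" -> "@s/b" (handles nested installs)
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function auditLockfile(lock, scope = SCOPE) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = packageName(path);
    const inScope = name.startsWith(scope);
    // npm sets hasInstallScript for preinstall, install or postinstall scripts.
    const hasInstallScript = meta.hasInstallScript === true;
    if (inScope || hasInstallScript) {
      findings.push({ name, version: meta.version, path, inScope, hasInstallScript });
    }
  }
  // In-scope packages that also run install scripts sort first.
  const rank = (f) => (f.inScope ? 2 : 0) + (f.hasInstallScript ? 1 : 0);
  return findings.sort((a, b) => rank(b) - rank(a));
}

// Constructed sample lockfile; names and versions are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-helper': { version: '2.1.0' },
    'node_modules/native-addon': { version: '4.0.2', hasInstallScript: true },
    'node_modules/@redhat-cloud-services/example-a': { version: '9.9.9', hasInstallScript: true },
    'node_modules/left-helper/node_modules/@redhat-cloud-services/example-b': { version: '1.2.3' },
  },
};

// CLI use under CommonJS: node audit-lock.js path/to/package-lock.json
if (typeof require === 'function' && typeof module !== 'undefined' &&
    require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  console.table(auditLockfile(lock));
}
```

Installing with `npm ci --ignore-scripts` keeps lifecycle hooks such as `preinstall` from running while the findings are checked against the advisory.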

This Red Hat incident serves as a critical case study, underscoring a fundamental shift in the attack surface: the developer's identity and the CI/CD pipeline are now primary targets. It reinforces the imperative to secure these 'trusted pathways' with the same rigor applied to production environments, moving beyond merely scanning for malicious packages to fortifying the entire development lifecycle against identity-based exploitation, as seen with the Red Hat npm packages.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.