Red Hat NPM Packages Backdoored in Supply Chain Attack
Attackers compromised a Red Hat employee's GitHub account and CI/CD pipeline to publish 96 malicious versions of 32 @redhat-cloud-services NPM packages. The Miasma credential-stealing worm (Mini Shai-Hulud variant) was injected via preinstall hook. Packages had nearly 10M downloads; over 200 downstream repos exposed harvested credentials.
A supply chain attack compromised 32 official @redhat-cloud-services NPM packages, resulting in the publication of 96 malicious versions that collectively received nearly 10 million downloads. The incident exposed GitHub secrets, NPM tokens, cloud credentials, and SSH keys from affected build environments and downstream repositories, with public reporting indicating that more than 200 downstream projects had credentials harvested by the embedded malware.
According to reporting from SecurityWeek, attackers first gained control of a Red Hat employee’s GitHub account and the associated CI/CD pipeline. They then injected the Miasma credential-stealing worm, identified as a Mini Shai-Hulud variant, through a malicious preinstall hook. The compromised packages remained available on the NPM registry until discovered and removed. Industry research from sources such as DoxxScan™ continuous monitoring indicates that credential leaks of this nature frequently appear in subsequent underground markets within days of initial exposure.
For executives and high-net-worth families, the breach underscores how seemingly distant open-source supply chain compromises can rapidly translate into personal and corporate risk. Corporate credentials stolen from developer workstations or CI environments are often reused for personal cloud accounts, password managers, or home infrastructure. When those credentials surface on dark web marketplaces, the same data enables targeted account takeovers, business email compromise, and physical security threats against family members.
The doxxing and identity-chain implications extend further. Harvested SSH keys and cloud tokens frequently link to GitHub handles, email addresses, and infrastructure that can be correlated with personal domains, family addresses, and children’s online profiles. Once a single handle is tied to real-world identity, adversaries can expand the chain across social media, gaming platforms, and data broker records, accelerating doxxing campaigns that expose home addresses, phone numbers, and travel patterns.
What to do
- Run a DoxxScan to map every link between your corporate and personal handles, emails, phone numbers, and real identity, followed by no-subscription cleanup of exposed records.
- Rotate every password and token used at Red Hat or any @redhat-cloud-services NPM package and eliminate reuse across both corporate and personal systems, then enable 2FA through an authenticator app rather than SMS.
- Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next credential leak is identified and addressed within hours rather than months.
- Cover the entire household with DoxxScan family coverage that extends protection to dependents and children’s gaming accounts, which often chain back to the same email addresses or home networks exposed in developer breaches.
- For executives, layer on hands-on remediation specialists who can execute takedown requests across data brokers and underground forums where harvested cloud credentials typically migrate.
The incident demonstrates that supply chain attacks now move at machine speed, turning one compromised developer account into thousands of exposed identities within days. Organizations and families that treat credential hygiene and identity mapping as continuous disciplines will maintain advantage; those that treat breaches as isolated events will remain permanently behind. DoxxScan by GalaxyWarden delivers that discipline through continuous monitoring across 15.4B+ breach records and 100+ platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and family coverage that explicitly includes children’s gaming accounts vulnerable to the same credential cascades seen in this Red Hat incident.
Related breaches
Cushman & Wakefield confirms vishing attack and Salesforce data breach
Commercial real estate firm Cushman & Wakefield confirmed a security incident triggered by a vishing…
Match Group (Tinder, Hinge, OkCupid) Data Breach — January 2026
ShinyHunters claimed responsibility for stealing over 10 million Match Group user records in early 2…
Everest ransomware claims breach of Liberty Mutual insurance data
The Everest ransomware group listed Liberty Mutual on its leak site, claiming theft of over 100 GB o…
A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.
⚠ Were you in this breach?
Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.
Check my email — free →