Red Hat npm packages compromised with credential stealing worm
ID: 371578be-cdfa-5c4d-bfa2-0d8f1aeec09b
STIX ID: report--371578be-cdfa-5c4d-bfa2-0d8f1aeec09b
Feed Name: ThreatLocker Blog
On June 1, 2026, multiple packages published under the Red Hat @redhat-cloud-services npm namespace were backdoored with a multi-stage, highly obfuscated credential-stealing worm (the Miasma variant of Mini Shai-Hulud). The malware uses preinstall scripts, layered AES obfuscation, and runtime decryptors to steal npm, GitHub, and cloud credentials and secrets; it self-propagates by abusing captured tokens to publish further malicious packages, and it delivers additional persistence and memory-dumping payloads. The report includes IOCs and supply-chain and CI/CD mitigations.
