Attackers Hijack Red Hat npm Scope to Steal Cloud Secrets
ID: 191eee47-20e1-54c1-b445-333c9d4010b8
STIX ID: report--191eee47-20e1-54c1-b445-333c9d4010b8
Feed Name: Infosecurity Magazine (News)
A fast-moving supply-chain attack republished 32 legitimate packages in the @redhat-cloud-services npm namespace with obfuscated preinstall malware, a variant of the Mini Shai-Hulud/Miasma family. The malware steals cloud keys, CI/CD and npm tokens, and attempts to propagate by republishing other packages. The malicious releases were pushed using compromised GitHub Actions OIDC tokens and affected roughly 9.8 million downloads in total. They were removed after maintainers released clean versions, but any installs pinned to those malicious versions remain at risk and require credential rotation and pipeline audits.
