31 Red Hat npm packages backdoored in 72 seconds
ID: a65f282d-f66b-5992-9ae6-c68c44cdd645
STIX ID: report--a65f282d-f66b-5992-9ae6-c68c44cdd645
Feed Name: ReversingLabs Blog
**Executive summary:** On June 1, 2026, ReversingLabs identified a scope-level compromise of the @redhat-cloud-services npm namespace, in which an attacker automated the publication of 31 malicious package versions within a 72-second window. Each package included an identical modification, a preinstall script invoking an obfuscated index.js, that implements a three-layer payload (ROT-N → AES-128-GCM → obfuscator.io) which downloads the bun runtime and executes a 634 KB credential-stealing, worm-capable payload. Roughly 9.8 million cumulative downloads increase the potential exposure. Clean versions were later published, but any build that ran npm install during the window should be treated as compromised and remediated per the report's recommendations.
