A supply chain attack on the @redhat-cloud-services npm scope compromised 32 packages, reaching roughly 117,000 weekly installs. The payload steals cloud credentials, hooks AI developer tools, and self-propagates.
What happened
On June 1, 2026, Wiz Research published findings on a supply chain compromise targeting the @redhat-cloud-services npm namespace. At least 32 packages, spanning 96 released versions, contained a malicious preinstall payload. Cumulatively, those packages see roughly 117,000 downloads per week.
The attack started with a Red Hat employee's GitHub account. That account was used to push malicious orphan commits to two RedHatInsights repositories without triggering code review. From there, the attackers exploited a structural gap in npm's trusted publishing: GitHub Actions OIDC tokens are short-lived and scoped per-job, but in this case they were abused to mint provenance-attested npm publishes that looked, to npm's verification layer, like legitimate Red Hat CI runs. Valid attestation does not mean clean code.
What the payload does
The payload runs via npm's preinstall hook, which fires before any user-defined install steps. It executes obfuscated JavaScript that harvests credentials and secrets stored on the developer's machine, cloud identity tokens for AWS, GCP, and Azure, and any npm tokens the compromised developer can publish with.
The worm then tries to spread: it iterates over npm packages the infected developer has publish rights on and injects itself into their releases.
New in this variant is an explicit focus on AI developer tooling. The payload installs hooks into Claude, OpenAI Codex, Google Gemini, GitHub Copilot, Kiro, and opencode. The goal is to intercept API credentials for those tools and the code context being passed to them. AI session context is now an explicit exfiltration target.
There is also a destructive failsafe. A component named gh-token-monitor watches stolen GitHub tokens. If it detects a token has been revoked, it can execute destructive commands, including wiping the user's home directory.
The payload installs as a persistent service: kitty-monitor.service on Linux, com.user.kitty-monitor.plist on macOS.
The underlying malware derives from TeamPCP's Mini Shai-Hulud, an open-source worm that targeted the npm ecosystem in May 2026. The Miasma variant swaps Dune-universe references for Greek mythology and adds cloud-identity and AI-tooling collectors, but the core technique is the same.
Who is affected
Any developer or CI system that installed an @redhat-cloud-services package between late May 2026 and June 1, 2026. npm has yanked the affected versions. If your machine or CI runner installed one of these packages during that window, treat it as compromised.
What to do
Audit node_modules for any @redhat-cloud-services install timestamps in the affected window. Rotate all credentials that may have been present on those machines: npm tokens, AWS/GCP/Azure identity tokens, AI API keys (OpenAI, Anthropic, Google), and GitHub personal access tokens. Check for the persistence services kitty-monitor.service or com.user.kitty-monitor.plist. Review your GitHub Actions OIDC configuration: ensure OIDC tokens are scoped to the minimum necessary permissions and that trusted publishing workflows cannot be triggered from orphan branches.
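The node_modules audit and the persistence check above, as an added shell sketch (not part of the original write-up and not Red Hat or Wiz tooling). It treats each package.json mtime as a stand-in for install time and looks for the two persistence file names; the window start date and the search directories in the usage lines are assumptions, since the page gives neither.

```shell
#!/bin/sh
# Usage: sh triage.sh ROOT START END   (START/END in `touch -t` form, CCYYMMDDhhmm)
# e.g.   sh triage.sh "$HOME/src" 202605200000 202606012359
# 202605200000 is a constructed stand-in for "late May"; the article gives no exact date.
SCOPE='@redhat-cloud-services'

# scan_scope ROOT START END
# Prints "<IN_WINDOW|outside> <scope>/<name>@<version> <dir>" per installed package.
# Assumption: package.json mtime approximates install time.
scan_scope() (
  tmp=$(mktemp -d) || exit 1
  touch -t "$2" "$tmp/start"
  touch -t "$3" "$tmp/end"
  find "$1" -type d -path "*/node_modules/$SCOPE" 2>/dev/null |
  while IFS= read -r scope_dir; do
    for pkg in "$scope_dir"/*/; do
      manifest="${pkg}package.json"
      [ -f "$manifest" ] || continue
      version=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$manifest" | head -n 1)
      # mtime after START and not after END means inside the window
      if [ -n "$(find "$manifest" -newer "$tmp/start" ! -newer "$tmp/end")" ]; then
        verdict=IN_WINDOW
      else
        verdict=outside
      fi
      printf '%s %s/%s@%s %s\n' "$verdict" "$SCOPE" "$(basename "$pkg")" \
        "${version:-unknown}" "$pkg"
    done
  done
  rm -rf "$tmp"
)

# find_persistence DIR...
# Prints any file carrying one of the two persistence names from the article.
find_persistence() {
  find "$@" \( -name 'kitty-monitor.service' -o -name 'com.user.kitty-monitor.plist' \) \
    -print 2>/dev/null || true
}

if [ "$#" -eq 3 ]; then
  scan_scope "$1" "$2" "$3"
  # Search dirs are assumptions (standard systemd/launchd locations); the article
  # does not say where the payload writes its unit files.
  find_persistence "$HOME/.config/systemd/user" /etc/systemd/system \
    "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
fi
```

An "outside" verdict does not clear a machine: a later reinstall resets the mtime, so rotate credentials on any host where the scope appears at all.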
The CI/CD trust model problem
The deeper issue here is not a compromised package; it is that provenance attestation in npm was bypassed through the CI/CD layer rather than broken. npm's trusted publishing verifies that a package was built by a specific workflow in a specific repository. It does not verify that the workflow was not itself tampered with via a compromised account.
This is the same class of problem that surfaced in the SolarWinds build system compromise and in the xz-utils backdoor: the trust chain extends to the build environment, and if an attacker controls a commit in that environment, the rest of the chain is moot.
Until npm and GitHub provide stronger controls around orphan branch pushes and commit-level signing from verified identities, provenance attestation is a floor, not a ceiling.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you run a development platform or security function affected by npm supply chain risk.