credential theft2 articles
Red Hat npm Packages Backdoored in Supply Chain Attack Stealing Cloud Credentials
Over 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were backdoored in a supply-chain attack, after attackers compromised a Red Hat employee's GitHub account and used it to publish malicious package versions containing credential-stealing malware. The malware, dubbed "Miasma," is a variant of the Shai-Hulud framework and was designed to steal a wide range of sensitive data including cloud credentials, SSH keys, CI/CD tokens, and environment files from developers who installed the affected packages. Red Hat removed the compromised packages and stated that they were limited to internal development tooling with no confirmed impact on customer environments, though the investigation remains ongoing.
How One Unrotated Token Gave Hackers Access to Grafana's Codebase
Grafana's data breach stemmed from a single GitHub workflow token that was accidentally missed during a credential rotation following the TanStack npm supply-chain attack, in which malicious packages infected with credential-stealing malware exfiltrated tokens from Grafana's CI/CD environment. The overlooked token allowed attackers to access private repositories, from which they stole source code and internal business contact information, though no customer production data or systems were compromised. Grafana confirmed that its codebase was not modified during the incident, meaning downloaded code remains safe, and users are not required to take any action.