Monitoring · Low impact · AI Refreshed

Red Hat npm Packages Compromised in Supply-Chain Credential Attack

Occurred 1 May 2026 · Detected 1 Jun 2026
🇺🇸 Global supply-chain attack via Red Hat npm namespace; Red Hat headquartered in US · 5 reports
Cyber · Trade Disruption · Property · Cyber · Casualty & Liability

A supply-chain attack compromised more than 30 npm packages in Red Hat's '@redhat-cloud-services' namespace, distributing 'Miasma' credential-stealing malware, a variant of the Shai-Hulud worm. A related and rapidly contained incident saw Microsoft remove 73 GitHub repositories across Azure, microsoft, Azure-Samples, and MicrosoftDocs organisations, with Microsoft reporting containment within 105 seconds and full restoration, exposing a 'small number' of customers. The Miasma/Shai-Hulud toolkit was subsequently published publicly on GitHub, and researchers separately identified IronWorm, a Rust-based npm-targeting infostealer with self-propagation and credential-theft capabilities. No named insured commercial losses, financial loss estimates, claims, or notices of circumstance have been reported.

AI-generated from linked source reports. See our correction policy.

Impact verdict

Low impact. The combined Red Hat npm compromise, Microsoft GitHub repository incident, public release of the Miasma toolkit, and emergence of IronWorm demonstrate escalating, cross-ecosystem reach of credential-stealing worms into hyperscale cloud and developer-tooling environments. However, no concrete London Market loss pathway is evidenced: no named insured commercial entities have confirmed losses, no financial loss estimates have been published, and no claims, reserving, or underwriting actions are referenced. Microsoft's 105-second containment and full repository restoration, combined with only a 'small number' of potentially exposed customers, further limit near-term insured loss exposure. The event remains a watch-list item for cyber underwriters monitoring developer toolchain exposures but does not meet the threshold for MEDIUM without confirmed downstream insured losses.

How we grade what we know: Known · Reported · Uncertain.

Intelligence ledger

AI refreshed 14 Jun 2026, 08:09

Known (10 lines)

30+ npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised
structured line · known
No separate sourced-claim record is available for this line yet.
Attack distributed a new variant of credential-stealing malware called 'Miasma' (a variant of 'Shai-Hulud')
structured line · known
No separate sourced-claim record is available for this line yet.
Attack classified as a supply-chain compromise
structured line · known
No separate sourced-claim record is available for this line yet.
The Miasma supply-chain attack toolkit was published publicly on GitHub, broadening access to offensive supply-chain capabilities for threat actors.
miasma_toolkit_public_release · systemic exposure signal · valid from 9 Jun 2026, 19:15 · Cyber
Market relevance: Public release of offensive tooling lowers barriers for supply-chain attacks; relevant to cyber systemic risk monitoring.
“Miasma supply-chain attack toolkit goes public on GitHub” — theregister.com · 9 Jun 2026, 19:15 · mainstream media
The credential-stealing malware distributed in the Red Hat npm compromise is dubbed 'Miasma' and is a variant of the 'Shai-Hulud' worm family.
malware_family_miasma_shai_hulud · threat landscape update · valid from 1 Jun 2026, 22:44 · Cyber
Market relevance: Threat-actor capability and tooling classification relevant to cyber underwriting.
“distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed 'Miasma.'” — BleepingComputer · 1 Jun 2026, 21:38 · trade media
More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack.
redhat_npm_packages_compromised_count · watch list monitor · valid from 1 Jun 2026, 22:44 · Cyber
Market relevance: Cyber underwriters monitoring developer toolchain supply-chain exposure.
“More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed 'Miasma.'” — BleepingComputer · 1 Jun 2026, 21:38 · trade media
Supersession history: 1 prior/revised claim row.
Microsoft removed 73 GitHub repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organisations after a supply-chain compromise linked to the Miasma/Shai-Hulud campaign.
microsoft_github_repos_removed · watch list monitor · valid from 9 Jun 2026, 15:50 · Cyber
Market relevance: Hyperscale cloud vendor incident elevates supply-chain concern for cyber underwriters.
“Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub, disrupting continuous integration pipelines.” — BleepingComputer · 9 Jun 2026, 15:42 · trade media
Supersession history: 1 prior/revised claim row.
Microsoft reported the GitHub repository incident was contained within 105 seconds and all repositories have since been restored.
microsoft_containment_timing · severity floor · valid from 9 Jun 2026, 15:50 · Cyber
Market relevance: Rapid containment limits insured loss pathway from the Microsoft-side incident.
“The incident occurred on June 5, and it was contained within just 105 seconds.” — BleepingComputer · 9 Jun 2026, 15:42 · trade media
The malware distributed via the compromised Red Hat npm packages is dubbed 'Miasma' and is identified as a variant of the 'Shai-Hulud' credential-stealing malware family.
malware_family_identification · context · valid from 1 Jun 2026, 22:44 · cyber
Market relevance: Identifies a known, worm-capable credential-stealer lineage active across npm and other ecosystems, relevant to cyber accumulation modelling.
“distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed 'Miasma.'” — BleepingComputer · 10 Jun 2026, 02:58
The event is in 'active' lifecycle status as of the latest RiskEvents refresh, promoted from 'developing' following corroboration signals.
event_lifecycle_active · status update · valid from 14 Jun 2026, 05:20 · Cyber
Market relevance: Lifecycle tracking for cyber underwriter situational awareness.
“evidence_trigger: developing_promotion” — Source · 14 Jun 2026, 08:09

Reported (9 lines)

The malware is designed to steal developer credentials
structured line · reported
No separate sourced-claim record is available for this line yet.
Red Hat's npm namespace was used as the attack vector
structured line · reported
No separate sourced-claim record is available for this line yet.
Security researchers identified IronWorm, a Rust-based information-stealing malware with self-propagation capabilities targeting npm packages and developer environments, abusing trusted publishing workflows to compromise GitHub and npm and steal credentials from cloud, CI/CD, and Kubernetes environments.
ironworm_npm_malware_identified · threat landscape update · valid from 13 Jun 2026, 21:12 · Cyber
Market relevance: Emerging Rust-based npm-targeting infostealer reinforces systemic supply-chain risk for cyber underwriters.
“IronWorm is a Rust-based infostealer with self-propagation capabilities. It steals developer secrets, abuses GitHub and npm workflows, uses Tor for C2 communications, and reportedly leverages an eBPF rootkit for stealth.” — r/cybersecurityindia · 6 Jun 2026, 19:05 · social community
“IronWorm Supply Chain Malware Hits npm” — r/blueteamsec · 5 Jun 2026, 04:21 · social community
Reporting links the same Miasma/Shai-Hulud credential-stealing worm campaign to compromises across npm (Red Hat), PyPI packages, and GitHub (Microsoft), indicating escalating cross-ecosystem supply-chain risk.
cross_ecosystem_supply_chain_spread · watch list · valid from 9 Jun 2026, 15:50 · cyber
Market relevance: Cross-ecosystem worm behaviour is an accumulation concern for cyber underwriters with exposure to open-source and CI/CD-dependent insureds.
“The attack follows similar compromises of Red Hat npm packages and PyPI packages, highlighting escalating supply-chain risk across open-source ecosystems.” — BleepingComputer · 10 Jun 2026, 02:58
The Miasma malware targets developer credentials, potentially exposing downstream enterprise environments.
attack_vector_developer_credentials · systemic exposure signal · valid from 1 Jun 2026, 22:44 · Cyber
Market relevance: Developer credential theft is a systemic exposure for cyber insurers writing tech, cloud, and SaaS risks.
“The attack targets developer credentials, potentially exposing downstream enterprise environments.” — BleepingComputer · 1 Jun 2026, 21:38 · trade media
Microsoft indicated a 'small number' of customers may have been potentially exposed to compromised content from the affected GitHub repositories.
microsoft_potentially_exposed_customers · severity floor · valid from 9 Jun 2026, 15:50 · Cyber
Market relevance: Limited named customer exposure reduces near-term insured loss pathway.
“all repositories have since been restored, but it exposed a 'small number' of customers who may have pulled compromised content.” — BleepingComputer · 9 Jun 2026, 15:42 · trade media
The Microsoft GitHub repository incident exposed a 'small number' of customers who may have pulled compromised content.
microsoft_github_potential_customer_exposure · watch list · valid from 9 Jun 2026, 15:50 · cyber
Market relevance: Provides an upper-bound on potential downstream insured exposure from the Microsoft-side incident; described only qualitatively as a 'small number'.
“it exposed a 'small number' of customers who may have pulled compromised content.” — BleepingComputer · 10 Jun 2026, 02:58
Microsoft reported the supply-chain compromise incident on its GitHub repositories was contained within 105 seconds, and all repositories have since been restored.
microsoft_github_containment_time · context · valid from 9 Jun 2026, 15:50 · cyber
Market relevance: Rapid containment at a hyperscale vendor reduces likelihood of material insured loss flowing from the Microsoft-side portion of the campaign.
“The incident occurred on June 5, and it was contained within just 105 seconds.” — BleepingComputer · 10 Jun 2026, 02:58
The Miasma malware is designed to steal developer credentials from compromised developer environments.
attack_vector_credential_theft · watch list · valid from 1 Jun 2026, 22:44 · cyber
Market relevance: Credential theft from developer environments is a precursor to downstream cloud and code-repository intrusions; relevant to cyber accumulation risk.
“The attack targets developer credentials, potentially exposing downstream enterprise environments.” — BleepingComputer · 10 Jun 2026, 02:58

Uncertain (7 lines)

Scale of downstream enterprise exposure and number of affected organizations
structured line · uncertain
No separate sourced-claim record is available for this line yet.
Whether any named insured commercial entities have confirmed losses or breaches
structured line · uncertain
No separate sourced-claim record is available for this line yet.
Whether any cyber insurers have received claims or notices of circumstance
structured line · uncertain
No separate sourced-claim record is available for this line yet.
Duration of compromise and total credentials exfiltrated
structured line · uncertain
No separate sourced-claim record is available for this line yet.
The scale of downstream enterprise exposure and the number of affected organisations from the Red Hat npm compromise remain unconfirmed.
downstream_exposure_uncertain · uncertainty floor · valid from 14 Jun 2026, 05:20 · Cyber
Market relevance: Limits ability to convert supply-chain compromise into a quantifiable London Market loss estimate.
“potentially exposing downstream enterprise environments” — BleepingComputer · 1 Jun 2026, 21:38 · trade media
The scale of downstream enterprise exposure, the number of affected organizations, the duration of the compromise, and the total number of credentials exfiltrated remain unconfirmed.
downstream_exposure_scale_uncertain · watch list · valid from 9 Jun 2026, 15:50 · cyber
Market relevance: Key open variables for any future cyber accumulation assessment tied to the Miasma/Shai-Hulud worm.
“potentially exposing downstream enterprise environments” — BleepingComputer · 10 Jun 2026, 02:58
No named insured commercial losses, financial loss estimates, claims, or notices of circumstance have been reported in connection with the Red Hat npm compromise or the related Microsoft GitHub repository incident.
no_named_insured_losses_reported · severity floor · valid from 14 Jun 2026, 05:20 · Cyber
Market relevance: Absence of confirmed insured loss evidence supports low potential_impact banding.
“a 'small number' of customers who may have pulled compromised content” — BleepingComputer · 9 Jun 2026, 15:42 · trade media
“no named insured commercial assets, confirmed financial losses, or direct claims activity has been reported” — BleepingComputer · 1 Jun 2026, 21:38 · trade media
Supersession history: 1 prior/revised claim row.

Geographic Zone Matches

3 active matches

  • TRIA Certified Areas
    Rule-based · Confidence 100%
  • Pacific Ring of Fire
    Rule-based · Confidence 100%
  • Caribbean Hurricane Zone
    Rule-based · Confidence 100%

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Affected countries

🇺🇸 United States

Latest developments

  • More than 30 Red Hat '@redhat-cloud-services' npm packages were compromised in the Miasma supply-chain attack. (BleepingComputer)
  • The Red Hat npm attack distributed 'Miasma' malware, a variant of the Shai-Hulud credential-stealing worm. (BleepingComputer)
  • Miasma targets developer credentials, with potential downstream enterprise exposure. (BleepingComputer)
  • Microsoft removed 73 GitHub repositories across Azure, microsoft, Azure-Samples, and MicrosoftDocs following a Miasma/Shai-Hulud-linked compromise. (BleepingComputer)
  • Microsoft contained the GitHub incident within 105 seconds and has restored all affected repositories. (BleepingComputer)
  • A 'small number' of Microsoft customers may have been potentially exposed to compromised repository content. (BleepingComputer)
  • The Miasma supply-chain attack toolkit was released publicly on GitHub, broadening threat-actor access. (theregister.com)
  • Researchers identified IronWorm, a Rust-based npm-targeting credential stealer with self-propagation capabilities. (r/cybersecurityindia)

Timeline

Status Change · 14 Jun 2026, 11:30

Status changed to monitoring

Auto-transitioned: no updates for 6 hours

active -> monitoring

Intelligence Refresh · 14 Jun 2026, 08:09

Status Change · 14 Jun 2026, 05:20

Status changed to active

evidence_trigger: developing_promotion

developing -> active

Corroboration · 14 Jun 2026, 05:20

A supply-chain attack toolkit named 'Miasma' has been published publicly on GitHub, making offensive cyber capabilities broadly available to threat actors. The release lowers the barrier for conducting software supply-chain compromises, which are a significant concern for cyber underwriters monitoring systemic exposure across software dependencies and CI/CD pipelines. No specific attacks or insured losses are reported in connection with the toolkit's release.

Source: theregister.com (Mainstream Media)

Corroboration · 13 Jun 2026, 21:12

Security researchers have identified IronWorm, a Rust-based information-stealing malware with self-propagation capabilities targeting npm packages and developer environments. It abuses trusted publishing workflows to compromise GitHub and npm, stealing credentials from cloud, CI/CD, and Kubernetes environments. While a significant cyber threat, there is no evidence of insured losses, specific corporate victims, or active exploitation campaigns causing material claims.

Source: r/cybersecurityindia (Social / Community)

Status Change · 13 Jun 2026, 21:08

Status changed to developing

evidence_trigger: corroboration >= 2

signal -> developing

Corroboration · 13 Jun 2026, 21:08

A new supply chain malware named IronWorm has been discovered targeting the npm package registry, potentially affecting downstream JavaScript developers and organizations. Supply chain attacks on widely-used package managers can cascade into significant cyber insurance claims across multiple sectors. The incident highlights ongoing risk to organizations dependent on open-source software dependencies.

Source: r/blueteamsec (Social / Community)

Intelligence Refresh · 10 Jun 2026, 02:58

Corroboration · 9 Jun 2026, 15:50

Microsoft removed 73 GitHub repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations after a supply-chain compromise linked to the Miasma/Shai-Hulud credential-stealing worm campaign. The incident was contained within 105 seconds and all repositories have since been restored, but it exposed a 'small number' of customers who may have pulled compromised content. The attack follows similar compromises of Red Hat npm packages and PyPI packages, highlighting escalating supply-chain risk across open-source ecosystems.

Source: BleepingComputer (Trade Media)

Initial Detection · 1 Jun 2026, 22:44

More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack distributing credential-stealing malware dubbed 'Miasma.' The attack targets developer credentials, potentially exposing downstream enterprise environments. While the technical scope is significant, no named insured commercial assets, confirmed financial losses, or direct claims activity has been reported.

More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed 'Miasma.'

Source: BleepingComputer (Trade Media)
