On June 1, 2026, eight npm packages in the @redhat-cloud-services scope were discovered to contain malicious payloads that execute via a preinstall hook during npm installations. This sophisticated multi-stage credential harvester targets sensitive data such as GitHub Actions secrets and various cloud service tokens. Analysis revealed obfuscation within the code, indicating security vulnerabilities in the Red Hat Cloud Services frontend ecosystem.
The packages included versions that had anomalously large sizes due to injected malicious code. The issue was linked to compromised GitHub Actions workflows, and StepSecurity is working on coordinating remediation and further analysis of the packages.