Researchers find several packages in the @redhat-cloud-services npm namespace shipped malware targeting credentials for GitHub Actions, AWS, GCP, and others

rank 0 · 0 points · 1 sources · primary Techmeme

open source

Summary

Several packages in the @redhat-cloud-services npm scope were found to carry malicious payloads that fire via a preinstall hook on every npm install, targeting GitHub Actions secrets, AWS, GCP, and other credentials.

Why it matters

High
