Aikido Security A.I CyberSecurity Scoring
Aikido Security
Company Information
Website: https://www.aikido.dev
Number of employees: 165
Number of followers: 23,775
NAICS: 5112
Industry Type: Software Development
Homepage: aikido.dev
Aikido Security Risk Score (AI oriented)
Between 700 and 749
Updated: 02/06/2026
715/1000
Moderate
Ba
2 incidents
-19.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
736
Cyber Attack
01 Jun 2026 • Aikido Security
Organizations using Red Hat’s compromised npm packages: Attackers Hijack Red Hat npm Scope to Steal Cloud Secrets
Red Hat’s npm Namespace Hijacked in Supply Chain Attack Targeting Cloud Credentials
715
CRITICAL-21
AIK1780403445
On June 1, an attacker hijacked Red Hat’s official npm namespace (@redhat-cloud-services) to distribute backdoored versions of 32 widely used packages, compromising a trusted software supply chain. The malicious releases, published within a 72-second window, affected components of Red Hat’s Hybrid Cloud Console ecosystem, including UI tools, API clients, and build utilities, with a combined total of nearly 10 million downloads.
Unlike typical typosquatting attacks, the threat actor took control of a legitimate namespace, replacing authentic packages with versions containing hidden malware. The payload, a variant of the Mini Shai-Hulud worm (tracked as Miasma by Aikido Security), executed via obfuscated preinstall scripts, meaning exposure occurred simply by installing or building the package, regardless of whether it was used in production.
The malware targeted sensitive credentials, including cloud provider keys, CI/CD tokens, and npm authentication details, while also attempting to propagate by republishing backdoored versions of other accessible packages using stolen publishing tokens.
Notably, the attack exploited GitHub Actions OIDC tokens, suggesting the compromise originated in the build pipeline rather than a developer’s personal account. This method subverted "trusted publishing," a security feature designed to replace long-lived npm tokens with short-lived, build-issued credentials. The incident highlights how pipeline breaches can undermine even hardened security controls.
By the time researchers analyzed the activity, Red Hat had released clean versions of all affected packages, and the malicious releases were removed from npm. However, any project that installed the compromised versions or ran an install before their removal remains at risk, as the payload executes during installation. Organizations affected were advised to treat systems as potentially compromised and rotate exposed credentials.
MAY 2026
736
APRIL 2026
736
MARCH 2026
753
Cyber Attack
14 Mar 2026 • Aikido Security
GitHub, Reworm, npm, Wasmer, anomalyco and VS Code Marketplace: Invisible malicious code attacks 151 GitHub repos and VS Code — Glassworm attack uses blockchain to steal tokens, credentials, and secrets
GitHub, npm, and VS Code Repositories Compromised by Glassworm’s Invisible Unicode Attack
735
CRITICAL-18
NPMGITCODAIKWAS1773555952
Researchers at Aikido Security uncovered a sophisticated campaign by the threat actor Glassworm, which compromised at least 151 GitHub repositories between March 3 and March 9 by embedding malicious payloads in invisible Unicode characters. The attack has since expanded to npm packages and the VS Code Marketplace, with additional infections detected as recently as March 12.
The technique exploits Unicode Private Use Area characters (ranges `0xFE00–0xFE0F` and `0xE0100–0xE01EF`), which appear as zero-width whitespace in code editors and terminals, effectively hiding malicious code in plain sight. A hidden decoder extracts these bytes and executes them via `eval()`, deploying a second-stage payload that has previously leveraged the Solana blockchain for command-and-control (C2) operations, enabling token theft, credential harvesting, and secret exfiltration.
Notable targets include repositories from Wasmer, Reworm, and anomalyco (developers of OpenCode and SST). The same attack pattern was found in two npm packages and one VS Code extension, suggesting broader infiltration. Aikido Security estimates the 151 identified repositories represent only a fraction of the total, as many were deleted before analysis.
Unlike previous attacks, this campaign employs subtle, context-aware modifications, such as version bumps and minor refactors, designed to blend seamlessly with legitimate code. The consistency across 151 distinct codebases suggests the use of large language models (LLMs) to automate the generation of plausible cover changes, making manual detection nearly impossible.
Glassworm has been active since at least March 2025, when Aikido first documented its Unicode-based attacks in malicious npm packages. By October 2025, the group had expanded to Open VSX and GitHub repositories, leveraging stolen credentials to propagate further. Earlier research by Koi Security revealed that decoded payloads deployed hidden VNC servers and SOCKS proxies for persistent remote access. The Solana-based C2 infrastructure complicates mitigation, as blockchain transactions are immutable.
The attack’s sophistication, combining invisible code injection, AI-generated camouflage, and decentralized C2, poses a significant challenge for traditional security measures, particularly visual code reviews. Automated tooling capable of detecting zero-width Unicode characters is now critical for defense.
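A small scanner for the two code-point ranges named above, as an added example (not code from Aikido Security or from this page). Unicode assigns both ranges to its variation-selector blocks, so a single selector after an emoji is normal; the `MIN_RUN` threshold, the function names and the sample input are assumptions constructed for illustration.

```javascript
// Added example: flags runs of invisible variation-selector code points.
// Ranges are the two given in the text above; MIN_RUN is an assumed threshold.
const RANGES = [[0xFE00, 0xFE0F], [0xE0100, 0xE01EF]];
const MIN_RUN = 4; // assumption: a lone selector after an emoji is legitimate

const isSelector = (cp) => RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);

function scanInvisible(source, minRun = MIN_RUN) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    let run = 0, startCol = 0, col = 0;
    const flush = () => {
      if (run >= minRun) findings.push({ line: idx + 1, column: startCol + 1, length: run });
      run = 0;
    };
    // for...of iterates by code point, so astral selectors count once each
    for (const ch of line) {
      if (isSelector(ch.codePointAt(0))) {
        if (run === 0) startCol = col;
        run++;
      } else {
        flush();
      }
      col += ch.length; // column in UTF-16 units, as most editors report it
    }
    flush();
  });
  return findings;
}

// Render findings in the file:line:column form most CI annotations accept.
function formatFindings(findings, file) {
  return findings.map((f) => `${file}:${f.line}:${f.column} ${f.length} invisible code points`);
}

// Constructed sample: line 1 has a legitimate emoji followed by one U+FE0F,
// line 2 carries 12 hidden selectors inside an innocuous-looking string.
const hidden = Array.from({ length: 12 }, (_, i) =>
  String.fromCodePoint(i % 2 ? 0xFE00 + i : 0xE0100 + i)).join("");
const sample = [
  'const label = "ok \u2764\uFE0F";',
  `const s = v("${hidden}");`,
  "module.exports = { label };",
].join("\n");

console.log(formatFindings(scanInvisible(sample), "sample.js"));
```

Run as a pre-commit or CI step over changed files; lowering `minRun` to 1 also reports ordinary emoji selectors, which is useful for triage but noisy.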
FEBRUARY 2026
753
JANUARY 2026
753
DECEMBER 2025
753
NOVEMBER 2025
753
OCTOBER 2025
753
SEPTEMBER 2025
753
AUGUST 2025
753
JULY 2025
753