
Major npm Supply Chain Attack: Hackers Infect Red Hat Packages, Steal Developer Keys

Nana K.
2 June 2026

We explain the crypto criminals’ new scheme and how to protect yourself and your cryptocurrencies from this attack.

Researchers from SlowMist and MistEye have discovered an active supply chain attack on Red Hat packages. Attackers compromised more than 31 npm packages from the Red Hat Cloud Services line, which collectively are downloaded over 116,000 times per week.


Contents
  1. Scale and Consequences of the Attack
  2. Danger for Crypto and Web3
  3. Protection Recommendations

Scale and Consequences of the Attack

According to specialists, the attack has already affected more than 300 GitHub repositories. The malicious code steals a wide range of sensitive data, including:

  • GitHub and npm tokens
  • Cloud credentials (AWS, GCP, Azure)
  • SSH keys and Kubernetes secrets
  • Crypto wallet data and local environment information

Analysts note strong similarities to the previous large-scale Shai-Hulud campaign. Hackers create fake repositories, automatically exfiltrate stolen secrets, and continue distributing infected packages.


Danger for Crypto and Web3

Such supply chain attacks are particularly dangerous for the crypto industry. Malicious code can secretly enter applications, crypto wallets, exchanges, DeFi protocols, and Web3 services through routine dependency updates. Developers using infected Red Hat packages risk leaking private keys, tokens, and cloud access credentials.

Red Hat is one of the world’s largest developers of enterprise open-source software. Compromising its packages creates risks for thousands of projects and companies worldwide.

Protection Recommendations

Experts recommend taking the following steps immediately:

  • Remove or downgrade all affected Red Hat Cloud Services packages
  • Audit CI/CD pipelines and dependencies
  • Rotate all GitHub, npm, cloud, SSH, and wallet secrets
  • Rebuild compromised machines and runners from clean images
  • Preserve logs for further investigation
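
One way to carry out the dependency audit recommended above, as an added example that is not from the article, SlowMist or Red Hat: it walks a parsed package-lock.json (old and new lockfile layouts) and reports every direct or transitive entry that matches an advisory list. The names and versions in `AFFECTED` and `SAMPLE_LOCK` are constructed placeholders, because the article lists no package names or versions; take the real ones from the vendor advisory.

```javascript
// Constructed placeholder list: the article names no packages or versions.
// Fill it from the vendor advisory; '*' means every version of that name.
const AFFECTED = {
  '@example-scope/placeholder-pkg': ['1.2.3'],
  'placeholder-lib': ['*'],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}

function isAffected(name, version, affected) {
  const bad = affected[name];
  return Boolean(bad) && (bad.includes('*') || bad.includes(version));
}
// Returns [{name, version, path}], transitive dependencies included.
function auditLock(lock, affected = AFFECTED) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === '') continue; // the root project itself
    const name = meta.name || nameFromPath(p);
    if (isAffected(name, meta.version, affected)) hits.push({ name, version: meta.version, path: p });
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail} > ${name}`;
      if (isAffected(name, meta.version, affected)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path);
    }
  };
  if (!lock.packages) walk(lock.dependencies, 'root');
  return hits;
}

// Constructed sample lockfile (v3 layout) so the block runs offline.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/@example-scope/placeholder-pkg': { version: '1.2.3' },
    'node_modules/left/node_modules/placeholder-lib': { version: '4.0.0' },
    'node_modules/other/node_modules/@example-scope/placeholder-pkg': { version: '1.2.2' },
  },
};
for (const h of auditLock(SAMPLE_LOCK)) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLock`, and repeat the check for every repository and CI runner that installs dependencies.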

SlowMist warns that the attack is still active—new suspicious repositories continue to appear.

This is not the first major supply chain attack of 2026. Earlier, similar campaigns, including TrapDoor, targeted crypto and AI project developers. The incident highlights the growing threat that dependencies pose in the npm ecosystem and the need for heightened caution when using third-party libraries.
