Red Hat removes tainted packages after software pipeline compromise | The Record from Recorded Future News
Alexander Martin
June 2nd, 2026

Red Hat pulled dozens of packages from its software distribution pipeline on Monday after attackers used a compromised GitHub account to distribute credential-stealing malware to developers.

According to the company’s own preliminary analysis, a compromised GitHub account was used to push the malicious code out to customers, hitting 32 packages downloaded roughly 117,000 times a week.

Red Hat said it had since removed the affected packages and that “based on current findings, no actions from customers are required.”

The attack used a variant of the Mini Shai-Hulud self-propagating worm whose complete source code was published online May 12 by a cybercriminal group tracked as TeamPCP. As cybersecurity company Tenable noted, the criminals “simultaneously announced a $1,000 contest on BreachForums for the largest supply chain attack using the code.”

Whether Monday's attack was carried out by TeamPCP itself or a separate actor using its published code could not be immediately determined, researchers said. Palo Alto Networks' Unit 42 warned that the open-sourcing of the worm's code had already spawned copycat activity, making definitive attribution harder, and that Mini Shai-Hulud “is no longer scoped to TeamPCP.”

The attack's malware, which its authors named Miasma, differed from the TeamPCP original only cosmetically, with references to the science-fiction series Dune replaced by Greek mythology while the underlying credential-stealing functionality remained intact.

Monday's attack is the latest in a cascading series of supply chain intrusions stretching back to September 2025 — when the original Shai-Hulud worm prompted a CISA advisory — that have struck some of the world's most widely used developer tools.

Recent incidents have included an attack in March on LiteLLM, which allowed the cybercriminals to breach several organizations including AI recruiting company Mercor. The attack on LiteLLM was followed by a separate wave of compromises attributed to North Korean hackers targeting the axios JavaScript library.

That campaign prompted Mandiant chief technology officer Charles Carmakal to warn “the secrets stolen over the past two weeks will enable more software supply chain attacks, software-as-a-service environment compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months.”

In May, GitHub confirmed it had been breached by TeamPCP after an employee's device was compromised via a malicious Visual Studio Code extension, with the group demanding $50,000 for stolen source code and threatening to leak it for free if no buyer came forward.

OpenAI had also warned that two of its employee devices had been compromised in the same wave, following a supply chain attack on the open-source library TanStack.

Speaking at the time of the LiteLLM compromise, Adam Reynolds, senior security researcher at Sonatype, warned that because “the malware targets such a broad range of credentials … this creates the potential for second- and third-order effects that may ripple outward over time, leading to further breaches, service disruptions, or misuse of sensitive data well beyond the initial point of compromise.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79