Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Supply Chain Security

Supply Chain Attack Hits 32 Red Hat NPM Packages

Hackers published 96 malicious package versions, injected with a credential-stealing worm similar to Mini Shai-Hulud.

Red Hat hacked

On Monday, hackers hit Red Hat’s NPM repository in a new supply chain attack, publishing malicious versions of 32 packages to distribute a credential-stealing worm.

Within a 72-second window, the threat actor published poisoned iterations across all 32 packages, likely using automation, ReversingLabs notes.

The affected packages cover the entire Red Hat Hybrid Cloud Console JavaScript ecosystem and have nearly 10 million collective downloads.

According to Aikido, the attackers likely compromised the CI/CD pipeline and used the GitHub Actions OIDC to publish the malicious package versions. ReversingLabs believes that the hackers had access to @redhat-cloud-services NPM scope credentials.

The packages contained a preinstall hook that led to the execution of malware during NPM install, before the package is imported or used.

The payload contains the string “Miasma: The Spreading Blight” and appears to be a variant of the Mini Shai-Hulud worm that TeamPCP used in several attacks against the open source software community over the past months.

Advertisement. Scroll to continue reading.

The hacking group released the malware’s source code last month, inviting miscreants to use it in supply chain attacks as part of a challenge.

According to Ox Security, the threat actor behind the Red Hat compromise infected a repository on May 29, likely to test its capabilities.

The malware was designed to harvest “GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, Git credentials, and other sensitive files,” Socket reports.

Like Mini Shai-Hulud, it exfiltrates the collected data to an attacker-controlled server and uses a GitHub-based fallback mechanism, publishing the stolen information to newly created public repositories.

While the full scope of infection is yet unknown, Ox identified 210 repositories containing stolen credentials, suggesting that at least as many developers were infected after downloading and installing the malicious Red Hat package versions.

The malware was also observed attempting to use stolen GitHub tokens to enumerate repositories. It contains a GitHub Actions workflow modification logic and can write malicious index.js payloads into repositories/actions.

Red Hat maintainers have published clean versions of all 32 affected packages, and the malicious iterations have been removed from NPM.

Users are advised to update to a clean release as soon as possible. Anyone who installed a malicious version should consider their system and build environment compromised and should immediately rotate credentials, tokens, API keys, and other sensitive information the malware might have accessed.

Developers are also advised to check transitive dependencies, as the packages are widely used as indirect libraries, and to monitor their environments for anomalous outbound connections.

Related: IBM and Red Hat Commit $5 Billion to Secure Open Source Supply Chains Under “Project Lightwell”

Related: ‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems

Related: Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack

Related: Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.