Red Hat's official NPM channel compromised, dozens backdoored
Original: Dozens of Red Hat packages backdoored through its official NPM channel
Why This Matters
Major supply-chain attack targeting trusted enterprise packages highlights growing security risks
Security researchers discovered that over 30 Red Hat packages on NPM were compromised with malware called Shai-Hulud. The attack began Monday through the @redhat-cloud-services channel, stealing credentials and spreading to other systems during package installation.
Threat actors compromised Red Hat's official @redhat-cloud-services NPM namespace and injected malicious code into over 30 packages. The malware, identified as the Shai-Hulud worm, executes during the npm install process, before developers actually use the packages. Security firm Aikido reported the attack was still active at the time of publication.

The payload steals GitHub Actions secrets, npm tokens, Kubernetes credentials, and other cloud service data. Socket researchers noted the worm encrypts stolen credentials and transmits them via web requests, falling back to publishing them to compromised GitHub repositories.

Shai-Hulud was previously released as open-source malware by the TeamPCP group, which promoted a $1,000 competition for the largest supply-chain attacks. Most affected packages were removed following discovery, but organizations should treat any systems that installed these packages as potentially compromised.
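The execution vector described above is npm's install-time lifecycle scripts (preinstall, install, postinstall), which run automatically when a dependency is installed. The following is an added example, not code from the report or from the vendors it cites: a Python audit that walks a project's node_modules tree, lists every package declaring such a hook (optionally restricted to one scope, such as @redhat-cloud-services), and checks whether an .npmrc sets the real npm option ignore-scripts=true, which prevents npm from running those hooks at all. The package names and hook commands in the sample tree are constructed placeholders; they are not the packages or payload from the incident.

```python
"""Audit an npm install tree for packages that run code at install time.

Added example; package names and script commands below are constructed
placeholders, not indicators from the Shai-Hulud report.
"""
import json
import tempfile
from pathlib import Path

# Lifecycle scripts npm runs automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules, scope=None):
    """Return packages under node_modules that declare install-time scripts.

    scope: optional npm scope such as "@redhat-cloud-services"; when given,
    only packages whose name starts with that scope are reported.
    """
    node_modules = Path(node_modules)
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: not a usable package manifest
        name = data.get("name")
        if not isinstance(name, str):
            continue
        if scope and not name.startswith(scope + "/"):
            continue
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings.append({
                "name": name,
                "version": data.get("version", "?"),
                "path": pkg_json.parent.relative_to(node_modules).as_posix(),
                "hooks": hooks,
            })
    return findings


def npmrc_ignores_scripts(npmrc_text):
    """True if the .npmrc content sets ignore-scripts=true.

    .npmrc is ini-style: '#' and ';' start comments, last assignment wins.
    With ignore-scripts=true npm skips lifecycle scripts, so an install-time
    hook never executes.
    """
    result = False
    for line in npmrc_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ignore-scripts":
            result = value.strip().lower() == "true"
    return result


# Constructed sample tree (placeholder names, not the packages from the report).
SAMPLE_PACKAGES = {
    "@example-scope/clean": {"version": "1.0.0",
                             "scripts": {"test": "node test.js"}},
    "@example-scope/hooked": {"version": "2.3.1",
                              "scripts": {"postinstall": "node setup.js"}},
    "plain-lib": {"version": "0.1.0",
                  "scripts": {"preinstall": "node check.js", "build": "tsc"}},
}


def build_sample_tree(root):
    """Write SAMPLE_PACKAGES into root/node_modules using npm's on-disk layout."""
    node_modules = Path(root) / "node_modules"
    for name, manifest in SAMPLE_PACKAGES.items():
        pkg_dir = node_modules.joinpath(*name.split("/"))  # scoped -> @scope/name
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(
            json.dumps({"name": name, **manifest}), encoding="utf-8")
    return node_modules


def demo(scope=None):
    """Build the sample tree in a temp dir and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_hooks(build_sample_tree(tmp), scope=scope)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['name']}@{finding['version']} ({finding['path']}): "
              f"{finding['hooks']}")
    print("ignore-scripts set:", npmrc_ignores_scripts("ignore-scripts=true\n"))
```

Run it against a real checkout with find_install_hooks(Path("node_modules"), scope="@redhat-cloud-services") after npm ci; every hit is a package whose script runs with the installing user's credentials and CI secrets in the environment, which is exactly what the report says the worm collects. Setting ignore-scripts=true in CI and reviewing the listed hooks manually removes that execution path for dependencies, at the cost of breaking packages that legitimately need a native build step.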