
Dozens of Red Hat packages backdoored through its official NPM channel

Why This Matters

The compromise of Red Hat's official NPM packages highlights the growing threat of supply-chain attacks, where trusted repositories are exploited to distribute malware. This incident underscores the importance for organizations to scrutinize their dependencies and implement robust security measures to prevent widespread breaches. As attackers increasingly target trusted sources, both developers and consumers must remain vigilant to protect sensitive data and maintain trust in software supply chains.

Key Takeaways

Official Red Hat NPM accounts have been compromised and used to push a malicious worm that spreads from machine to machine, harvesting sensitive credentials along the way that can be used to steal yet more confidential data, researchers said.

The supply-chain attack began Monday and remained active at the time this post went live, according to researchers at security firm Aikido. It’s the result of the threat actor responsible for the hack taking control of @redhat-cloud-services, a legitimate channel in the npm repository that’s reserved for official Red Hat packages. As such, the channel is widely trusted by developers who rely on Red Hat cloud services.

The vicious cycle of today’s supply-chain attacks

It’s unclear precisely how the threat actor took control of the namespace, but it almost certainly involved the compromise of the credentials required to access it, possibly through a previous supply-chain attack. More than 30 packages appear to be affected.

The packages execute an obfuscated payload that can run during the npm install process, which occurs before a developer imports or actually uses the package in a production environment. Security firm Socket said an analysis of the malware revealed that it’s designed to collect sensitive credentials, including GitHub action secrets, npm tokens, Kubernetes and Vault material, and credentials for other cloud services. The worm then spreads by republishing backdoored packages to third-party accounts the infected device has access to. Most, but not all, of the packages had been taken down in the hours following the incident.

“Organizations should treat any system that installed one of the affected @redhat-cloud-services package versions as potentially compromised,” Socket researchers wrote. “The payload executes during npm install, before application code imports or uses the package, so exposure depends on installation or CI execution, not runtime use.”

Once a system is infected, the malware encrypts the harvested credentials and sends them out in a web request. A fallback mechanism allows it to publish the encrypted data to a compromised GitHub repository, assuming it has obtained the credentials for that repository.