GoKawiilMore than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed "Miasma."
The incident was discovered by security firms Aikido and OX Security, which found dozens of package versions backdoored with malware designed to steal developer credentials, cloud secrets, SSH keys, CI/CD tokens, and other sensitive information.
According to Aikido, the compromised packages receive roughly 117,000 weekly downloads.
In a statement shared with BleepingComputer, Red Hat said it removed the affected packages after becoming aware of the incident and that the compromise was limited to internal development tooling.
"Red Hat is aware of security reports regarding certain npm packages within our development tooling ecosystem. We immediately initiated an investigation and removed the packages from the npm registry," Red Hat told BleepingComputer.
"The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system. While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems."
The company says it is continuing to investigate the incident, but did not answer our questions about how the account was compromised.
Red Hat packages backdoored through GitHub compromise
According to Aikido, the attackers allegedly compromised a Red Hat employee's GitHub account and used it to push malicious commits directly to multiple repositories.
Those commits added a GitHub Actions workflow and a script that abused npm's publishing mechanism to release backdoored packages.
... continue reading