ZDNET's key takeaways
Red Hat was the victim of an npm security breach.
The company has removed the affected packages.
Check whether you use the @redhat-cloud-services npm namespace.
The npm registry -- the package manager for the Node.js JavaScript runtime -- is infamous for security breaches. Now Red Hat, which with IBM just announced Project Lightwell, an AI-powered initiative to find and fix open-source software vulnerabilities, has an npm problem of its own.
Dozens of JavaScript packages in the company's @redhat-cloud-services namespace were backdoored with credential-stealing malware targeting secrets in Red Hat developers' and continuous integration and continuous deployment (CI/CD) systems. The security research company Aikido reported that the namespace was "compromised with a credential-stealing worm. In total, 96 versions across 32 packages have been compromised, cumulatively downloaded 116,991 times per week."