
Red Hat NPM channel hit by backdoored packages

Summary

– Official Red Hat NPM accounts were compromised to push a worm that steals credentials and spreads between machines.
– The attacker took control of the @redhat-cloud-services namespace, a trusted channel for Red Hat packages.
– The worm executes an obfuscated payload during npm install, collecting GitHub secrets, npm tokens, and cloud credentials.
– It spreads by republishing backdoored packages to third-party accounts accessible from infected systems.
– Affected systems are considered compromised; the malware encrypts stolen credentials and sends them via web requests or to a compromised GitHub repository.

Official Red Hat NPM accounts were breached and weaponized to distribute a self-replicating worm that steals sensitive credentials as it moves from one machine to another, according to security researchers.

The supply-chain attack began on Monday and remained active as of publication time, said researchers at Aikido. The breach gave the threat actor control over @redhat-cloud-services, a legitimate namespace in the NPM repository designated for official Red Hat packages. Because this channel is reserved for Red Hat, developers who rely on Red Hat cloud services widely trust it.

How exactly the attacker seized control of the namespace remains unclear, but the incident almost certainly involved compromised credentials, possibly stolen during a prior supply-chain attack. More than 30 packages appear to be affected.

The malicious packages contain an obfuscated payload that executes during the npm install process, before a developer imports or uses the package in a production environment. Security firm Socket analyzed the malware and found it is designed to harvest GitHub action secrets, npm tokens, Kubernetes and Vault credentials, and keys for other cloud services. The worm then spreads by republishing backdoored packages to third-party accounts that the infected device can access. Most, though not all, of the packages had been taken down within hours of the incident.

“Organizations should treat any system that installed one of the affected @redhat-cloud-services package versions as potentially compromised,” Socket researchers wrote. “The payload executes during npm install, before application code imports or uses the package, so exposure depends on installation or CI execution, not runtime use.”

Once a system is infected, the malware encrypts the stolen credentials and exfiltrates them via a web request. A fallback mechanism allows the malware to publish the encrypted data into a compromised GitHub repository, provided it has the appropriate credentials.
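Because exposure hinges on whether `npm install` ran a package from the hijacked scope (not on whether application code ever imported it), a first triage step is to list every `@redhat-cloud-services` entry in a project's lockfile and note which ones could have executed install-time scripts. The script below is an added example, not code from the article or from Red Hat, Aikido or Socket; the package names, versions and manifests it scans are constructed placeholders, not the actual affected releases, which the article does not name.

```python
import json
# Lifecycle scripts npm runs automatically during `npm install`, the point at
# which the reported payload executes.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def find_scoped_packages(lockfile: dict, scope: str) -> list:
    """Return every package-lock.json (lockfileVersion 2/3) entry under `scope`."""
    hits = []
    for path, meta in lockfile.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        if name.startswith(scope + "/"):
            hits.append({"name": name, "path": path,
                         "version": meta.get("version"),
                         "hasInstallScript": meta.get("hasInstallScript", False)})
    return hits

def install_hooks(manifest: dict) -> list:
    """Lifecycle hooks declared in an installed package's package.json."""
    return [h for h in INSTALL_HOOKS if h in manifest.get("scripts", {})]

def triage(lockfile: dict, manifests: dict, scope: str) -> list:
    """Flag scoped packages for review when install-time execution was possible."""
    report = []
    for hit in find_scoped_packages(lockfile, scope):
        hooks = install_hooks(manifests.get(hit["name"], {}))
        hit["hooks"] = hooks
        hit["review"] = hit["hasInstallScript"] or bool(hooks)
        report.append(hit)
    return report

# Constructed sample data: placeholder package names and versions, not real releases.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "my-app"},
    "node_modules/some-dep": {"version": "1.0.0"},
    "node_modules/@redhat-cloud-services/example-pkg": {
      "version": "0.0.0-placeholder", "hasInstallScript": true},
    "node_modules/@redhat-cloud-services/other-pkg": {"version": "0.0.0-placeholder"}
  }
}""")
SAMPLE_MANIFESTS = {  # what node_modules/<name>/package.json would contain
    "@redhat-cloud-services/example-pkg": {"scripts": {"postinstall": "node setup.js"}},
    "@redhat-cloud-services/other-pkg": {"scripts": {"test": "jest"}},
}

if __name__ == "__main__":
    for row in triage(SAMPLE_LOCK, SAMPLE_MANIFESTS, "@redhat-cloud-services"):
        print(row)
```

Any flagged entry means the host and the CI runner that installed it should be handled as Socket advises, with the credentials those environments held rotated; setting `ignore-scripts=true` in `.npmrc` stops npm from running lifecycle scripts on future installs.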

(Source: Ars Technica)
