عاجل
TREkrem İmamoğlu davasında mütalaa: Tutukluluk halinin devamı istendiRUУгроза беспилотников отменена в Ленинградской областиGLOBALBelgium to Appeal FIFA's Decision to Allow Balogun to Play Against USMNTCN台北市消防局啟動防颱整備 因應強颱巴威來襲CN日本資深媒體人矢板明夫台中演講後遇襲 議員促警速辦CN資深媒體人矢板明夫演講後遭攻擊 嫌犯機場落網CN颱風巴威逼近 基隆市進入戒備狀態ARروسيا تشن هجوماً "واسعاً" على كييف.. وبريطانيا تشدد قواعد التبرعات السياسية.. وحرائق جنوب أوروباRUГлава Mitsubishi Heavy Industries: переоборудование автозаводов под дроны — растрата денегFRÉdouard Philippe lance sa campagne, le RN critique son bilanTREkrem İmamoğlu davasında mütalaa: Tutukluluk halinin devamı istendiRUУгроза беспилотников отменена в Ленинградской областиGLOBALBelgium to Appeal FIFA's Decision to Allow Balogun to Play Against USMNTCN台北市消防局啟動防颱整備 因應強颱巴威來襲CN日本資深媒體人矢板明夫台中演講後遇襲 議員促警速辦CN資深媒體人矢板明夫演講後遭攻擊 嫌犯機場落網CN颱風巴威逼近 基隆市進入戒備狀態ARروسيا تشن هجوماً "واسعاً" على كييف.. وبريطانيا تشدد قواعد التبرعات السياسية.. وحرائق جنوب أوروباRUГлава Mitsubishi Heavy Industries: переоборудование автозаводов под дроны — растрата денегFRÉdouard Philippe lance sa campagne, le RN critique son bilan
Newsgather
BackRed Hat NPM Accounts Compromised, Malicious Worm Steals Credentials
Red Hat NPM Accounts Compromised, Malicious Worm Steals Credentials
مُلِح
Ars Technica01.06.2026تقنية4 dk okumaUnited States

Red Hat NPM Accounts Compromised, Malicious Worm Steals Credentials

نظرة سريعة

  • Red Hat's official NPM accounts were compromised, allowing a malicious worm named Shai-Hulud to spread and steal sensitive credentials like GitHub secrets and npm tokens.
  • The attack targeted CI/CD systems, and while Red Hat claims no customer impact, researchers advise treating affected systems as compromised.

ملخص مُنشأ بالذكاء الاصطناعي

لماذا يهم

Official Red Hat NPM accounts were compromised, leading to the distribution of a malicious worm called Shai-Hulud. This worm spreads from machine to machine, pilfering sensitive credentials like GitHub action secrets, npm tokens, and Kubernetes material.

حجم الخط

Official Red Hat NPM accounts have been compromised and used to push a malicious worm that spreads from machine to machine, where it pilfers sensitive credentials in hopes of stealing yet more confidential data, researchers said.

The supply-chain attack began Monday and remained active at the time this post went live, according to researchers at security firm Aikido. It’s the result of the threat actor responsible for the hack taking control of @redhat-cloud-services, a legitimate channel in the npm repository that’s reserved for official Red Hat packages. As such, the channel is widely trusted by developers who rely on Red Hat cloud services.

The vicious cycle of today’s supply-chain attacks

It’s unclear precisely how the threat actor took control of the namespace, but it almost certainly involved the compromise of credentials required to access it, possibly through a previous supply-chain attack. More than 30 packages seem to be affected.

The packages execute an obfuscated payload that can run during the npm install process, which occurs before a developer imports or actually uses the package in a production environment. Security firm Socket said an analysis of the malware revealed that it’s designed to collect sensitive credentials, including GitHub action secrets, npm tokens, Kubernetes and Vault material, and credentials for other cloud services. The worm then spreads by republishing backdoored packages to third-party accounts the infected device has access to. Most, but not all, of the packages had been taken down in the hours following the incident.

“Organizations should treat any system that installed one of the affected @redhat-cloud-services package versions as potentially compromised,” Socket researchers wrote. “The payload executes during npm install, before application code imports or uses the package, so exposure depends on installation or CI execution, not runtime use.”

Once a system is infected, it encrypts the credentials and sends them through a web request. A fallback mechanism allows the malware to publish the encrypted data into a compromised GitHub repository, assuming it has possession of the credentials for it.

The worm, dubbed Shai-Hulud, has all the hallmarks of malware released last month as freely available open source. TeamPCP was the first group to use Shai-Hulud, and it promoted a competition that promised a $1,000 payment to the hacker who carried out the biggest supply-chain attack using the malware. TeamPCP has also been behind a rash of previous supply-chain attacks. Now that the worm is in the hands of many other threat groups, supply-chain attacks may ramp up further.

The malware devotes considerable attention to CI/CD (continuous integration/continuous delivery) systems, which allow for faster and more reliable software releases by automating the building, testing, and deploying of code changes. The malware spread in Monday’s attack was published through GitHub Actions OIDC (OpenID Connect), indicating that Red Hat’s CI/CD pipeline was compromised. OIDC is a security measure designed to interact with cloud services through the use of temporary credentials.

Once installed, the malware targets other organizations’ CI/CD credentials. The compromise of Red Hat’s GitHub Actions OIDC was very possibly the result of a previous supply-chain attack that infected an employee’s machine.

In an email sent after this post went live, Red Hat said it has removed the malicious packages.

“The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system,” the email said. “While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems.”

Given the success of other recent supply-chain attacks, anyone who touched one of the affected packages in the past 36 hours should assume compromise of their workstations, CI/CD pipelines, and all credentials for cloud services and repositories. That means employees should drop whatever they’re doing at the moment and investigate thoroughly.

In a recent supply-chain attack that hit Checkmarx, the security firm failed to fully drive out the party responsible. Checkmarx was then hit two more times. The Checkmarx credentials used in the first attack came from a supply chain attack on the Trivy software developer. The pivot to Checkmarx and its failure to fully remediate the initial breach demonstrates the difficulty of completely recovering from such security lapses and the risks that result.

Both Socket and Aikido have lists of affected Red Hat packages and other indicators of compromise that any potentially affected person or organization should make use of promptly.

Story updated to add Red Hat comment.

ما الذي يجب مراقبته

توقعات الذكاء الاصطناعي — احتمالات وليست حقائق

  • Ramp up in supply-chain attacks by various threat groups using the Shai-Hulud malware.

    مرجح · خلال أسابيع

  • Further investigation into the full scope of the breach and potential impact on Red Hat's systems and customers.

    مرجح جداً · خلال أسابيع

أسئلة مفتوحة

  • How exactly did the threat actor gain control of the Red Hat NPM namespace?
  • What is the full extent of the compromise beyond the 30+ affected packages?
  • What specific cloud services were targeted for credential theft?
  • Has TeamPCP directly orchestrated this attack, or are they merely the originators of the malware?

مواضيع ذات صلة

This article was originally published by Ars Technica.

أخبار ذات صلة

المزيد حول هذا الموضوعRed Hat