Tuesday, June 2, 2026

Red Hat NPM Packages Compromised by Malware

A significant supply-chain attack has compromised Red Hat's official NPM channel, with malicious actors taking control of the @redhat-cloud-services namespace to distribute backdoored packages. The attack, which began on Monday and remained active at the time of reporting, affected more than 30 packages that developers widely trust for Red Hat cloud services integration.

The malware in question is a worm dubbed Shai-Hulud. It runs during the npm install process itself, before developers ever import or use the package in their production environments, so simply installing an affected package is enough to compromise a system. The worm's primary function is to harvest sensitive credentials, including GitHub Actions secrets, npm tokens, Kubernetes credentials, Vault credentials, and other cloud service authentication data. Once collected, these credentials are encrypted and exfiltrated through web requests, with a fallback mechanism that publishes the stolen data to compromised GitHub repositories.

What makes this attack particularly insidious is its self-propagating nature. After infecting a system, the worm spreads by republishing backdoored packages to third-party accounts that the infected device has access to, creating a vicious cycle of compromise. Security researchers believe the initial breach involved compromised credentials for Red Hat's CI/CD pipeline, specifically their GitHub Actions OIDC system, which may itself have resulted from a previous supply-chain attack on an employee's machine.

The malware is based on open-source code released last month by TeamPCP, a group known for previous supply-chain attacks. The group promoted a competition offering $1,000 to the hacker who executed the largest supply-chain attack using Shai-Hulud. Now that the worm is available to multiple threat groups, security experts anticipate an increase in similar attacks. Red Hat has since removed the malicious packages and stated that, while the packages were limited to internal development, its investigation is ongoing. Security firms Socket and Aikido have published lists of affected packages and indicators of compromise, urging any organisation or individual who installed these packages in the past 36 hours to assume their systems, CI/CD pipelines, and credentials have been compromised and to investigate immediately.

Original source: https://arstechnica.com/security/2026/06/dozens-of-red-hat-packages-backdoored-through-its-offical-npm-channel/

Article generated by LaRebelionBOT
