Red Hat, a leading provider of open-source solutions, recently faced a supply-chain attack in which more than 30 npm packages under the ‘@redhat-cloud-services’ namespace were compromised. The attack distributed a new variant of the Shai-Hulud credential-stealing malware known as “Miasma.”
Security firms Aikido and OX Security discovered the compromised packages, which contained malware designed to steal sensitive information such as developer credentials, cloud secrets, SSH keys, CI/CD tokens, and more. These compromised packages received approximately 117,000 weekly downloads.
Red Hat took immediate action upon discovering the incident, removing the affected packages from the npm registry. They clarified that the compromise was limited to internal development tooling and did not impact customer or partner environments.
The attackers allegedly compromised a Red Hat employee’s GitHub account to push malicious commits directly to multiple repositories. These commits added a GitHub Actions workflow and a script that abused npm’s publishing mechanism to release backdoored packages.
The compromised packages contained a malicious ‘preinstall’ script that automatically executed a heavily obfuscated malicious ‘index.js’ file when developers installed the packages.
Aikido reported that 32 packages and 96 package versions were affected by the compromise, including client libraries under the `@redhat-cloud-services` namespace. Organizations using any affected versions were advised to rotate all credentials, secrets, and tokens immediately.
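To check whether a project pulls in packages from this namespace, the lockfile can be audited directly. The sketch below is an added example, not code from Red Hat, Aikido or OX Security: it walks the `packages` map of an npm v2/v3 lockfile, including nested installs, and flags namespace packages that match an advisory list or carry an install script (`hasInstallScript`). The package names, versions and the `AFFECTED` list are constructed placeholders; the real affected versions must come from the vendors' published lists.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for one scope.
const NAMESPACE = "@redhat-cloud-services";

// Placeholder advisory data (constructed): replace with the published list.
const AFFECTED = {
  "@redhat-cloud-services/example-client": ["9.9.1", "9.9.2"],
};

// Constructed sample lockfile fragment, not real package data.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/example-client": {
      version: "9.9.2", hasInstallScript: true,
    },
    "node_modules/@redhat-cloud-services/example-utils": { version: "1.2.3" },
    "node_modules/foo/node_modules/@redhat-cloud-services/example-client": {
      version: "9.8.0",
    },
    "node_modules/left-pad": { version: "1.3.0", hasInstallScript: true },
  },
};

// Extract the package name from a lockfile key, handling nested installs.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Return one finding per package in the namespace, wherever it is installed.
function auditLockfile(lock, namespace = NAMESPACE, affected = AFFECTED) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !name.startsWith(namespace + "/")) continue;
    const listed = (affected[name] || []).includes(meta.version);
    const hasInstallScript = meta.hasInstallScript === true;
    const action = listed ? "rotate-credentials"
      : hasInstallScript ? "review-install-script" : "none";
    findings.push({ path: key, name, version: meta.version,
      listedInAdvisory: listed, hasInstallScript, action });
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK));
```

Installing with `npm ci --ignore-scripts` keeps lifecycle scripts such as `preinstall` from running while the dependency tree is being reviewed.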
Recent supply-chain attacks have utilized the Shai-Hulud malware to steal credentials and spread to various projects. The Red Hat compromise appears to be a new variant of Shai-Hulud named Miasma, as indicated by comments in compromised GitHub repositories.
The Miasma malware campaign, similar to TeamPCP’s Mini Shai-Hulud, features enhanced obfuscation layers, multi-stage payload delivery mechanisms, and advanced data theft and credential-harvesting capabilities. It has compromised 309 GitHub repositories as of now.
