
Red Hat's Official NPM Channel Compromised in Spreading Malware Attack


Official Red Hat accounts on the NPM software registry were compromised and used to distribute a malicious worm. The malware spreads from machine to machine, collecting sensitive credentials like GitHub secrets and cloud service tokens. Security researchers reported the attack was still active as of their latest analysis.

Facts First

  • A supply-chain attack compromised @redhat-cloud-services, a legitimate NPM channel for official Red Hat packages.
  • The malware is a worm that spreads automatically by republishing backdoored packages to other accounts.
  • Over 30 packages appear affected, executing an obfuscated payload during the 'npm install' process.
  • The worm collects sensitive credentials including GitHub action secrets, npm tokens, and cloud service material.
  • Most affected packages were taken down, but the attack was reported as still active at the time of discovery.

What Happened

Official Red Hat accounts on the NPM software repository were compromised and used to distribute malicious packages in a supply-chain attack. Security researchers at Aikido reported that the attack began on Monday and was still active at the time of their report. The threat actor took control of the @redhat-cloud-services account, a legitimate channel reserved for official Red Hat packages. More than 30 packages appear to be affected; each executes an obfuscated payload during the standard npm install process. Analysis by security firm Socket determined that the malware is a worm designed to collect sensitive credentials and to spread by republishing backdoored packages to any other accounts the infected device can access.

Why this Matters to You

If you use software that depends on NPM packages, particularly those from Red Hat's official channels, your development environment or infrastructure could be at risk. The malware is designed to steal the credentials you use for critical services such as GitHub, Kubernetes, and various cloud platforms, which could lead to further data breaches or system compromises. This type of supply-chain attack means you might install malicious code simply by running a routine update command, which highlights the need for heightened vigilance over software dependencies.

What's Next

Most, but not all, of the affected packages were taken down in the hours following the incident's discovery. The malware's design includes fallback mechanisms, such as publishing encrypted data to a compromised GitHub repository when it has obtained the necessary credentials, suggesting the attackers built resilience into their operation. Developers and organizations are likely to audit their systems and dependencies for signs of infection. Further analysis by security teams may reveal the full scope of the compromise and lead to updated detection rules.

Perspectives

Security researchers suggest the breach likely stemmed from compromised credentials, potentially via a prior supply-chain attack, and warn that any organization using the affected packages must consider their systems potentially compromised.

Technical analysts emphasize that the risk is tied to the installation phase, noting that 'exposure depends on installation or CI execution, not runtime use' because the payload triggers during the npm install process.
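Because the payload runs at install time rather than at runtime, a defender's first question is which dependencies npm will execute scripts for at all. The following Node.js script is an added example, not code from the article or from Red Hat, Aikido or Socket: it reads an npm lockfile (v2/v3 format, where npm marks packages that declare preinstall/install/postinstall scripts with `hasInstallScript`) and flags every dependency that either runs install scripts or belongs to the compromised scope. The sample lockfile and the package names under @redhat-cloud-services are constructed placeholders, not the real affected packages.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2 or 3) for
// dependencies that run install-time lifecycle scripts, and flag any in a
// scope the article names as compromised. Not the article's or project's code.

const SUSPECT_SCOPES = ['@redhat-cloud-services']; // scope named in the article

// Returns one finding per dependency that deserves review: anything npm would
// run scripts for at install time, plus anything in a suspect scope even if it
// declares no scripts (it may still have been republished by the worm).
function auditLockfile(lock, suspectScopes = SUSPECT_SCOPES) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    // The package name is whatever follows the last "node_modules/" segment,
    // which also handles nested installs like node_modules/a/node_modules/b.
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    const inSuspectScope = scope !== null && suspectScopes.includes(scope);
    const hasInstallScript = Boolean(entry.hasInstallScript);
    if (hasInstallScript || inSuspectScope) {
      findings.push({
        name,
        version: entry.version,
        hasInstallScript,
        inSuspectScope,
        // Install-time code from the compromised scope is the worst case.
        severity: hasInstallScript && inSuspectScope ? 'high' : 'review',
      });
    }
  }
  return findings;
}

// Constructed sample lockfile for demonstration; versions and package names
// under the suspect scope are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/esbuild': { version: '0.21.0', hasInstallScript: true },
    'node_modules/@redhat-cloud-services/example-lib': { version: '9.9.9', hasInstallScript: true },
    'node_modules/@redhat-cloud-services/other-lib': { version: '1.2.3' },
  },
};

for (const finding of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${finding.severity.padEnd(6)} ${finding.name}@${finding.version}`);
}
```

In a real project, load `package-lock.json` with `JSON.parse(fs.readFileSync(...))` in place of `SAMPLE_LOCK`; running `npm ci --ignore-scripts` while the audit is pending prevents any flagged package from executing during installation.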