Dozens of Red Hat packages backdoored through its official NPM channel

The worm, dubbed Shai-Hulud, has all the hallmarks of malware released last month as freely available open source. TeamPCP was the first group to use Shai-Hulud, and it promoted a competition that promised a $1,000 payment to the hacker who carried out the biggest supply-chain attack using the malware. TeamPCP has also been behind a rash of previous supply-chain attacks. Now that the worm is in the hands of many other threat groups, supply-chain attacks may ramp up further.

The malware devotes considerable attention to CI/CD (continuous integration/continuous delivery) systems, which allow for faster and more reliable software releases by automating the building, testing, and deploying of code changes. The malware spread in Monday’s attack was published through GitHub Actions OIDC (OpenID Connect), indicating that Red Hat’s CI/CD pipeline was compromised. OIDC is a security measure designed to interact with cloud services through the use of temporary credentials.

Once installed, the malware targets other organizations’ CI/CD credentials. The compromise of Red Hat’s GitHub Actions OIDC was very possibly the result of a previous supply-chain attack that infected an employee’s machine.

In an email sent after this post went live, Red Hat said it has removed the malicious packages.