Supply Chain Attack Hits 32 Red Hat NPM Packages

On Monday, hackers hit Red Hat’s NPM repository in a new supply chain attack, publishing malicious versions of 32 packages to distribute a credential-stealing worm.

Within a 72-second window, the threat actor published poisoned iterations across all 32 packages, likely using automation, ReversingLabs notes.

The affected packages cover the entire Red Hat Hybrid Cloud Console JavaScript ecosystem and have nearly 10 million collective downloads.

According to Aikido, the attackers likely compromised the CI/CD pipeline and used the GitHub Actions OIDC to publish the malicious package versions. ReversingLabs believes that the hackers had access to @redhat-cloud-services NPM scope credentials.

The packages contained a preinstall hook that led to the execution of malware during NPM install, before the package is imported or used.