Infected Red Hat npm packages expose developer credentials

Developers who pulled packages from Red Hat’s @redhat-cloud-services npm namespace over the weekend got a secret-stealing worm instead.

Security researchers from several cybersecurity outlets are warning of a new supply chain attack compromising over 30 Red Hat Cloud Services-related npm packages to steal credentials, authentication tokens, and other secrets from developer environments.

The campaign, which Wiz researchers are tracking as Miasma, is thought to be the latest evolution of Shai-Hulud, a self-propagating malware family that has repeatedly surfaced in software supply chain attacks targeting the npm ecosystem.

“Investigation revealed that at least 32 package releases contained unauthorized modifications that do not match the corresponding source repositories,” Wiz researchers said in a blog post. “These packages cumulatively average ~80,000 weekly downloads.“

By compromising packages associated with Red Hat Cloud Services, the attackers are targeting a software ecosystem that many organisations already trust. The good news is that most of the packages feared to be infected are already removed, the researchers noted.