
What NPM supply chain attack targets Red Hat?

Compromised Red Hat npm packages spread a credential-stealing worm

Security researchers reported that dozens of Red Hat-related npm packages were compromised and used to distribute malware. The attack involved malicious packages shipped through the npm ecosystem; these packages were designed to compromise developer and build environments by harvesting sensitive credentials.

According to the coverage, more than 30 official @redhat-cloud-services npm packages were found carrying malicious code, and the campaign appears tied to a worm-like mechanism. The malware focuses on credential theft aimed at common automation and cloud-development tooling, specifically the secrets used with systems such as GitHub Actions and major cloud providers (AWS and others). Once the worm-like component lands, it can move laterally across systems where the compromised packages are installed and executed.

Why this matters

  • Build and DevSecOps pipelines are an increasingly common attack surface. npm packages are widely pulled into CI/CD and local development workflows.
  • Credential theft enables follow-on attacks. Stolen tokens or keys can be used to impersonate users, access cloud resources, or tamper with deployments.
  • “Official” package namespaces increase blast radius. When the packages appear to come from trusted maintainers, organizations may install them with less scrutiny.

The report also suggests the supply-chain incident is not just a one-off package replacement: it behaves like a propagation attempt (hence the "worm" framing), which raises the urgency of incident response, namely auditing installed package versions, revoking affected credentials, and checking for downstream compromise.
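The first response step named above, auditing package versions, is easy to script against a project's lockfile. The following is an added example, not code from the article or from Red Hat: it walks a `package-lock.json` (lockfile version 1, 2 or 3 layout), lists every package installed under a given npm scope with its resolved version, and flags entries whose version is not on an allowlist or that carry an install script (npm records this as `hasInstallScript`). The embedded lockfile and the known-good version table are constructed placeholders; the real affected versions must come from the maintainer's advisory.

```python
"""Audit a package-lock.json for packages under one npm scope.

Added example (not from the original article). The sample lockfile and the
KNOWN_GOOD table are constructed placeholders, not data from the incident.
"""
import json
import sys

SCOPE = "@redhat-cloud-services"

# Constructed sample lockfile in the lockfileVersion 3 layout.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@redhat-cloud-services/frontend-components": {
            "version": "4.2.0",
            "hasInstallScript": True,   # npm sets this when install hooks exist
        },
        "node_modules/@redhat-cloud-services/types": {"version": "1.0.3"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

# Placeholder allowlist: package name -> versions confirmed clean by the
# maintainer's advisory. Replace with the real list before use.
KNOWN_GOOD = {
    "@redhat-cloud-services/frontend-components": {"4.1.9"},
    "@redhat-cloud-services/types": {"1.0.3"},
}


def _name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def find_scoped_packages(lock_text, scope):
    """Return every installed package under `scope` with its version."""
    lock = json.loads(lock_text)
    prefix = scope + "/"
    found = []

    packages = lock.get("packages")
    if packages is not None:                      # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if not path:
                continue                          # "" is the root project
            name = _name_from_path(path)
            if name.startswith(prefix):
                found.append({
                    "name": name,
                    "version": meta.get("version"),
                    "path": path,
                    "has_install_script": bool(meta.get("hasInstallScript")),
                })
    else:                                         # lockfileVersion 1: nested tree
        def walk(deps, parent):
            for name, meta in deps.items():
                path = parent + "node_modules/" + name
                if name.startswith(prefix):
                    found.append({
                        "name": name,
                        "version": meta.get("version"),
                        "path": path,
                        "has_install_script": False,  # v1 lockfiles lack the field
                    })
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")

    return sorted(found, key=lambda p: p["path"])


def triage(packages, known_good):
    """Attach a list of reasons to each package that deserves a closer look."""
    findings = []
    for pkg in packages:
        reasons = []
        if pkg["version"] not in known_good.get(pkg["name"], set()):
            reasons.append("version not on known-good list")
        if pkg["has_install_script"]:
            reasons.append("package declares an install script")
        if reasons:
            findings.append({**pkg, "reasons": reasons})
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    hits = find_scoped_packages(text, SCOPE)
    print(f"{len(hits)} package(s) under {SCOPE}:")
    for p in hits:
        print(f"  {p['name']}@{p['version']}  ({p['path']})")
    for f in triage(hits, KNOWN_GOOD):
        print(f"REVIEW {f['name']}@{f['version']}: " + "; ".join(f["reasons"]))
```

Run it with the path to a project's `package-lock.json` (or with no argument to use the embedded sample). The lockfile only records what was resolved at install time, so after the audit the corresponding `node_modules` tree and any CI caches should be compared against the same list, and any token the flagged packages could have read during `npm install` treated as exposed.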


Curated by Humans | Summarized by Machines