Red Hat has confirmed a supply chain attack targeting its NPM package ecosystem, with threat actors successfully compromising 32 packages and releasing 96 malicious versions. The attack injected credential-stealing malware resembling the Mini Shai-Hulud worm into legitimate Red Hat-maintained packages distributed through the NPM registry.
Supply chain attacks on open-source package repositories have become increasingly common as attackers recognize the potential to compromise thousands of downstream users through a single malicious package. NPM, the JavaScript package manager used by millions of developers worldwide, has been a frequent target due to its central role in modern web development workflows. Red Hat's packages are widely trusted in enterprise environments, making this compromise particularly concerning.
The malicious code embedded in the compromised packages functions as a credential-harvesting worm, similar in behavior to the Mini Shai-Hulud malware family. Once installed, the malware attempts to steal authentication credentials and other sensitive information from infected development environments and production systems. The worm-like characteristics suggest the malware may also attempt to propagate to other systems or repositories accessible from the compromised environment.
The impact of this attack extends to any organization or developer who downloaded and installed the affected package versions during the compromise window. Development environments, build pipelines, and production systems that incorporated these malicious packages are potentially exposed. The use of Red Hat branding likely increased the attack's success rate, as developers typically trust packages from established vendors.
Organizations should immediately inventory their NPM dependencies to identify any affected Red Hat packages. Security teams should assume credential compromise on systems where malicious versions were installed and initiate credential rotation procedures. Developers should update to verified clean versions of affected packages, scan systems for indicators of compromise, and review access logs for suspicious activity. Red Hat has not yet published a complete list of affected package names and versions, so monitoring official security advisories is critical.
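The first step in that response, inventorying NPM dependencies against the vendor's advisory, can be automated against the project's lockfile. The following Node.js script is an added example, not code from the article, SecurityWeek or Red Hat: it reads an npm `package-lock.json` (lockfile v2/v3, which records every installed package under the `packages` map, including nested copies) and reports every occurrence of an advisory-listed package, marking the ones whose installed version is in the malicious set. Because the article notes that Red Hat had not yet published the affected package names and versions, the `ADVISORY` table below uses constructed placeholder names and versions that must be replaced with the entries from the official advisory once it is available.

```javascript
// Added example (not from the article or from Red Hat): scan an npm lockfile for
// dependency versions named in a vendor advisory. Works offline on a constructed
// sample lockfile when no path is given.

// CONSTRUCTED placeholder advisory: package name -> Set of malicious versions.
// Replace with the real package names/versions from the official advisory.
const ADVISORY = {
  "@example-vendor/pkg-a": new Set(["1.4.2", "1.4.3"]),
  "@example-vendor/pkg-b": new Set(["0.9.1"]),
};

// Lockfile v2/v3 keys look like "node_modules/@scope/name" or, for nested
// installs, "node_modules/foo/node_modules/@scope/name". The package name is
// everything after the last "node_modules/" segment.
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every occurrence of an advisory-listed package in the lockfile, with
// `malicious` set when the installed version is one the advisory flags.
// Unaffected versions are still reported so the installed version can be
// checked against the vendor's list of verified clean releases.
function scanPackages(lockfile, advisory = ADVISORY) {
  const findings = [];
  const packages = lockfile.packages || {};
  for (const [lockPath, meta] of Object.entries(packages)) {
    if (lockPath === "") continue; // "" is the root project entry, not a dependency
    const name = nameFromLockPath(lockPath);
    // hasOwnProperty rather than `in`: a package literally named "constructor"
    // would otherwise match Object.prototype and crash the scan.
    if (!Object.prototype.hasOwnProperty.call(advisory, name)) continue;
    const version = typeof meta.version === "string" ? meta.version : "unknown";
    findings.push({
      name,
      version,
      path: lockPath,
      malicious: advisory[name].has(version),
    });
  }
  return findings;
}

// Only the occurrences whose installed version is in the malicious set.
function findAffected(lockfile, advisory = ADVISORY) {
  return scanPackages(lockfile, advisory).filter((f) => f.malicious);
}

// Read and scan a package-lock.json from disk (fs is loaded lazily so the
// pure functions above stay usable without filesystem access).
function scanLockfile(file, advisory = ADVISORY) {
  const fs = require("fs");
  const lockfile = JSON.parse(fs.readFileSync(file, "utf8"));
  return scanPackages(lockfile, advisory);
}

// CONSTRUCTED sample lockfile fragment: one malicious top-level version, one
// clean top-level version, and one malicious copy nested under another package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@example-vendor/pkg-a": { version: "1.4.2" },
    "node_modules/@example-vendor/pkg-b": { version: "0.8.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/left-pad/node_modules/@example-vendor/pkg-b": { version: "0.9.1" },
  },
};

// Stand-alone usage: `node scan-lock.js [path/to/package-lock.json]`.
// Exits non-zero when a malicious version is present, so it can gate a CI job.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const findings = file ? scanLockfile(file) : scanPackages(SAMPLE_LOCK);
  for (const f of findings) {
    const tag = f.malicious ? "MALICIOUS" : "present  ";
    console.log(`${tag} ${f.name}@${f.version}  (${f.path})`);
  }
  const bad = findings.filter((f) => f.malicious).length;
  console.log(`${bad} malicious version(s) found`);
  if (bad > 0) process.exitCode = 1;
}
```

The scan walks the lockfile rather than `node_modules` on disk because the lockfile is what a build pipeline actually resolves and installs; nested copies matter because a transitive dependency can pull in a flagged version even when the top-level install is clean, which is exactly the case the third sample entry exercises. A non-zero exit is the hook for the "assume credential compromise and rotate" step: any hit should be treated as an incident on the host that ran `npm install`, not merely as a dependency to bump.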
Source: https://www.securityweek.com/supply-chain-attack-hits-32-red-hat-npm-packages/