Dozens of Red Hat packages backdoored through its official NPM channel
Critical supply chain security incident requiring immediate action from developers using Red Hat packages.
A threat actor compromised Red Hat's official @redhat-cloud-services NPM namespace to push over 30 backdoored packages containing the Shai-Hulud worm, which executes during npm install to steal GitHub Actions secrets, npm tokens, Kubernetes/Vault credentials, and then spreads by republishing to other accounts. The attack leveraged compromised Red Hat GitHub Actions OIDC credentials from a prior supply-chain incident, and the worm is based on open-source malware previously released by TeamPCP.
- Audit all @redhat-cloud-services package dependencies, block npm install scripts from untrusted sources, and enforce strict OIDC credential rotation and CI/CD isolation.
This directly impacts your CI/CD pipeline security and dependency management practices, especially if your stack uses Red Hat cloud services or NPM for internal packages: your automated builds and developer machines are at risk because the payload executes during npm install.
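One way to start the dependency audit recommended above, as an added example that is not code from Red Hat or the original article: a function that walks a parsed `package-lock.json` and lists every installed package in the `@redhat-cloud-services` scope, noting whether npm recorded install scripts for it. The package names and versions in the sample are constructed placeholders, not names of affected packages.

```javascript
// Added example. Package names and versions below are constructed placeholders.
const SCOPE = "@redhat-cloud-services/";
const NM = "node_modules/";

// List every installed package in `scope` from a parsed package-lock.json.
// hasInstallScript: true/false for lockfile v2/v3, null for v1 (not recorded there).
function auditLockfile(lock, scope = SCOPE) {
  const findings = [];
  const record = (name, path, meta, hasScript) => {
    if (name.startsWith(scope)) {
      findings.push({ name, path, version: meta.version || null, hasInstallScript: hasScript });
    }
  };
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "" is the root project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const i = path.lastIndexOf(NM);
      const name = i >= 0 ? path.slice(i + NM.length) : meta.name || path;
      record(name, path, meta, meta.hasInstallScript === true);
    }
  } else {
    // v1: nested "dependencies" tree, walked recursively.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = prefix + NM + name;
        record(name, path, meta, null);
        walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Packages whose install-time scripts would run (or cannot be ruled out).
const needsReview = (findings) => findings.filter((f) => f.hasInstallScript !== false);

// Constructed sample lockfile (v3 shape) for illustration only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/example-a": { version: "1.2.3", hasInstallScript: true },
    "node_modules/left-lib": { version: "2.0.0", hasInstallScript: true },
    "node_modules/left-lib/node_modules/@redhat-cloud-services/example-b": { version: "0.9.0" },
  },
};

console.log(needsReview(auditLockfile(SAMPLE_LOCK)));
```

Feed it `JSON.parse` of your own lockfile and compare the reported versions against the vendor's advisory. To block install-time scripts while the audit is in progress, npm's `ignore-scripts` setting (for example `npm ci --ignore-scripts`) prevents lifecycle scripts from running.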
Dan Goodin — Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. A journalist with more than 25 years' experience, he has been chronicling the...