Red Hat hit by npm supply‑chain attack - here's how to stay safe

Source: Latest news

Red Hat was hit by an npm supply-chain attack that backdoored dozens of packages in the @redhat-cloud-services namespace. Aikido reported 96 compromised versions across 32 packages, cumulatively downloaded 116,991 times per week. The company has removed the affected packages; users should check whether they use the @redhat-cloud-services namespace.

The malware was added via npm preinstall hooks, so running "npm install" for an affected package automatically executed the malicious code. Microsoft threat intelligence says each compromised package ran a heavily obfuscated index.js loader that pulled a payload designed to steal secrets from npm, GitHub, AWS, SSH and other environments.
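An added example (not from the article, Red Hat, Aikido or Microsoft) of the check described above: it scans a parsed package-lock.json for packages in the @redhat-cloud-services scope and reports whether each one declares install scripts, using the lockfile's `hasInstallScript` flag. The sample lockfile and its package names are constructed; the article lists no affected versions, so none are matched.

```javascript
const SCOPE = "@redhat-cloud-services";

// Lockfile v2/v3: flat "packages" map keyed by install path; nested installs
// look like "node_modules/a/node_modules/@scope/name".
function fromPackagesMap(packages, scope) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!name.startsWith(scope + "/")) continue; // "/" rejects lookalike scopes
    // npm sets hasInstallScript for preinstall, install or postinstall scripts.
    hits.push({ name, version: meta.version, path,
                hasInstallScript: meta.hasInstallScript === true });
  }
  return hits;
}

// Lockfile v1: nested "dependencies" tree; it carries no install-script flag.
function fromDependencyTree(deps, scope, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const chain = [...trail, name];
    if (name.startsWith(scope + "/")) {
      hits.push({ name, version: meta.version, path: chain.join(" > "),
                  hasInstallScript: null });
    }
    hits.push(...fromDependencyTree(meta.dependencies, scope, chain));
  }
  return hits;
}

function findScopedPackages(lock, scope = SCOPE) {
  return lock.packages ? fromPackagesMap(lock.packages, scope)
                       : fromDependencyTree(lock.dependencies, scope);
}

// Constructed sample lockfile; every package name here is hypothetical.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/plain-dep": { version: "1.3.0" },
  "node_modules/@redhat-cloud-services/example-a": { version: "0.0.1", hasInstallScript: true },
  "node_modules/some-lib/node_modules/@redhat-cloud-services/example-b": { version: "0.0.2" },
  "node_modules/@redhat-cloud-services-lookalike/example-c": { version: "9.9.9", hasInstallScript: true },
} };

// Scan the lockfile given as argv[2] (Node, CommonJS), else the sample.
const arg = process.argv[2];
const lock = arg && arg.endsWith(".json") && typeof require !== "undefined"
  ? JSON.parse(require("fs").readFileSync(arg, "utf8")) : SAMPLE_LOCK;
for (const h of findScopedPackages(lock)) console.log(h);
```

Run it as `node scan.js path/to/package-lock.json`, where `scan.js` is a hypothetical file name. A hit with `hasInstallScript: true` means an install of that lockfile would run the package's lifecycle scripts unless scripts are disabled, for example with `npm install --ignore-scripts`.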

Researchers linked the campaign to the Mini Shai-Hulud worm; the Red Hat cases used a variant called Miasma that republished packages the infected user could publish, rapidly spreading the compromise.
