Skip to content

Red Hat npm Packages Compromised in Supply Chain Attack to Steal Developer Credentials

A supply chain attack has compromised over 30 npm packages under Red Hat’s ‘@redhat-cloud-services’ namespace, distributing a new variant of the Shai-Hulud credential-stealing malware dubbed ‘Miasma.’

According to security firms Aikido and OX Security, dozens of package versions were backdoored with malware designed to steal developer credentials, cloud secrets, SSH keys, CI/CD tokens, and other sensitive information. The compromised packages receive roughly 117,000 weekly downloads.

In a statement shared with BleepingComputer, Red Hat said it removed the affected packages after becoming aware of the incident and that the compromise was limited to internal development tooling.

“Red Hat is aware of security reports regarding certain npm packages within our development tooling ecosystem. We immediately initiated an investigation and removed the packages from the npm registry,” Red Hat told BleepingComputer.

“The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system. While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems.”

Attackers Compromised a Red Hat Employee's GitHub Account

According to Aikido, the attackers allegedly compromised a Red Hat employee’s GitHub account and used it to push malicious commits directly to multiple repositories. Those commits added a GitHub Actions workflow and a script that abused npm’s publishing mechanism to release backdoored packages.

“When the workflow runs, it installs Bun and executes _index.js, passing it a list of target packages via the OIDC_PACKAGES environment variable,” explains Aikido. “The script uses the id-token: write permission to request a short-lived OIDC token from GitHub, then uses that token to authenticate directly with npm’s trusted publishing endpoint and publish backdoored versions of every package in the list.”

Miasma Malware Steals Sensitive Information

These compromised packages contained a malicious ‘preinstall script that automatically executed a heavily obfuscated malicious index.js file when developers installed the packages. According to Aikido, the ‘index.js’ payload was approximately 4.2 MB in size, and is used to steal GitHub Actions secrets, AWS credentials, Google Cloud credentials, Azure service principal credentials, HashiCorp Vault tokens, Kubernetes service account tokens, npm and PyPI publishing tokens, SSH keys, Docker credentials, GPG keys, and `.env` files.

Investigation Ongoing

Organizations that installed any affected versions are advised to rotate all credentials, secrets, and tokens utilized by code on the infected device immediately. The investigation is ongoing, but Red Hat has not identified any impact to customer or partner environments or Red Hat production systems.

Miasma Appears to be a New Shai-Hulud Variant

Miasma appears to be a new variant of the Shai-Hulud malware, which has been used in numerous supply chain attacks over the past couple of months. The TeamPCP threat group publicly released the source code for its Mini Shai-Hulud malware framework in May, making the malware available to other threat actors.

Conclusion

The compromise of Red Hat npm packages is a significant security incident that highlights the importance of supply chain security and the need for organizations to regularly monitor their dependencies. Developers should be cautious when installing packages from untrusted sources and ensure they are using secure development practices.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *