• Multiple redhat-cloud-services npm packages compromised (StepSecurity

    From LWN.net@1337:1/100 to All on Mon Jun 1 15:15:06 2026
    Multiple redhat-cloud-services npm packages compromised (StepSecurity Blog)

    Date:
    Mon, 01 Jun 2026 14:05:04 +0000

    Description:
    StepSecurity is reporting that a number of npm packages in the
    @redhat-cloud-services scope include malware that runs automatically
    on every npm install:

        The payload is a multi-stage credential harvester that sweeps
        GitHub Actions secrets along with AWS, GCP, Azure, Kubernetes,
        HashiCorp Vault, npm, and CircleCI tokens, and it is purpose-built
        to evade detection, including an explicit attempt to bypass
        StepSecurity Harden-Runner. StepSecurity analyzed
        @redhat-cloud-services/host-inventory-client@5.0.3 in full. Its
        index.js, executed at install time, is 4.2 MB, a file that should
        weigh a few kilobytes, with the real payload buried under three
        separate layers of obfuscation. The malware is also a
        self-propagating worm: using stolen npm tokens and npm's
        bypass_2fa parameter, it republishes backdoored versions of other
        packages on its own, even against accounts protected by
        two-factor authentication, so every infected machine can seed the
        next wave with no attacker involvement. All affected packages
        were published via GitHub Actions OIDC from the
        RedHatInsights/javascript-clients repository, indicating the
        upstream CI/CD pipeline itself was compromised. Analysis of the
        remaining packages is ongoing.

    A blog post from SafeDep has additional analysis about the incident.
    We did not find an advisory from Red Hat on this yet.
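    The two traits the story calls out, a lifecycle script that runs on
    every npm install and an index.js far larger than a client library
    should need, are both visible in a checked-out node_modules tree
    before anything is executed. The following triage script is an added
    example written for this item; it is not code from StepSecurity,
    SafeDep, LWN or Red Hat. It walks a node_modules directory, reports
    every package declaring preinstall/install/postinstall hooks, measures
    the file a `node <file>` hook points at, and flags hits in the
    @redhat-cloud-services scope or above a size threshold. The tree it
    scans is constructed in a temp directory: the package name, version
    and scope come from the story, but the file contents are plain
    padding, and the two other package names are invented for contrast.

```python
"""Triage helper for install-time hooks in a node_modules tree (added example)."""
import json
import os
import re
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
SIZE_THRESHOLD = 1_000_000          # bytes; the reported index.js was 4.2 MB
WATCHED_SCOPES = ("@redhat-cloud-services",)   # scope named in the story


def _script_target(cmd):
    """Return the file a `node <file>` hook runs, or None for other commands."""
    m = re.match(r"^\s*node\s+(\S+)", cmd or "")
    return m.group(1) if m else None


def scan_node_modules(root):
    """Return one finding per install-time hook found under `root`."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                meta = json.load(f)
        except (OSError, ValueError):
            continue                       # unreadable or malformed manifest
        scripts = meta.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if not hooks:
            continue
        name = str(meta.get("name", os.path.relpath(dirpath, root)))
        for hook, cmd in hooks.items():
            size = None
            target = _script_target(cmd)
            if target:
                path = os.path.join(dirpath, target)
                if os.path.isfile(path):
                    size = os.path.getsize(path)
            findings.append({
                "package": name,
                "version": meta.get("version"),
                "hook": hook,
                "command": cmd,
                "script_size": size,
                "watched_scope": name.startswith(WATCHED_SCOPES),
                "oversized": size is not None and size >= SIZE_THRESHOLD,
            })
    return findings


def suspicious(findings):
    """Findings worth a human look: watched scope or oversized install script."""
    return [f for f in findings if f["watched_scope"] or f["oversized"]]


def build_demo_tree():
    """Create a constructed node_modules tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="nm-demo-")

    def add(name, version, scripts=None, files=None):
        d = os.path.join(root, *name.split("/"))
        os.makedirs(d)
        meta = {"name": name, "version": version}
        if scripts:
            meta["scripts"] = scripts
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
            json.dump(meta, f)
        for fname, content in (files or {}).items():
            with open(os.path.join(d, fname), "w", encoding="utf-8") as f:
                f.write(content)

    # Constructed stand-in for the reported package: a postinstall hook plus a
    # bloated index.js made of padding only (not the real payload).
    add("@redhat-cloud-services/host-inventory-client", "5.0.3",
        {"postinstall": "node index.js"},
        {"index.js": "/* padding */\n" + "x" * 4_200_000})
    # Constructed benign packages (hypothetical names) for contrast.
    add("tiny-helper", "1.0.0")
    add("native-addon-demo", "2.1.0", {"install": "node-gyp rebuild"})
    return root


if __name__ == "__main__":
    for f in scan_node_modules(build_demo_tree()):
        flag = "SUSPICIOUS" if (f["watched_scope"] or f["oversized"]) else "info"
        print(f"[{flag}] {f['package']}@{f['version']} {f['hook']}: "
              f"{f['command']} (script {f['script_size']} bytes)")
```

    Point `scan_node_modules` at a real project's node_modules to list
    what would run on the next install; a hook whose command is not a
    plain `node <file>` (such as `node-gyp rebuild`) is reported with no
    size, so the command line itself still gets a look.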

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/1075742/


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)