Developers who install packages from the npm registry should check which packages they depend on and consider rotating their security tokens (keys and passwords), after it was discovered that over 30 packages had been compromised. Aikido Dev reports: "On June 1, 2026, we detected multiple official packages from the @redhat-cloud-services scope on npm were compromised with a credential-stealing worm. Over 30 packages seem to be affected. The malware appears similar to the Mini Shai-Hulud malware that was recently open-sourced by TeamPCP. Since the tooling was made publicly available, other threat actors now have access to the same techniques and can replicate or adapt them. The packages were published via GitHub Actions OIDC, indicating the CI/CD pipeline was compromised rather than an npm token. If you have installed any affected package versions since June 1, 2026, treat all CI secrets, cloud credentials, SSH keys, and npm tokens as compromised and rotate them immediately."
According to the notice, the compromised packages appear to have been pushed from a Red Hat employee's account: "We found a Red Hat employee's GitHub account was compromised and used to push malicious orphan commits directly to several repositories, bypassing code review entirely."