Red Hat npm supply-chain attack: 32 packages trojanized via CI/CD hijack, credential harvesting and worm propagation
Microsoft identified a large-scale npm supply-chain attack affecting 32 maliciously modified packages under the @redhat-cloud-services scope, originating from the compromised RedHatInsights/javascript-clients CI/CD pipeline and deploying multi-stage credential-stealing malware with self-propagation capabilities.
Attack Brief
Target: npm packages (@redhat-cloud-services scope); JavaScript/Node.js ecosystem; CI/CD environments
Vector: Compromised GitHub Actions OIDC publishing workflow in the upstream RedHatInsights/javascript-clients repository; malicious preinstall hook executed during npm install
Attribution: unattributed
Technical Details
MITRE ATT&CK: T1195.001, T1547.013, T1555, T1187, T1140, T1552.007, T1134.003, T1041, T1570, T1531
IoCs: @redhat-cloud-services npm scope; RedHatInsights/javascript-clients repository
Affected: 32 maliciously modified packages across more than 90 versions under the @redhat-cloud-services npm scope
Impact
Sectors: Software development; Cloud services; DevOps/CI-CD
Confirmed Damage: Credential theft from GitHub, npm, AWS, Azure, GCP, HashiCorp Vault, Kubernetes; SSH key harvesting; CLI credential exfiltration; browser and wallet data theft; potential home directory destruction via a destructive tripwire (rm -rf ~/); package republication with forged SLSA provenance for downstream propagation
Mitigation
Patches: npm team removal of affected repositories; implementation of additional protections on the @redhat-cloud-services namespace to prevent unauthorized publishing
Workarounds: Audit npm package installations from the @redhat-cloud-services scope; review CI/CD runner environment variables and secrets; implement GitHub Actions OIDC token validation and scope restrictions; disable passwordless sudo rules; monitor for forged SLSA provenance signatures
Detection: Monitor npm preinstall hook execution; detect the 4.29 MB dropper script with ROT-XX obfuscation and AES-128-GCM encrypted payloads; hunt for Bun runtime downloads in package installation contexts; detect credential access from GitHub Actions runner memory; identify passwordless sudo rule installation; monitor for package republication with modified provenance metadata
Context
Similar Attacks: Campaign marker 'Miasma: The Spreading Blight' indicates a coordinated supply-chain attack with worm-like self-propagation across maintainer packages