TechRadar
Sead Fadilpašić

Compromised Red Hat npm packages downloaded over 80,000 times in one week – supply chain attack still ongoing

  • Red Hat npm packages compromised with Mini Shai-Hulud variant
  • Attackers target GitHub secrets and cloud credentials
  • Copycat worm shows themed but similar tradecraft

Numerous Red Hat npm packages were recently compromised and tainted with a variant of the Mini Shai-Hulud worm, which targets GitHub Actions secrets, npm tokens, and other valuable information. Thousands of developers and projects are potentially at risk.

Recently, a single Red Hat employee has had their GitHub account compromised. The miscreants used the access to infiltrate, and then compromise, dozens of npm packages.

Wiz, for example, identified 32 packages so far, which receive around 80,000 downloads a week. Socket, on the other hand, claims to have identified 95 packages. Both outfits confirmed that the attack is currently ongoing, and hinted that the number of infected packages will probably grow even bigger.

TeamPCP copycats

All of the packages were published under the Red Hat Cloud Services namespace. The company confirmed the attack to The Register, and said it removed the compromised content. “The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system. While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems.”

Socket says the attackers are going after people’s GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, Git credentials, and other sensitive files. “It also includes encrypted exfiltration logic and GitHub-based fallback mechanisms, indicating that the attacker was not only attempting to steal credentials, but also potentially enable further supply chain propagation.”
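A first triage step for teams that consume packages from an affected namespace is to enumerate what their lockfiles actually pull in from that scope, and whether any of it runs install-time scripts. The following audit helper is an added example written for this page, not code from Wiz, Socket, or Red Hat; the `@example-scope` name, the versions, and the "known bad" list are placeholders, since the article does not give the real npm scope or the affected versions.

```python
import json
from typing import Iterable

# Constructed sample npm lockfile (lockfileVersion 3). Scope, package names,
# and versions are placeholders, not the real Red Hat namespace or advisory data.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/@example-scope/frontend-components": {
            "version": "1.2.3", "hasInstallScript": True},
        "node_modules/@example-scope/config": {"version": "2.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        # nested copy of a scoped package pulled in by another dependency
        "node_modules/foo/node_modules/@example-scope/config": {"version": "1.9.0"},
    },
})


def package_name(path: str) -> str:
    """Map a lockfile 'packages' key to a package name.
    'node_modules/a/node_modules/@s/b' becomes '@s/b'."""
    _, _, tail = path.rpartition("node_modules/")
    return tail


def audit_lockfile(lock_json: str, scope: str, bad: Iterable[tuple]) -> dict:
    """Report every package from `scope`, any (name, version) pair in `bad`
    (an advisory list you maintain), and any package that npm recorded as
    having an install-time lifecycle script (hasInstallScript)."""
    bad = set(bad)
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion >= 2 required (needs the 'packages' map)")
    in_scope, known_bad, install_scripts = set(), set(), set()
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name, version = package_name(path), meta.get("version", "")
        if meta.get("hasInstallScript"):
            install_scripts.add((name, version))
        if name.startswith(scope + "/"):
            in_scope.add((name, version))
            if (name, version) in bad:
                known_bad.add((name, version))
    return {"in_scope": sorted(in_scope), "known_bad": sorted(known_bad),
            "install_scripts": sorted(install_scripts)}
```

Run it against each repository's `package-lock.json` with the real scope and the advisory's version list; a hit in `known_bad` or an unexpected entry in `install_scripts` is the cue to rotate the CI secrets, npm tokens, and cloud credentials that the build could have exposed.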

Originally, the group behind the Mini Shai-Hulud attack was TeamPCP. However, they open-sourced the worm, resulting in the emergence of copycats and other threat actors employing a similar strategy. The minor, cosmetic changes seen in this campaign point to one such group.

Wiz claims all references to the Dune universe were replaced by Greek mythology themes, but apart from that, the underlying functionality and tradecraft “remain substantially similar”. One notable difference in this worm is collecting Google Cloud Platform and Microsoft Azure identities, as well as all the identities that the infected machine has access to.

Via The Register
