In a significant security incident, Red Hat’s NPM repository was infiltrated on Monday, resulting in the deployment of harmful versions of 32 packages. This breach was part of a supply chain attack aiming to distribute a worm capable of stealing credentials.
Rapid Deployment of Malicious Packages
ReversingLabs reported that within just 72 seconds, the perpetrators published malicious versions of all 32 packages. Such rapid distribution indicates that the attackers used automation tooling rather than publishing by hand.
The compromised packages are integral to the Red Hat Hybrid Cloud Console’s JavaScript ecosystem and collectively account for nearly 10 million downloads, highlighting the widespread impact of this breach.
Method of Compromise
Insight from Aikido indicates that the attackers infiltrated the CI/CD pipeline and utilized GitHub Actions OIDC to disseminate the malicious package versions. It is suspected that the hackers had access to credentials within the @redhat-cloud-services NPM scope.
The packages included a preinstall hook, so the malware executed during the npm installation process, before any of the package’s code was imported or used.
Malware Characteristics and Impact
The malicious payload, labeled “Miasma: The Spreading Blight,” appears to be a variation of the Mini Shai-Hulud worm, previously employed by TeamPCP in targeting the open source community.
The malware’s source code was released last month, encouraging further supply chain attacks by malicious actors. Ox Security identified that the threat actors tested this capability by infecting a repository on May 29.
This malware focuses on extracting sensitive data such as GitHub Actions secrets, npm tokens, and SSH keys, transmitting the data to a server controlled by the attackers. It also leverages a fallback mechanism using GitHub to publish stolen information.
Mitigation and Recommendations
Following the detection of the breach, Red Hat maintainers have released clean versions of all affected packages and removed the malicious versions from NPM.
Users are strongly encouraged to update to the clean versions immediately. Those who installed compromised versions should assume their systems are compromised and rotate credentials and other secrets without delay.
Developers should also examine transitive dependencies for potential contamination and monitor their systems for unusual activities.
Related industry efforts include IBM and Red Hat’s $5 billion investment to enhance open-source supply chain security under “Project Lightwell,” reflecting the growing importance of securing software development pipelines.
