{"id":344962,"date":"2026-06-03T08:41:53","date_gmt":"2026-06-03T03:11:53","guid":{"rendered":"https:\/\/ebiztoday.news\/?p=344962"},"modified":"2026-06-03T08:41:53","modified_gmt":"2026-06-03T03:11:53","slug":"dozens-of-red-hat-packages-backdoored-through-its-official-npm-channel","status":"publish","type":"post","link":"https:\/\/ebiztoday.news\/index.php\/2026\/06\/03\/dozens-of-red-hat-packages-backdoored-through-its-official-npm-channel\/","title":{"rendered":"Dozens of Red Hat packages backdoored through its official NPM channel"},"content":{"rendered":"<div>\n<p>The worm, dubbed Shai-Hulud, has all of the hallmarks of malware <a href=\"https:\/\/socket.dev\/blog\/teampcp-supply-chain-attack-contest\">released<\/a> last month as freely available open source. TeamPCP was the primary group to make use of Shai-Hulud, and it promoted a contest that promised a $1,000 payment to the hacker who carried out the largest supply-chain attack using the malware. TeamPCP has also been behind a rash of previous supply-chain attacks. Now that the worm is in the hands of many other threat groups, supply-chain attacks may ramp up further.<\/p>\n<p>The malware devotes considerable attention to <a href=\"https:\/\/about.gitlab.com\/topics\/ci-cd\/\">CI\/CD<\/a> (continuous integration\/continuous delivery) systems, which allow for faster and more reliable software releases by automating the building, testing, and deploying of code changes. The malware spread in Monday\u2019s attack was published through GitHub Actions OIDC (OpenID Connect), indicating that Red Hat\u2019s CI\/CD pipeline was compromised. OIDC is a security measure designed to interact with cloud services through the use of temporary credentials.<\/p>\n<p>Once installed, the malware targets other organizations\u2019 CI\/CD credentials. 
The compromise of Red Hat\u2019s GitHub Actions OIDC was very possibly the result of a previous supply-chain attack that infected a worker\u2019s machine.<\/p>\n<p>In an email sent after this post went live, Red Hat said it has removed the malicious packages.<\/p>\n<p>\u201cThe packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system,\u201d the email said. \u201cWhile our investigation is ongoing, we&#8217;ve not identified any impact to customer or partner environments or Red Hat production systems.\u201d<\/p>\n<p>Given the success of other recent supply-chain attacks, anyone who touched one of the affected packages in the previous 36 hours should assume compromise of their workstations, CI\/CD pipelines, and all credentials for cloud services and repositories. That means employees should drop whatever they\u2019re doing in the meantime and investigate thoroughly.<\/p>\n<p>In a recent supply-chain attack that hit Checkmarx, the security firm failed to completely drive out the party responsible. Checkmarx was then hit two more times. The Checkmarx credentials used in the first attack came from a supply-chain attack on the Trivy software developer. 
The pivot to Checkmarx and its failure to completely remediate the initial breach demonstrate the difficulty of fully recovering from such security lapses and the risks that result.<\/p>\n<p>Both <a href=\"https:\/\/socket.dev\/blog\/mini-shai-hulud-campaign-hits-red-hat-cloud-services-npm-packages\">Socket<\/a> and <a href=\"https:\/\/www.aikido.dev\/blog\/red-hat-npm-packages-compromised-credential-stealing-worm\">Aikido<\/a> have lists of affected Red Hat packages and other indicators of compromise that any potentially affected person or organization should make use of promptly.<\/p>\n<p><em>Story updated to add Red Hat comment.<\/em><\/p>\n<\/p><\/div>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The worm, dubbed Shai-Hulud, has all of the hallmarks of malware released last month as freely available open source. TeamPCP was the primary group to make use of Shai-Hulud, and it promoted a contest that promised a $1,000 payment to the hacker who carried out the largest supply-chain attack using the malware. 
TeamPCP has also [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":344963,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[51390,673,8287,2520,33778,7727,24177,1955],"class_list":["post-344962","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-backdoored","tag-channel","tag-dozens","tag-hat","tag-npm","tag-official","tag-packages","tag-red"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts\/344962","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/comments?post=344962"}],"version-history":[{"count":2,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts\/344962\/revisions"}],"predecessor-version":[{"id":344965,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts\/344962\/revisions\/344965"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/media\/344963"}],"wp:attachment":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/media?parent=344962"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/categories?post=344962"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/tags?post=344962"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}