Active npm supply chain attack targets Red Hat Cloud Services packages, over 300 GitHub repositories affected


Huo Xing Finance reports that on June 2, SlowMist issued a security alert detecting an active npm supply chain attack targeting packages related to @redhat-cloud-services. Over 31 packages have been confirmed as compromised, with approximately 116,000 weekly downloads, and stolen credentials have been found in over 300 GitHub repositories. The attack technique closely resembles the previous “Shai-Hulud” npm attack, including credential theft, creation of malicious repositories, and automated secret exfiltration. New suspicious repositories continue to emerge, indicating the attack is ongoing and developers remain at risk. Potential impacts include theft of GitHub/npm tokens, exposure of AWS/GCP/Azure cloud credentials, collection of SSH keys and Kubernetes secrets, leakage of local environment and wallet data, creation and persistence of malicious repositories, and potentially destructive actions even after tokens have been revoked. It is recommended to immediately remove or downgrade affected @redhat-cloud-services package versions, conduct a comprehensive audit of CI/CD workflows and dependency installations, rotate all keys related to GitHub, npm, cloud services, SSH, and wallets, retain logs, and rebuild compromised developer machines or Runners from clean images, while maintaining heightened vigilance.
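As an added example, not code from MarsBit, SlowMist or Red Hat: the "comprehensive audit of dependency installations" recommended above can start from the lockfile. This Python snippet walks a package-lock.json (lockfileVersion 2 or 3) and lists every installed package under the @redhat-cloud-services scope, including copies nested under other packages, then flags any whose version is on an advisory-supplied list. The lockfile content, package names and the version list are constructed placeholders, since the report names no specific versions.

```python
import json

# Constructed lockfile for demonstration; package names/versions are made up.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@redhat-cloud-services/frontend-components": "^4.0.0"}},
        "node_modules/@redhat-cloud-services/frontend-components": {"version": "4.1.2"},
        "node_modules/@redhat-cloud-services/types": {"version": "1.0.0", "dev": True},
        "node_modules/lodash": {"version": "4.17.21"},
        # nested copy: installed under another package's node_modules
        "node_modules/lodash/node_modules/@redhat-cloud-services/nested": {"version": "0.0.1"},
        "node_modules/@redhat-cloud-services-lookalike/x": {"version": "9.9.9"},
    },
})


def find_scoped_packages(lockfile_text, scope="@redhat-cloud-services"):
    """Return every installed package whose name is in `scope`, wherever it sits in the tree."""
    lock = json.loads(lockfile_text)
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("only lockfileVersion 2/3 (with a 'packages' map) is supported")
    found = []
    for path, meta in lock["packages"].items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        # The package name is everything after the LAST "node_modules/" segment,
        # so nested installs (a/node_modules/b/node_modules/@scope/c) are caught too.
        name = path.rsplit("node_modules/", 1)[-1]
        # Exact scope match only: "@scope-lookalike/x" must not match "@scope".
        if name.startswith(scope + "/"):
            found.append({"name": name, "version": meta.get("version"),
                          "path": path, "dev": bool(meta.get("dev"))})
    return found


def flag_versions(found, bad_versions):
    """bad_versions maps package name -> set of versions taken from the vendor advisory
    (placeholder contents here). Unlisted packages still warrant manual review."""
    return [f for f in found if f["version"] in bad_versions.get(f["name"], set())]


if __name__ == "__main__":
    hits = find_scoped_packages(SAMPLE_LOCKFILE)
    for h in hits:
        print(f"{h['name']}@{h['version']}  ({'dev' if h['dev'] else 'prod'})  {h['path']}")
    # Placeholder advisory list; replace with the versions published by the maintainers/SlowMist.
    print("flagged:", flag_versions(hits, {"@redhat-cloud-services/nested": {"0.0.1"}}))
```

Run it against a real project's package-lock.json by reading the file into `find_scoped_packages` instead of `SAMPLE_LOCKFILE`; every hit is a candidate for the removal or downgrade the report recommends, not only the flagged ones.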
