Multiple redhat-cloud-services npm Packages compromised
Multiple npm packages in the @redhat-cloud-services scope were compromised with malicious payloads. The attack used preinstall hooks to execute a multi-stage credential harvester targeting cloud and CI/CD platform secrets.
- Disclosed
- Last updated
- Blast radius
- Multiple packages in @redhat-cloud-services npm scope; affects RedHat Cloud Services frontend ecosystem and any projects using these packages
- Ecosystems
- Attack vectors
- Affected entities
- @redhat-cloud-services (multiple packages)Scope-wide compromise affecting multiple packages in the RedHat Cloud Services namespace
Multiple npm packages under the @redhat-cloud-services scope were found to contain malicious code designed to execute during package installation. The compromise affected several packages across the RedHat Cloud Services frontend ecosystem.\n\nThe malicious payload activates via a preinstall hook that runs automatically when the package is installed via npm. The attack implements a sophisticated multi-stage credential harvester targeting a wide range of valuable secrets and tokens.\n\nThe harvester specifically targets credentials from GitHub Actions secrets, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm tokens, and CircleCI tokens. This broad targeting indicates the attacker sought to compromise environments and systems used by downstream organizations.\n\nAny project that installed affected versions of these packages during the compromise window would have had credentials and secrets exposed to the attacker.
Indicators of compromise
- Packages
- @redhat-cloud-services (multiple packages)
Remediation
- Immediately audit npm install logs to identify if any affected @redhat-cloud-services packages were installed
- Rotate all credentials and secrets that may have been exposed (GitHub Actions secrets, AWS keys, GCP credentials, Azure credentials, npm tokens, CircleCI tokens)
- Audit account activity and access logs for unauthorized changes or access
- Upgrade all @redhat-cloud-services packages to patched versions once available
- Review npm package.json dependencies and lock files to identify exact versions that were installed
- Monitor for suspicious activity in connected cloud and CI/CD platforms
Sources
- Multiple redhat-cloud-services npm Packages compromised · StepSecurity
Cite this entry
"Multiple redhat-cloud-services npm Packages compromised." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 2, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/multiple-redhat-cloud-services-npm-packages-compromised-1gtdw3
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- activecritical
Malware in @doaction/auth
Malware discovered in the npm package @doaction/auth. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package - containedcritical
Malware in @doaction/shared
Malware was discovered in the npm package @doaction/shared. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package - containedcritical
Malware in transacts
The npm package transacts was found to contain malware, resulting in full system compromise of any computer with the package installed or running. All secrets and keys should be rotated immediately from a different computer, and the package should be removed.
npmCompromised package - containedcritical
Malware in buffer-utilities
Malware was discovered in the npm package buffer-utilities, resulting in full system compromise for any installation. The package should be removed immediately and all secrets and keys rotated from a clean system.
npmCompromised package