32 Red Hat npm packages backdoored in 72 seconds

What Happened

On June 1, attackers compromised a Red Hat account to publish malicious versions of 32 software packages to the npm registry. Anyone who downloaded these packages during a specific two-minute window may have had their cloud and developer passwords stolen. This is highly dangerous because the malware can also use stolen passwords to spread itself to other software projects. Developers who used these packages should immediately change all their passwords and security keys.

Key Takeaways

• Attackers compromised the @redhat-cloud-services npm scope, publishing 32 malicious packages in a 72-second window.
• The malware uses a three-layer obfuscation pipeline (ROT-N, AES-128-GCM, obfuscator.io) to evade detection and defeat hash-based deduplication.
• The payload acts as a credential stealer targeting cloud and CI/CD secrets, exfiltrating data via the GitHub API.
• The malware includes worm capabilities, allowing it to self-propagate to other npm scopes using stolen credentials.

Affected Systems

• Node.js build environments
• CI/CD pipelines (specifically GitHub Actions)
• Developer workstations running npm install for @redhat-cloud-services packages

Attack Chain

The attacker compromised the @redhat-cloud-services npm scope and used automated tooling to publish 32 malicious packages. During package installation, a preinstall script executes an obfuscated index.js file. This file uses a ROT-N cipher and AES-128-GCM to decrypt two payloads: one that downloads the legitimate bun runtime, and another that acts as a credential stealer. The stealer harvests cloud and CI/CD secrets, exfiltrates them via the GitHub API, and attempts to use stolen npm credentials to propagate to other packages.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: ReversingLabs Spectra Assure

ReversingLabs Spectra Assure provides behavioral indicators (e.g., BH13852, BH13525, BH15183, BH15358) to detect the malicious packages based on dynamic code evaluation and obfuscation patterns.

Detection Engineering Assessment

EDR Visibility: Medium — EDR may detect anomalous child processes (like bun) spawning from Node.js during package installation, or unusual file reads of sensitive credential stores. Network Visibility: Medium — Outbound connections to the GitHub API for exfiltration may blend in with legitimate developer traffic, though downloading bun from GitHub releases during npm install could be flagged. Detection Difficulty: Hard — The malware uses legitimate binaries (bun), legitimate exfiltration channels (GitHub API), and heavily obfuscated, uniquely keyed payloads per package to evade signature-based detection.

Required Log Sources

• Process Creation Logs
• File Access Logs
• Network Connection Logs

Hunting Hypotheses

Control Gaps

• Hash-based blocking (due to unique per-package payloads)
• Network filtering (due to use of legitimate GitHub endpoints)

Key Behavioral Indicators

• Node.js executing a preinstall script that drops and executes a secondary JavaScript runtime (bun)
• Dynamic code evaluation (eval) of heavily obfuscated strings in npm package index.js files

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Identify any projects that ran 'npm install' on the affected @redhat-cloud-services packages between 10:54 and 10:56 UTC on June 1.
• Rotate all credentials, tokens, SSH keys, and secrets accessible from affected build environments, including AWS, Azure, GCP, Vault, and GitHub tokens.

Infrastructure Hardening

• Block the identified malicious SHA-256 hashes in artifact proxies (e.g., Artifactory, Nexus).
• Implement strict egress filtering on build agents to limit outbound connections to only required infrastructure.

User Protection

• Audit package-lock.json and yarn.lock files for exact version pins matching the malicious packages.
• Consider using tools that analyze npm package behavior before allowing them into the internal registry.

Security Awareness

• Educate developers on the risks of supply chain attacks and the importance of monitoring build environment network activity.

MITRE ATT&CK Mapping

• T1195.002 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
• T1059.007 - Command and Scripting Interpreter: JavaScript
• T1027 - Obfuscated Files or Information
• T1105 - Ingress Tool Transfer
• T1552.001 - Unsecured Credentials: Credentials In Files
• T1048 - Exfiltration Over Alternative Protocol

Additional IOCs

• File Hashes:
  • 21b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4 (SHA256) - Hash of malicious index.js in chrome 2.3.1
  • 5c6cb758a3447bc7e0de34406919a933f9351e90ef04ec43f3bbb401e7004e1b (SHA256) - Hash of malicious index.js in compliance-client 4.0.3
  • 5dabf08e2655c012e478074a2cea2b0d34e286c27265a26f3846fc45e5584501 (SHA256) - Hash of malicious index.js in config-manager-client 5.0.4
  • 2a446171b4b981d98b5af6c5606bd63b1570040334210b6ab0a10901b2606fe5 (SHA256) - Hash of malicious index.js in entitlements-client 4.0.11
  • edd86c0efd776a6bd934fc7b0d4d6da2b256e147cfa83bb0c2814e81d849c427 (SHA256) - Hash of malicious index.js in eslint-config-redhat-cloud-services 3.2.1
  • d8d170af3de17bb9b217c52aaaffdf9395f35ef015a57ef676e406c121e5e223 (SHA256) - Hash of malicious index.js in frontend-components-advisor-components 3.8.2
  • 545a1838c66e1771f58d84a17b3e1841e5eeab91a73f4ccc59c9492450a6d9c0 (SHA256) - Hash of malicious index.js in frontend-components-config 6.11.3
  • 080190bffcaafffacca1f0181fc9024aaaa21500ffdc9926fa5b689ba959965d (SHA256) - Hash of malicious index.js in frontend-components-notifications 6.9.2
  • 9b99482b75ee89f0d916f2743deeff381ea727e69c71491822477e67891841ad (SHA256) - Hash of malicious index.js in frontend-components-remediations 4.9.2
  • 17c4312b50d69a6f61515edcf71cfaa8271fe2538b942128cfb639d021d042a7 (SHA256) - Hash of malicious index.js in frontend-components-testing 1.2.1
  • e5f73c888f1250a8895680801975cf177e8c690defd4a999e56f6c08ff64deb8 (SHA256) - Hash of malicious index.js in frontend-components-translations 4.4.1
  • c611e49ea46c91013448942c26049741b434cb5dac55fff7c376ca6a4f28580e (SHA256) - Hash of malicious index.js in hcc-feo-mcp 0.3.1
  • 7cbace2a186cab2c652305b6e33c8eeb10d4a0ec3a0c8b795de012094fa0d845 (SHA256) - Hash of malicious index.js in hcc-kessel-mcp 0.3.1
  • c178cafa2b3bcbefbbc283b5ab8fc6143e46650631f72451a44327f146a609c3 (SHA256) - Hash of malicious index.js in hcc-pf-mcp 0.6.1
  • cffc487ee978f7bc06e3856b286940940658884847d38b619a137b8272a75980 (SHA256) - Hash of malicious index.js in host-inventory-client 5.0.3
  • 8d2a09b3727b50f3d035b58bd35b90b504d24dda73a8a24e926a010a58ba5f74 (SHA256) - Hash of malicious index.js in insights-client 4.0.4
  • 42e165602967c8e1a6fae0113a5179adbe33e18192244fe34b872db09c85e0e6 (SHA256) - Hash of malicious index.js in integrations-client 6.0.4
  • 09b2301d1589416e0d5fb7a602427a9850dee6713ffa741c0efcfeb1eb4c8952 (SHA256) - Hash of malicious index.js in javascript-clients-shared 2.0.8
  • 85b1ed56530bb64d925af4ca50faacd89efb1b63d615238a34adbea9f00e4754 (SHA256) - Hash of malicious index.js in notifications-client 6.1.4
  • df1732f5bfec12e066be44dee02ec8a243e4868d38672c1b1d065359dd735a14 (SHA256) - Hash of malicious index.js in patch-client 4.0.4
  • 7b19ffc2f2bfff75989255e5e807d0f62513153de287eba9cc17003c1dcae8a8 (SHA256) - Hash of malicious index.js in quickstarts-client 4.0.11
  • 396cac9e457ec54ff6d3f6311cb5cc1da8054d019ce3ffa1de5741506c7a4ea4 (SHA256) - Hash of malicious index.js in remediations-client 4.0.4
  • 1a30a9abe20bab121aaa75ed040565af14e6cdfb745609ee0e7b94a2d814fb9c (SHA256) - Hash of malicious index.js in rule-components 4.7.2
  • f961d6897c0ec586cde633e100865b5b1d435cc7c301dbf0f41298ca5b42e17a (SHA256) - Hash of malicious index.js in sources-client 3.0.10
  • b390d9f708760b799ee5482e8050ce093219140627fcaec6df8812ac9abb9a9b (SHA256) - Hash of malicious index.js in tsc-transform-imports 1.2.2
  • d1999fd543085918dd542322c6455abde3c57a93b8f7ce871b8809c8bb744af7 (SHA256) - Hash of malicious index.js in vulnerabilities-client 2.1.8
• Command Lines:
  • Purpose: Executes the malicious dropper during npm package installation | Tools: node, npm | Stage: Execution / Persistence | node index.js
• Other:
  • @redhat-cloud-services/chrome - Malicious npm package published during the supply chain attack (v2.3.1)
  • @redhat-cloud-services/compliance-client - Malicious npm package published during the supply chain attack (v4.0.3)
  • @redhat-cloud-services/config-manager-client - Malicious npm package published during the supply chain attack (v5.0.4)
  • @redhat-cloud-services/entitlements-client - Malicious npm package published during the supply chain attack (v4.0.11)
  • @redhat-cloud-services/eslint-config-redhat-cloud-services - Malicious npm package published during the supply chain attack (v3.2.1)
  • @redhat-cloud-services/frontend-components-advisor-components - Malicious npm package published during the supply chain attack (v3.8.2)
  • @redhat-cloud-services/frontend-components-config - Malicious npm package published during the supply chain attack (v6.11.3)
  • @redhat-cloud-services/frontend-components-notifications - Malicious npm package published during the supply chain attack (v6.9.2)
  • @redhat-cloud-services/frontend-components-remediations - Malicious npm package published during the supply chain attack (v4.9.2)
  • @redhat-cloud-services/frontend-components-testing - Malicious npm package published during the supply chain attack (v1.2.1)
  • @redhat-cloud-services/frontend-components-translations - Malicious npm package published during the supply chain attack (v4.4.1)
  • @redhat-cloud-services/hcc-feo-mcp - Malicious npm package published during the supply chain attack (v0.3.1)
  • @redhat-cloud-services/hcc-kessel-mcp - Malicious npm package published during the supply chain attack (v0.3.1)
  • @redhat-cloud-services/hcc-pf-mcp - Malicious npm package published during the supply chain attack (v0.6.1)
  • @redhat-cloud-services/host-inventory-client - Malicious npm package published during the supply chain attack (v5.0.3)
  • @redhat-cloud-services/insights-client - Malicious npm package published during the supply chain attack (v4.0.4)
  • @redhat-cloud-services/integrations-client - Malicious npm package published during the supply chain attack (v6.0.4)
  • @redhat-cloud-services/javascript-clients-shared - Malicious npm package published during the supply chain attack (v2.0.8)
  • @redhat-cloud-services/notifications-client - Malicious npm package published during the supply chain attack (v6.1.4)
  • @redhat-cloud-services/patch-client - Malicious npm package published during the supply chain attack (v4.0.4)
  • @redhat-cloud-services/quickstarts-client - Malicious npm package published during the supply chain attack (v4.0.11)
  • @redhat-cloud-services/remediations-client - Malicious npm package published during the supply chain attack (v4.0.4)
  • @redhat-cloud-services/rule-components - Malicious npm package published during the supply chain attack (v4.7.2)
  • @redhat-cloud-services/sources-client - Malicious npm package published during the supply chain attack (v3.0.10)
  • @redhat-cloud-services/tsc-transform-imports - Malicious npm package published during the supply chain attack (v1.2.2)
  • @redhat-cloud-services/vulnerabilities-client - Malicious npm package published during the supply chain attack (v2.1.8)