Compromised Red Hat npm packages downloaded over 80,000 times in one week – supply chain attack still ongoing


  • Red Hat npm packages compromised with Mini Shai-Hulud variant
  • Attackers target GitHub secrets and cloud credentials
  • Copycat worm shows themed but similar tradecraft

Numerous Red Hat npm packages were recently compromised and tainted with a variant of the Mini Shai-Hulud worm, targeting GitHub Actions secrets, npm tokens, and other valuable information. Thousands of developers and projects are potentially at risk.

Recently, a single Red Hat employee had their GitHub account compromised. The miscreants used that access to infiltrate, and then compromise, dozens of npm packages.

Wiz, for example, has identified 32 packages so far, which together receive around 80,000 downloads a week. Socket, on the other hand, claims to have identified 95 packages. Both outfits confirmed that the attack is currently ongoing, and hinted that the number of infected packages will probably grow further.


TeamPCP copycats

All of the packages were published under the Red Hat Cloud Services namespace. The company confirmed the attack to The Register, and said it removed the compromised content. “The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system. While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems.”

Socket says the attackers are going after people’s GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, Git credentials, and other sensitive files. “It also includes encrypted exfiltration logic and GitHub-based fallback mechanisms, indicating that the attacker was not only attempting to steal credentials, but also potentially enable further supply chain propagation.”

Originally, the group behind the Mini Shai-Hulud attack was TeamPCP. However, they open-sourced the worm, resulting in the emergence of copycats and other threat actors employing a similar strategy. The minor, cosmetic changes seen in this campaign point to one such group.

Wiz claims all references to the Dune universe were replaced by Greek mythology themes, but apart from that, the underlying functionality and tradecraft “remain substantially similar”. One notable difference in this worm is collecting Google Cloud Platform and Microsoft Azure identities, as well as all the identities that the infected machine has access to.

Via The Register


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
