Researchers discovered malicious packages in the @redhat-cloud-services npm namespace that harvest credentials for GitHub Actions, AWS, GCP, Azure, and other cloud platforms. The malware executes via preinstall hooks during npm installation.
Security researchers at Step Security identified several packages within the @redhat-cloud-services npm scope containing malicious payloads designed to steal credentials from major cloud platforms and development tools.
The attack exploits npm's preinstall hook mechanism, which runs automatically when developers install packages. This approach allows the malware to execute before users notice suspicious activity, making detection difficult.
Targeted credentials include authentication tokens for:
- GitHub Actions
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
- Microsoft Azure
- Additional cloud and development platforms
The @redhat-cloud-services namespace suggests the packages were designed to appear legitimate to developers working with Red Hat services. This typosquatting-adjacent technique leverages trust associated with established organizations to increase installation rates.
Once installed, the preinstall hook fires on every npm install command, potentially compromising credentials across multiple machines and development environments. Stolen credentials could grant attackers access to cloud infrastructure, CI/CD pipelines, and sensitive project resources.
The discovery highlights ongoing supply chain vulnerabilities in the npm ecosystem. Developers installing packages from compromised namespaces face significant risk, particularly when packages request broad permissions or execute code during installation phases.
Step Security recommends developers:
- Audit recent npm installations
- Review cloud platform access logs for suspicious activity
- Rotate credentials if exposed
- Implement package verification tools
- Monitor preinstall hook execution
Npm has not yet published an official advisory at time of reporting. The incident underscores the importance of scrutinizing package sources and implementing security checks in dependency management workflows.
Immigration and Customs Enforcement has renewed a $25 million annual contract with a Thomson Reuters subsidiary to access data broker tools for identifying unaccompanied minors and investigating fraud.
Abbott Laboratories is investigating two separate cybersecurity incidents involving unauthorized access to internal systems and alleged data theft, with attackers reportedly making extortion demands.
A method has emerged allowing Zoom participants to prevent meetings from being recorded without administrator approval. The technique highlights growing concerns about automatic transcription and recording practices.
Volkswagen has implemented client assertion requirements that break Home Assistant's ability to access Volkswagen vehicles, blocking a popular third-party integration used by thousands of smart home users.