:

MALWARE IN NPM PACKAGES TARGETS CLOUD CREDENTIALS

DEV DESK2 MIN READ
MON, JUN 1, 2026

■ AI-SUMMARIZED FROM 5 SOURCES ▸ TIMELINE

Researchers discovered malicious packages in the @redhat-cloud-services npm namespace that harvest credentials for GitHub Actions, AWS, GCP, Azure, and other cloud platforms. The malware executes via preinstall hooks during npm installation.

Security researchers at Step Security identified several packages within the @redhat-cloud-services npm scope containing malicious payloads designed to steal credentials from major cloud platforms and development tools. The attack exploits npm's preinstall hook mechanism, which runs automatically when developers install packages. This approach allows the malware to execute before users notice suspicious activity, making detection difficult. Targeted credentials include authentication tokens for: - GitHub Actions - Amazon Web Services (AWS) - Google Cloud Platform (GCP) - Microsoft Azure - Additional cloud and development platforms The @redhat-cloud-services namespace suggests the packages were designed to appear legitimate to developers working with Red Hat services. This typosquatting-adjacent technique leverages trust associated with established organizations to increase installation rates. Once installed, the preinstall hook fires on every npm install command, potentially compromising credentials across multiple machines and development environments. Stolen credentials could grant attackers access to cloud infrastructure, CI/CD pipelines, and sensitive project resources. The discovery highlights ongoing supply chain vulnerabilities in the npm ecosystem. Developers installing packages from compromised namespaces face significant risk, particularly when packages request broad permissions or execute code during installation phases. Step Security recommends developers: - Audit recent npm installations - Review cloud platform access logs for suspicious activity - Rotate credentials if exposed - Implement package verification tools - Monitor preinstall hook execution Npm has not yet published an official advisory at time of reporting. The incident underscores the importance of scrutinizing package sources and implementing security checks in dependency management workflows.

■ SOURCES

TechmemeTechmemeTechmemeTechmemeTechmeme

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

Immigration and Customs Enforcement has renewed a $25 million annual contract with a Thomson Reuters subsidiary to access data broker tools for identifying unaccompanied minors and investigating fraud.

1H AGOIndustry Desk

Abbott Laboratories is investigating two separate cybersecurity incidents involving unauthorized access to internal systems and alleged data theft, with attackers reportedly making extortion demands.

8H AGOAI Desk

A method has emerged allowing Zoom participants to prevent meetings from being recorded without administrator approval. The technique highlights growing concerns about automatic transcription and recording practices.

8H AGOSecurity Desk

Volkswagen has implemented client assertion requirements that break Home Assistant's ability to access Volkswagen vehicles, blocking a popular third-party integration used by thousands of smart home users.

8H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.