
Supply Chain Attack on Red Hat's npm Channel Distributes Backdoored Packages
A recent supply chain attack targeted Red Hat’s official npm channel, where threat actors compromised legitimate accounts to distribute over 30 backdoored packages. The malware, dubbed Shai-Hulud, executes during the npm install process and harvests sensitive credentials such as GitHub Actions secrets, npm tokens, Kubernetes configurations, and cloud service credentials. The worm propagates by republishing infected packages under third-party accounts reachable from the compromised device, creating a self-spreading infection chain. Researchers suspect the attack stemmed from credential compromise, possibly via a prior supply chain breach, though the exact method remains unclear. The malware shares characteristics with open-source malware promoted in a competition offering $1,000 for the largest supply chain attack. Organizations that used affected packages within the past 36 hours are advised to assume compromise of workstations, CI/CD pipelines, and cloud credentials. The incident underscores the risks in supply chain security, particularly when relying on trusted vendor repositories.