Dozens of Red Hat packages backdoored through its official NPM channel
Anyone who has downloaded affected Red Hat packages should investigate immediately.
Red Hat’s official NPM accounts were compromised in a supply-chain attack, allowing a malicious worm to spread and steal sensitive credentials. The worm, dubbed Shai-Hulud, targets CI/CD systems and republishes backdoored packages to third-party accounts. Organizations that installed affected packages are advised to treat their systems as potentially compromised.
- Official Red Hat NPM accounts (@redhat-cloud-services) were compromised, pushing a malicious worm.
- The worm, named Shai-Hulud, steals sensitive credentials like GitHub secrets, npm tokens, and Kubernetes material.
- It spreads by republishing backdoored packages and targets CI/CD systems.
- The attack involved compromising Red Hat’s GitHub Actions OIDC, likely through a prior supply-chain attack.
- Red Hat stated the malicious code was limited to internal development and did not impact customer environments.
- Security firms Aikido and Socket identified affected packages and provided indicators of compromise.
Continue reading: https://arstechnica.com/security/2026/06/dozens-of-red-hat-packages-backdoored-through-its-offical-npm-channel/