Malware Found Lurking in Red Hat npm Packages Targeting Cloud Creds

Compromised @redhat-cloud-services npm packages deployed credential-stealing malware via sneaky preinstall hooks.

Security researchers at Step Security discovered that multiple packages within the @redhat-cloud-services npm namespace were shipping straight-up malware. The malicious payloads targeted credentials for GitHub Actions, AWS, GCP, and other cloud services.

The attack vector is deviously simple. The compromised packages used npm preinstall hooks — scripts that execute automatically every time a developer runs npm install. No user interaction required beyond the install command itself.

That means any developer or CI/CD pipeline pulling these packages was silently handing over cloud credentials without knowing it. GitHub Actions workflows were particularly at risk, given how deeply they integrate with cloud infrastructure.

The scope of affected packages within the @redhat-cloud-services namespace hasn't been fully detailed, but the implications are ugly. Supply chain attacks through trusted namespaces remain one of the nastiest threats in modern software development.