Cybersecurity

Malicious code hid inside Red Hat’s npm packages and spread to steal cloud keys

Susan Hill

Some of the software building blocks shipped under Red Hat’s name spent a stretch of time quietly working against the people who installed them. Hidden inside more than 30 packages in the company’s public @redhat-cloud-services collection was a small script wired to run the instant a developer installed any of them. It was set as what npm calls a preinstall step, the kind of automatic setup task the tool runs on its own, before a single line of the real software loads. Its job was to find passwords, and then to spread.

Red Hat does not make apps that most people open by name, but its code sits underneath an enormous amount of what they use every day: the cloud dashboards a bank logs into, the systems hospitals and government agencies run on, the tooling other companies build their own products with. When code carrying that label turns hostile, the blast radius is not one app. It is everything assembled on top of it.

The hidden script went hunting for the keys that unlock modern computing. According to the security firm StepSecurity, which first flagged the packages, it scooped up access tokens for Amazon Web Services, Google Cloud, Microsoft Azure, Kubernetes, HashiCorp Vault, npm itself and the automation service CircleCI, along with the secrets stored inside GitHub’s build pipelines. To reach them it read the raw memory of the running build process, a trick that slips past the safeguards meant to keep secrets out of logs.

What turns an ordinary data theft into something closer to an outbreak is what the code did next. Armed with stolen npm publishing tokens, it tried to push freshly backdoored versions of any other packages the hijacked account could touch, using a setting that waves away the two-factor check normally standing in the way. A theft that copies itself does not stay with its first victims. It travels along the same trust the whole system is built on.

On developers’ own machines the payload reached further, planting instructions inside Visual Studio Code’s task settings and the configuration for Claude Code, the AI coding assistant, so it could keep running long after the install finished. The people most likely to pull these packages, the engineers who maintain everyone else’s software, were also the ones whose laptops became a foothold.

The most uncomfortable detail is where the bad versions came from. Red Hat’s developers, acknowledging the problem on the project’s public issue tracker, and the researchers who took the code apart agree that the poisoned releases went out through Red Hat’s own automated publishing pipeline, the machinery that takes code from its repositories and ships it to the world. The attackers did not impersonate Red Hat. For a window of time, they could publish as Red Hat. The mark of trust and the thing being trusted came apart.

This is not the first time the open-source supply chain has been turned into a delivery route. Poisoned browser extensions and hijacked developer accounts have surfaced repeatedly through the spring, each one exploiting the same habit: modern software is glued together from thousands of free components nobody writes from scratch. What makes this case land harder is the name on the box. The entire reason to pull code from a vendor like Red Hat, rather than an anonymous contributor, is that the name is supposed to be the guarantee. Strip that away and the convenience that makes modern software fast to build becomes the same channel an attacker uses to reach everyone downstream at once.

What the incident does not mean is worth stating plainly. There is no sign so far that ordinary consumer devices were infected, or that Red Hat’s paid enterprise products and the production systems its customers run were broken into. The malicious versions targeted the messy middle of software development, the automated build servers and the engineers’ machines, and many of the affected packages are front-end and developer tooling rather than the core of any live service. The picture is also still moving, and the exact count of tainted packages has shifted as Red Hat and outside researchers work through the list. The damage that matters most, stolen credentials, stays invisible until someone uses them.

Red Hat has been removing the malicious versions, and the compromised releases are being pulled from npm. Anyone who installed them in the affected window is being told to treat every token the build could see as burned and to rotate them. The disclosure landed at the start of June, and the cleanup will outlast the headlines. The structural problem will outlast the cleanup: the internet is assembled, at speed, from millions of small parts maintained by people we will never meet, and increasingly by automated systems that can be hijacked to sign those parts on their behalf.
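For teams checking their own builds, the following is an added example, not code from Red Hat or StepSecurity: a Node.js sketch that walks a `node_modules` tree and lists every package declaring a script npm runs automatically at install time, optionally limited to one scope such as @redhat-cloud-services. The package names, versions and commands in the sample tree are constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Lifecycle scripts npm runs on its own during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Walk a node_modules directory (including scope folders and nested
// dependencies) and report each package that declares an install-time script.
function findInstallHooks(dir, scope) {
  const findings = [];
  if (!fs.existsSync(dir)) return findings;
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const pkgDir = path.join(dir, entry.name);
    if (entry.name.startsWith("@")) { // scope folder: packages sit one level down
      findings.push(...findInstallHooks(pkgDir, scope));
      continue;
    }
    let manifest = null;
    try {
      manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, "package.json"), "utf8"));
    } catch { /* missing or unreadable manifest: nothing to report */ }
    if (manifest && (!scope || String(manifest.name).startsWith(scope + "/"))) {
      for (const hook of INSTALL_HOOKS) {
        const command = manifest.scripts && manifest.scripts[hook];
        if (command) findings.push({ name: manifest.name, version: manifest.version, hook, command });
      }
    }
    findings.push(...findInstallHooks(path.join(pkgDir, "node_modules"), scope)); // nested deps
  }
  return findings;
}

// Constructed sample tree in a temp directory; every name and script is illustrative.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "hooks-"));
  const add = (name, scripts, parent = "") => {
    const dir = path.join(root, "node_modules", parent, name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify({ name, version: "0.0.0", scripts }));
  };
  add("@redhat-cloud-services/example-a", { preinstall: "node setup.js" });
  add("@redhat-cloud-services/example-b", { test: "jest" });
  add("other-pkg", { build: "tsc" });
  add("nested-dep", { postinstall: "node build.js" }, "other-pkg/node_modules");
  return path.join(root, "node_modules");
}

console.log(findInstallHooks(buildSampleTree(), "@redhat-cloud-services"));
```

A hit is a prompt to read the script, not proof of compromise, since many legitimate packages declare install hooks; by the time the tree exists on disk the hook has already run, so this is a triage aid alongside token rotation rather than a replacement for it.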
