Slow Fog: Red Hat cloud service npm package suffers from active supply chain attacks, with stolen credentials found in over 300 GitHub repositories
SlowMist has issued a security alert, detecting an active npm supply chain attack targeting @redhat-cloud-services related packages. Currently, over 31 packages have been confirmed affected, with a weekly download volume of approximately 116,000 times, and stolen credentials exist in more than 300 GitHub repositories. This attack method is highly similar to the previous "Shai-Hulud" npm attack, including credential theft, creation of malicious repositories, and automated secret leakage. New suspicious repositories continue to emerge, indicating that the attack is still ongoing, and developers are still being continuously infected.
Potential harms include: theft of GitHub/npm tokens, leakage of AWS/GCP/Azure cloud credentials, collection of SSH keys and Kubernetes secrets, leakage of local environment and wallet data, creation of malicious repositories and persistence operations, and even potentially destructive actions after tokens are revoked. It is recommended to immediately remove or downgrade affected @redhat-cloud-services package versions, conduct a comprehensive audit of CI/CD workflows and dependency installations, rotate all GitHub, npm, cloud service, SSH, and wallet-related keys, retain logs, and rebuild exposed developer machines or Runners from clean images while maintaining a high level of vigilance.
You may also like
The most secretive AI winner
Former ByteDance employee's account: How I started with two Pinduoduo hard drives and made six times the profit with Seagate to achieve financial freedom?
MiCA reshuffle begins, Binance temporarily bids farewell to the EU
How does Gate redo "buying and selling stocks" from the cryptocurrency world to the stock market?
Visa and Mastercard join 140 giants to launch a new stablecoin, but the impact on the market landscape may still be limited
Circle CEO responds to OUSD's challenge: Stablecoins are a winner-takes-all business, and we will not slow down
Argentina vs Cape Verde: When a Record-Breaking Legend Meets an Unbreakable Underdog
WEEX exclusive pre-match analysis of Argentina vs Cape Verde, exploring Messi-led Argentina’s dominance and Cape Verde’s historic defensive breakout, with a breakdown of volatility, structure, and match dynamics.
