aimode.news

Red Hat Linux users are at risk from attacks via malicious npm packages


Red Hat Linux users are at risk from a hacking attack in which rogue npm packages can infect their systems. The attackers steal credentials in order to access sensitive information, and they did so by misusing Red Hat's official npm account.

Several npm packages in Red Hat's official npm channel, @redhat-cloud-services, contain malicious code that runs automatically every time such a package is installed. The IT security companies Step Security and Aikido discovered this yesterday. npm is the management tool for reusable pieces of JavaScript code, the so-called packages; a package can be a complete application or app, but can also be just a component used by other software.

This hacking attack abuses the supply chain that many developers rely on to build their own products and services. The official Red Hat account in the npm repository has the status of a trusted source for these pieces of code. The malicious code in the 32 infected npm packages is hidden under three layers of concealment designed to fool security scanners.

Once activated, the malware steals login credentials for various developer and cloud services. This includes GitHub Actions, Amazon Web Services, Google Cloud, Microsoft Azure, Kubernetes, HashiCorp Vault, CircleCI, and npm itself. Login details for those services give the attackers access to sensitive information.

Worm functionality

The malware distributed via Red Hat's account is also a so-called worm: code that replicates itself and spreads further. It uses stolen npm access tokens together with npm's built-in ability to bypass two-factor authentication, which lets the malware implant a backdoor into other npm packages on its own. Thanks to this worm functionality, infected computers infect other systems without the attackers having to do so themselves or directly.

It is not yet clear how the attackers gained access to Red Hat's official npm channel. According to Ars Technica, it is almost certain that the credentials for Red Hat's npm account have been compromised. This may be due to a previous supply chain attack. Red Hat confirms the attack, reports that it has removed the infected packages and is investigating the matter.

Attack route with a long run-up

Step Security reports that all infected packages in the @redhat-cloud-services channel originate from the GitHub repository RedHatInsights/javascript-clients, via the OpenID Connect authentication option of the automation tool GitHub Actions. According to Step Security, this attack route indicates that Red Hat's continuous integration and delivery (CI/CD) environment has been compromised. That would mean a long run-up to this hacking attack, which appears to have considerable reach.

Tweakers has previously published a background story on supply chain attacks via npm packages. Last year there were several attacks via this powerful, and therefore risky, system for distributing and using pieces of software code.

![Red Hat Linux users are at risk from attacks via malicious npm packages](https://tweakers.net/ext/i/2008161872.jpeg)
