A recent analysis by SlowMist has uncovered a supply chain poisoning incident involving 32 npm packages and 96 versions published under the Red Hat Cloud Services organization. Malicious code was embedded in otherwise legitimate package versions, which poses serious risks to developers and CI/CD environments.

What Happened

The investigation revealed that the malicious packages contained a multi-layer obfuscated loader that activates during the installation phase. This loader can carry out various harmful actions, including credential harvesting and exfiltration through the GitHub API. The core payloads of the malicious samples were confirmed to include functionality for reading memory from GitHub Actions runners and for propagating through npm.

On-Chain and Web Evidence

The analysis focused on three specific npm packages: @redhat-cloud-services/frontend-components-config (version 6.11.3), @redhat-cloud-services/types (version 3.6.1), and @redhat-cloud-services/rule-components (version 4.7.2). Each package contained a package.json file with a preinstall script that executed a malicious index.js file, triggering the attack without user intervention.

The malicious payload was protected by multiple layers of obfuscation, including ROT/Caesar letter substitution and AES encryption. The core malicious components shared identical hashes across the samples, indicating a consistent attack methodology despite variations in outer-layer packaging.

Why It Matters

This incident underscores the vulnerabilities inherent in the software supply chain, particularly within the npm ecosystem. Developers and organizations relying on third-party packages must exercise caution and implement robust security measures to mitigate risks associated with dependency management.

To protect against similar threats, it is recommended that organizations conduct thorough audits of their dependencies, monitor installation logs for suspicious activity, and isolate any potentially compromised environments before rotating credentials. Additionally, reviewing GitHub repository activities for unauthorized changes is crucial.


Written by TrustSniffer Intelligence

Automated TrustSniffer Intelligence — grounded, attributed analysis of public on-chain and web data.
