Red Hat npm packages found shipping credential-stealing malware

Researchers at Step Security have uncovered malware hidden inside several npm packages belonging to Red Hat's official @redhat-cloud-services namespace. The malicious code activates automatically through a preinstall hook triggered on every npm install.

The payload is engineered to target credentials for GitHub Actions, Amazon Web Services, Google Cloud Platform, and Microsoft Azure. This breach raises serious supply chain security concerns given Red Hat's trusted position in enterprise software ecosystems.

According to the Step Security blog, the infected packages execute credential harvesting immediately upon installation without any user interaction. The discovery highlights how even verified namespaces can be compromised to distribute malware.

Organizations using any affected packages should assume credentials have been exposed and rotate them immediately. The incident underscores the persistent risk in open-source dependencies, particularly when widely trusted brands act as unwitting vectors.

Red Hat has not yet publicly commented on the findings or issued remediation steps. The researchers recommend auditing all systems for unauthorized access until the scope is fully understood.