Microsoft Threat Intelligence reports a significant npm supply chain attack affecting over 90 versions of 32 maliciously modified packages under the @redhat-cloud-services scope. The attackers compromised the CI/CD pipeline of RedHatInsights, allowing trojanized packages with authentic signatures to be published.
These packages executed a heavily obfuscated dropper script upon installation, downloading a secondary payload designed to steal credentials from platforms such as GitHub, AWS, Azure, and Kubernetes. The malware targets secrets, uses privilege escalation techniques, and propagates across repositories, and it includes a destructive mechanism that wipes the victim's home directory when certain conditions are met. The attack affected many developer environments and underscores the need for stronger supply-chain security controls.
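The dropper described above ran as an npm install-time lifecycle script, so one practical defensive check is to audit the manifests in a dependency tree for `preinstall`/`install`/`postinstall`/`prepare` hooks and flag packages in a watched scope or hooks whose commands look like an obfuscated loader. The script below is an added example, not code from the report or from any RedHatInsights project; the manifests, package names (`left-pad-ish`, `node-gyp-ish`, `@example-scope/placeholder-package`) and the `@example-scope` watch list are constructed for illustration, and the regex indicators are heuristics to prioritise review, not proof of compromise.

```javascript
// Added example: audit npm package manifests for install-time lifecycle hooks.
// Manifests are constructed in memory so this runs offline; in practice you
// would walk node_modules (or unpack tarballs from package-lock.json) and read
// each package.json before allowing scripts to run.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators of a loader-style hook: inline node execution, a
// download piped into a shell, eval, or a base64-decoded payload.
const SUSPICIOUS = [
  /\bnode\s+-e\b/,                         // inline JavaScript via node -e
  /\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b/,  // remote download piped to a shell
  /\beval\s*\(/,                           // dynamic code evaluation
  /\bBuffer\.from\([^)]*base64/,           // base64-decoded embedded payload
];

// Audit one parsed package.json object. watchedScopes holds npm scopes under
// heightened scrutiny (for the incident above that would be "@redhat-cloud-services").
function auditManifest(manifest, watchedScopes = []) {
  const findings = [];
  const scripts = manifest.scripts || {};
  const name = manifest.name || "<unnamed>";
  const scope = name.startsWith("@") ? name.split("/")[0] : null;
  const inWatchedScope = scope !== null && watchedScopes.includes(scope);

  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const indicators = SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source);
    findings.push({
      package: name,
      version: manifest.version,
      hook,
      command: cmd,
      indicators,
      // Any install hook in a watched scope is high severity regardless of the
      // command text, because scope-wide CI/CD compromise was the reported pattern.
      severity: inWatchedScope || indicators.length > 0 ? "high" : "review",
    });
  }
  return findings;
}

// Audit a whole tree of parsed manifests.
function auditTree(manifests, watchedScopes = []) {
  return manifests.flatMap((m) => auditManifest(m, watchedScopes));
}

// Constructed sample manifests (names, versions and commands are invented).
const SAMPLE_MANIFESTS = [
  { name: "left-pad-ish", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "node-gyp-ish", version: "2.0.0", scripts: { install: "node-gyp rebuild" } },
  {
    name: "@example-scope/placeholder-package",
    version: "0.0.1",
    scripts: { postinstall: "node -e \"eval(Buffer.from('...','base64').toString())\"" },
  },
];

for (const f of auditTree(SAMPLE_MANIFESTS, ["@example-scope"])) {
  console.log(`[${f.severity}] ${f.package}@${f.version} ${f.hook}: ${f.command}`);
}
```

A legitimate native-addon build (`node-gyp rebuild`) still surfaces as a `review` finding, which is intentional: every install hook is code that runs with the developer's credentials. The cheapest blanket mitigation for the install-time execution this report describes is `ignore-scripts=true` in `.npmrc` (or `npm ci --ignore-scripts`), with the few packages that genuinely need build hooks handled explicitly.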