www.stepsecurity.io 4/14/2026, 11:41:19 PM

Traefik Helm Chart Supply Chain Attack: Malicious Chart Planted in Deprecated Kubernetes Repository


According to StepSecurity, a malicious Traefik Helm chart (version 39.0.7) was planted in the deprecated Kubernetes stable repository hosted at storage.googleapis[.]com/kubernetes-charts, a bucket archived in 2020 but still trusted by millions of pipelines. The compromise injects a file named templates/helm-config.yaml, which delivers a pre-install Kubernetes Job designed to harvest credentials and exfiltrate them to http://rspds[.]de/report, with data sent to the C2 server at 51.15.242[.]87 via an HTTP POST.

The exfiltration domain rspds[.]de, registered on 9 April 2026, points to a Scaleway VPS in Paris, where a DNS-based fallback on port 53 is also present. Attack activity began by 13 April 2026. The official Traefik v39.0.7 chart, released on 30 March 2026, is contrasted with the fabricated version served from the deprecated bucket; the official SHA256 fingerprint is 55a7384ae3a69af13e7dd7f898304a1f9890791e6712774635cd3a2df34da4c8. Organizations are urged to run helm repo list and to rotate credentials if deprecated URLs are detected.
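
One way to automate the helm repo list check above and compare a pulled chart against the quoted fingerprint. This is an added example, not code from StepSecurity or the Traefik project. Assumptions: the function names are hypothetical, the legacy hostname form of the bucket URL is added from general knowledge, and the quoted SHA256 is taken to be the digest of the chart archive (.tgz).

```shell
#!/bin/sh
# Added example: flag Helm repos served from the deprecated Kubernetes
# "stable" bucket and compare a chart archive with the official fingerprint.

# Official Traefik v39.0.7 SHA256 fingerprint, as quoted in the article.
OFFICIAL_SHA256="55a7384ae3a69af13e7dd7f898304a1f9890791e6712774635cd3a2df34da4c8"

# Two URL forms of the archived bucket: the path form is the one in the
# article; the hostname form is the legacy stable-repo address (assumption).
DEPRECATED_RE='^https?://(storage\.googleapis\.com/kubernetes-charts|kubernetes-charts\.storage\.googleapis\.com)(/|$)'

# Reads `helm repo list` table output on stdin and prints "name url" for
# every repo whose URL matches the deprecated bucket.
# Returns 1 if any match was found (so a CI step fails), 0 otherwise.
flag_deprecated_repos() {
  found=0
  while read -r repo_name repo_url _ || [ -n "$repo_name" ]; do
    [ "$repo_name" = "NAME" ] && continue   # skip the header row
    [ -z "$repo_url" ] && continue          # skip blank or malformed rows
    if printf '%s\n' "$repo_url" | grep -Eiq "$DEPRECATED_RE"; then
      printf '%s %s\n' "$repo_name" "$repo_url"
      found=1
    fi
  done
  return "$found"
}

# Returns 0 only if the archive's SHA256 equals the official fingerprint;
# a mismatch or an unreadable file returns 1.
chart_matches_official() {
  digest=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
  [ "$digest" = "$OFFICIAL_SHA256" ]
}

# Typical use on a workstation or CI runner:
#   helm repo list | flag_deprecated_repos || echo "deprecated repo configured"
#   chart_matches_official traefik-39.0.7.tgz || echo "digest mismatch"
```

A hit from either check means the chart source needs review and, as the report advises, credentials reachable from that pipeline should be rotated.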


Article by CyberSIXT