On June 1, 2026, Red Hat's npm namespace was hijacked, leading to the distribution of malicious packages designed to steal developer credentials and cloud secrets. The attack involved publishing 32 compromised packages within 72 seconds, leveraging Red Hat's trusted ecosystem and utilizing an obfuscated preinstall script that ran automatically during installation. The malware aims to collect keys and tokens from developers' machines and attempt to spread further.
Researchers highlighted the breach of GitHub Actions OIDC tokens for publishing, raising concerns over the security of trusted publishing methods. Organizations are advised to audit their systems and credentials as a precaution against potential compromises.
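As a starting point for that audit, the following added example (not code from the report or from Red Hat) walks an installed `node_modules` tree and lists every package that declares a script npm runs automatically at install time, which is the mechanism the preinstall payload relied on. The function names, the `@example-scope` scope and the sample packages are constructed placeholders, not indicators from the incident.

```python
import json
import os
import tempfile

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def is_package_root(path):
    """True for node_modules/<name> and node_modules/@scope/<name>."""
    parent, leaf = os.path.split(path)
    if os.path.basename(parent).startswith("@"):
        parent = os.path.dirname(parent)  # step over the scope directory
    return os.path.basename(parent) == "node_modules" and not leaf.startswith("@")

def find_install_hooks(root, scope=None):
    """Sorted (name, version, hook, command) for packages with install-time scripts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files or not is_package_root(dirpath):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
            scripts = manifest.get("scripts") or {}
            name, version = str(manifest.get("name", "")), str(manifest.get("version", "?"))
            hooks = [(h, str(scripts[h])) for h in INSTALL_HOOKS if h in scripts]
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        if scope is None or name.startswith(scope + "/"):
            findings += [(name, version, h, cmd) for h, cmd in hooks]
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data; every package name here is a placeholder."""
    nm = "node_modules"
    samples = [
        (f"{nm}/@example-scope/cli", "@example-scope/cli", {"preinstall": "node setup.js"}),
        (f"{nm}/plain-pkg", "plain-pkg", {"test": "node test.js"}),
        (f"{nm}/plain-pkg/{nm}/native-pkg", "native-pkg", {"install": "node-gyp rebuild"}),
    ]
    for rel, name, scripts in samples:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": "1.0.0", "scripts": scripts}, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*find_install_hooks(tmp), sep="\n")
```

A hit is a lead to review, not proof of compromise, since many legitimate packages use install hooks for native builds. Setting npm's `ignore-scripts` option keeps these hooks from running during installation while the review is under way.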