Multiple redhat-cloud-services npm packages compromised (StepSecurity Blog)
StepSecurity is reporting that a number of npm packages in the @redhat-cloud-services scope include malware that runs automatically on every npm install:
The payload is a multi-stage credential harvester that sweeps GitHub Actions secrets along with AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm, and CircleCI tokens, and it is purpose-built to evade detection, including an explicit attempt to bypass StepSecurity Harden-Runner.
StepSecurity analyzed @redhat-cloud-services/host-inventory-client@5.0.3 in full. Its index.js, executed at install time, is 4.2 MB, a file that should weigh a few kilobytes, with the real payload buried under three separate layers of obfuscation. The malware is also a self-propagating worm: using stolen npm tokens and npm's bypass_2fa parameter, it republishes backdoored versions of other packages on its own, even against accounts protected by two-factor authentication, so every infected machine can seed the next wave with no attacker involvement. All affected packages were published via GitHub Actions OIDC from the RedHatInsights/javascript-clients repository, indicating the upstream CI/CD pipeline itself was compromised. Analysis of the remaining packages is ongoing.
A blog post from SafeDep has additional analysis of the incident. We did not find an advisory from Red Hat on this yet.