Malware Found in 32 Red Hat NPM Packages

Red Hat Cloud Services faced a security breach in which attackers abused the GitHub Actions workflows of repositories owned by Red Hat Insights. This allowed them to publish 64 malicious versions to the NPM registry, affecting 32 NPM packages for Red Hat Cloud Services. Two malicious versions were released for each affected NPM package, containing code that activates a new variant of the mini-shai-hulud worm, which searches the host for tokens and credentials.

The worm was embedded in the package's index.js file and executed through a preinstall script hook when the affected package was installed. Once activated, the worm scanned the system for tokens and credentials, including those for NPM, PyPI, CircleCI, AWS, GCP, Docker, Azure, HashiCorp, Kubernetes (K8s), and SSH private keys. The collected data was then sent to the attackers. If an NPM registry token was found, the worm automatically published new malicious releases of the packages available in the current environment, so the infection propagated along the dependency tree.

The breach occurred because the attackers gained access to GitHub Actions by compromising the account of a Red Hat employee. With that access they could push commits directly to repositories such as javascript-clients, frontend-components, and platform-frontend-ai-toolkit without going through the normal review process. The compromised commits launched a script that used GitHub's OIDC token to authenticate to NPM through the trusted publishing mechanism, so no long-lived NPM token needed to be stolen for the publish step itself.

The NPM packages affected by the breach include:

  • @redhat-cloud-services/chrome (2.3.1, 2.3.2)
  • @redhat-cloud-services/compliance-client (4.0.3, 4.0.4)
  • @redhat-cloud-services/config-manager-client (5.0.4, 5.0.5)
  • @redhat-cloud-services/entitlements-client (4.0.11, 4.0.12)
  • @redhat-cloud-services/eslint-config-redhat-cloud-services (3.2.1, 3.2.2)
  • @redhat-cloud-services/frontend-components (7.7.2, 7.7.3)
  • @redhat-cloud-services/frontend-components-advisor-components (3.8.2)
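As an added example (not code from the article, from Red Hat, or from the worm), the following Node.js snippet audits a package-lock.json (lockfileVersion 2 or 3) for the malicious versions listed above and also surfaces any dependency that declares an install script, since the worm ran from a preinstall hook. The affected list copies the article's entries; the sample lockfile is constructed.

```javascript
// Added example, not part of the article. Audits a package-lock.json object
// for the malicious versions the article lists and for packages that declare
// install scripts (the worm ran from a preinstall hook).
const AFFECTED = {
  "@redhat-cloud-services/chrome": ["2.3.1", "2.3.2"],
  "@redhat-cloud-services/compliance-client": ["4.0.3", "4.0.4"],
  "@redhat-cloud-services/config-manager-client": ["5.0.4", "5.0.5"],
  "@redhat-cloud-services/entitlements-client": ["4.0.11", "4.0.12"],
  "@redhat-cloud-services/eslint-config-redhat-cloud-services": ["3.2.1", "3.2.2"],
  "@redhat-cloud-services/frontend-components": ["7.7.2", "7.7.3"],
  "@redhat-cloud-services/frontend-components-advisor-components": ["3.8.2"],
};

// Lockfile entry keys look like "node_modules/@scope/name" or
// "node_modules/a/node_modules/@scope/name" (nested install); the package
// name is whatever follows the last "node_modules/". The root entry is "".
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding per suspicious entry: an exact match against the
// known-malicious versions, or a package that runs an install script and
// therefore deserves review before the next `npm install`.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name) continue; // skip the root project entry
    if (AFFECTED[name] && AFFECTED[name].includes(entry.version)) {
      findings.push({ name, version: entry.version, reason: "known-malicious-version" });
    } else if (entry.hasInstallScript) {
      findings.push({ name, version: entry.version, reason: "declares-install-script" });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment for demonstration only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/frontend-components": { version: "7.7.3", hasInstallScript: true },
    "node_modules/@redhat-cloud-services/chrome": { version: "2.3.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/esbuild": { version: "0.19.0", hasInstallScript: true },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

In a real run, read the project's package-lock.json with `JSON.parse(fs.readFileSync(...))` and pass it to `auditLockfile`; the `hasInstallScript` flag is what npm itself records for packages with preinstall/install/postinstall scripts.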