Post Syndicated from jzb original https://lwn.net/Articles/1075742/

StepSecurity is reporting
that a number of npm packages in the @redhat-cloud-services
scope include malware that runs automatically on every npm
install:

The payload is a multi-stage credential harvester that sweeps
GitHub Actions secrets along with AWS, GCP, Azure, Kubernetes,
HashiCorp Vault, npm, and CircleCI tokens, and it is purpose-built to
evade detection, including an explicit attempt to bypass StepSecurity
Harden-Runner.

StepSecurity analyzed @redhat-cloud-services/[email protected] in full. Its
index.js, executed at install time, is 4.2 MB, a file that should
weigh a few kilobytes, with the real payload buried under three
separate layers of obfuscation. The malware is also a self-propagating
worm: using stolen npm tokens and npm’s bypass_2fa parameter, it
republishes backdoored versions of other packages on its own, even
against accounts protected by two-factor authentication, so every
infected machine can seed the next wave with no attacker
involvement. All affected packages were published via GitHub Actions
OIDC from the RedHatInsights/javascript-clients repository, indicating
the upstream CI/CD pipeline itself was compromised. Analysis of the
remaining packages is ongoing.

A blog
post from SafeDep has additional analysis about the incident. We did not find an advisory from Red Hat on this yet.