Posted by kurmiashish 1 day ago

Malicious npm packages detected across Red Hat Cloud Services (github.com)
659 points | 356 comments (page 3)
arianvanp 1 day ago|
Given they use nx, my bet is on a developer laptop compromise through the nx vscode extension that also compromised a GitHub engineer's laptop.
dist-epoch 1 day ago|
The security of their packages should not depend on one laptop being compromised.
czbond 1 day ago||
Podman? Podman for OSX comes with a login item from "Red Hat, Inc". Anyone know how to check if this subcomponent utilizes these npms?
zeraye 1 day ago||
There is some effort to make NPM more secure https://github.com/npm/cli/pull/9360.
general_reveal 1 day ago||
That’s why I switched to Java.
Rp8yXmdmr 1 day ago||
You are absolutely right. The dangerous part of NPM packages is the post-install script. Therefore moving from JavaScript to Java removes the threat.
OrangeMusic 13 hours ago|||
You joke, but, yeah, when you think about it, the problem with JavaScript is the 'script' part. That's actually correct.
grezql 1 day ago|||
[dead]
keyle 1 day ago|||

    AbstractFinalFactoryShaiHuludSerialisedFactory
exabrial 1 day ago|||
https://dayssincelastjavascriptframework.com
general_reveal 1 day ago|||
Yeah but you don’t have to use that I think. I think us Node people can just pretend to write Ecmascript 2 in Java and be fine.
UqWBcuFx6NV4r 1 day ago|||
…. lol
mschuster91 1 day ago||
Meh, Maven plugins are just as juicy a target as npm is.
exabrial 1 day ago|||
https://github.com/s4u/pgpverify-maven-plugin

If you want paranoid mode, you can verify literally every part of the maven build process.

general_reveal 1 day ago|||
What do you recommend?
phishin 1 day ago||
Chainguard-based images, packages and libraries are the first line of defense. Expensive? Yes. Foolproof? No. I think these types of services will be mandatory in the near future.
dralley 1 day ago|
How would that help? These are not general purpose, base system libraries, these are libraries specific to a product that uses them. Either you're not using them and hence they would not be installed in the first place, or you're using them because you have the product installed.

Though I would expect that Insights uses RPM packages to ship components and not the public NPM packages.

SSLy 1 day ago||
It wouldn't surprise me if Insights was in fact a wrapper around npm install.
cozzyd 1 day ago||
https://access.redhat.com/articles/7139622
paulbjensen 1 day ago||
Looks like RedHat got compromised by a Black Hat…
freakynit 1 day ago||
Lol.. yet again npm and install-scripts abuse at play.

Updated:

1. All exploitation techniques used since May 2025: https://npm-supply-chain-attack-techniques.pagey.site/

2. All attacks that happened since May 2025: https://npm-supply-chain-attacks-25-26.pagey.site/

wg0 1 day ago||
Question - is there no way to catch these criminals?
a13n 1 day ago|
It’s difficult to determine which individuals are involved and even if you manage to do that they almost certainly live in countries without extradition.
ex-aws-dude 1 day ago|
Has anyone thought of having an agent review all dependency upgrades before upgrading?

I feel like that would at least catch some of these.

insanitybit 23 hours ago||
Yes, I do this. It absolutely would catch some of these.
asxndu 1 day ago||
[dead]