
MALWARE IN NPM PACKAGES TARGETS CLOUD CREDENTIALS

DEV DESK · 2 MIN READ
MON, JUN 1, 2026

■ AI-SUMMARIZED FROM 4 SOURCES

Researchers discovered malicious packages in the @redhat-cloud-services npm namespace that harvest credentials for GitHub Actions, AWS, GCP, Azure, and other cloud platforms. The malware executes via preinstall hooks during npm installation.

Security researchers at Step Security identified several packages within the @redhat-cloud-services npm scope containing malicious payloads designed to steal credentials from major cloud platforms and development tools. The attack exploits npm's preinstall hook mechanism, which runs automatically when developers install packages. This approach allows the malware to execute before users notice suspicious activity, making detection difficult.

Targeted credentials include authentication tokens for:
- GitHub Actions
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
- Microsoft Azure
- Additional cloud and development platforms

The @redhat-cloud-services namespace suggests the packages were designed to appear legitimate to developers working with Red Hat services. This typosquatting-adjacent technique leverages the trust associated with established organizations to increase installation rates. Once installed, the preinstall hook fires on every npm install command, potentially compromising credentials across multiple machines and development environments. Stolen credentials could grant attackers access to cloud infrastructure, CI/CD pipelines, and sensitive project resources.

The discovery highlights ongoing supply chain vulnerabilities in the npm ecosystem. Developers installing packages from compromised namespaces face significant risk, particularly when packages request broad permissions or execute code during installation phases.

Step Security recommends developers:
- Audit recent npm installations
- Review cloud platform access logs for suspicious activity
- Rotate credentials if exposed
- Implement package verification tools
- Monitor preinstall hook execution

npm has not yet published an official advisory at the time of reporting. The incident underscores the importance of scrutinizing package sources and implementing security checks in dependency management workflows.

■ SOURCES

Techmeme (4 links)

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE
