32 Red Hat NPM packages delivered credential‑stealing worm

72‑second push via likely GitHub Actions OIDC: 96 malicious builds across 32 Red Hat NPM packages carried a Mini Shai‑Hulud preinstall worm stealing CI/CD, npm and cloud/K8s creds. Assume compromise—rotate keys, update packages, harden Terraform/Terragrunt; GDPR/NIS2/PCI risk for Romania/EU multi‑cloud.

LoG Soft Grup

In brief

  • Attackers published 96 malicious builds across 32 Red Hat NPM packages within 72 seconds, using preinstall hooks to deliver a credential‑stealing Mini Shai‑Hulud worm.
  • This compromises CI/CD pipelines and widely used libraries with nearly ten million downloads, exposing GitHub Actions secrets, cloud credentials and at least 210 infected developer repositories.
  • Leaders should assume CI/CD compromise, rotate keys, update to clean packages, audit Actions, and harden Terraform/Terragrunt pipelines; engage LoG Soft Grup for multi‑cloud, PCI/GDPR/NIS2 recovery.
  • For Romania/EU regulated estates, accelerate breach reporting, forensic evidence preservation and FinOps‑aware remediation to limit GDPR/NIS2/PCI fines; LoG Soft Grup supports EU delivery.

The problem

Attackers pushed 96 malicious builds across 32 Red Hat NPM packages in a 72‑second window, delivering a preinstall‑hook variant of the Mini Shai‑Hulud worm that can harvest GitHub Actions secrets, npm tokens and cloud/Kubernetes credentials—creating immediate operational exposure and GDPR/NIS2/PCI breach‑notification risk for Romania/EU multi‑cloud estates (AWS/Azure/VMware). Regulated and multi‑cloud teams should assume CI/CD and build systems are compromised and act now; this article explains the practical, ordered steps to contain and remediate (rotate keys, update to clean releases, audit Actions and transitive deps, preserve forensics, and harden Terraform/Terragrunt pipelines) and when to engage LoG Soft Grup for EU‑delivered, FinOps‑aware response and compliance support.

Why this happens

The real mechanism: attackers appear to have compromised CI/CD and used GitHub Actions OIDC to push 96 malicious builds across 32 Red Hat NPM packages in a 72‑second, automated burst—likely leveraging access to the @redhat-cloud-services NPM scope. The malware lived in a preinstall hook (so it ran during npm install, before any library import), harvested GitHub Actions secrets, npm tokens, cloud/Kubernetes/Vault credentials, SSH and Git material, exfiltrated data to an attacker server with a GitHub fallback that published stolen info to public repos, and included logic to enumerate repositories, modify workflows and plant malicious payloads; Ox Security’s finding of 210 repos with stolen credentials shows build and developer environments were already infected. The common mistaken assumption: treating third‑party package installs as low‑risk or trusting vendor provenance leads teams to underestimate attacker reach—preinstall hooks run in build/install contexts and a CI/CD token compromise can turn a trusted package into a mass‑infection vector that hits transitive consumers and pipelines. For Romania/EU regulated, multi‑cloud estates, assume CI/CD/build systems are compromised, rotate keys now, update to clean releases, audit GitHub Actions and transitive deps, harden Terraform/Terragrunt pipelines, preserve forensics and accelerate GDPR/NIS2/PCI reporting; engage LoG Soft Grup for EU‑delivered, FinOps‑aware recovery, pipeline hardening, documentation and knowledge transfer.

Framework

Assume CI/CD Compromise

Treat build and CI systems as breached: revoke and rotate GitHub Actions OIDC trusts, npm tokens and cloud keys immediately, prioritising credentials with largest blast radius; this stops ongoing exfiltration and reduces GDPR/NIS2/PCI breach exposure for Romania/EU estates. Engage LoG Soft Grup for rapid credential orchestration and assisted containment to get keys rotated with minimum operational disruption.

Harden Terraform/Terragrunt Pipelines

Lock down pipeline identity and provenance: enforce least‑privilege OIDC, short‑lived provider credentials, signed modules, locked Terraform/Terragrunt state and module checksums across AWS/Azure/VMware to prevent pipeline hijack and malicious module publication. This reduces attack surface for multi‑cloud estates and is a quick, measurable way to lower future supply‑chain risk and remediation cost.

Contain Build‑Time Execution

Eliminate or isolate preinstall execution paths in CI: run installs in immutable, minimal build containers with no host mounts, forbid arbitrary lifecycle hooks, require SBOMs and package integrity checks, and map transitive dependencies to consuming pipelines. A systems‑thinking view that ties dependency graphs to pipeline boundaries prevents a single malicious publish from cascading across the estate.

Secrets & Key Hygiene

Rotate and revoke exposed secrets immediately, enable secret scanning, move to vaulted short‑lived credentials and granular token scopes, and prioritise rotations by blast radius to control FinOps impact. These capability‑building steps reduce future credential theft impact and create measurable decreases in incident surface over time; LoG Soft Grup can help implement vaulting, automated rotation and secret‑scanning workflows.

Forensics, Reporting & Runbooks

Preserve logs, collect CI/build artifacts, snapshot infected workstations, document timeline and notify your DPO to accelerate GDPR/NIS2/PCI reporting; update incident runbooks and run tabletop drills to shorten time‑to‑remediation. Building documented runbooks and EU‑delivered incident response capability (LoG Soft Grup available for compliant forensics and knowledge transfer) converts one‑off recovery into resilient practice.

How to get started

  1. Revoke and rotate GitHub Actions OIDC trusts, npm tokens, and cloud API keys immediately.
  2. Update all projects to Red Hat clean package versions and rebuild CI images within 24 hours.
  3. Preserve CI/build logs, snapshot infected hosts, and document timeline for GDPR/NIS2/PCI reporting.
  4. Audit GitHub Actions workflows and commit history for unauthorized modifications; quarantine affected repositories.
  5. Lock Terraform/Terragrunt modules with signed checksums, enforce least‑privilege OIDC, and rotate provider credentials.

Risks & trade-offs

  • Assuming CI/CD/build systems are uncompromised (no immediate rotation of OIDC tokens, npm tokens or cloud keys) lets preinstall‑hook malware harvest secrets and propagate across repos and pipelines, creating broad incident blind spots; this is amplified by unmanaged multi‑cloud complexity. LoG Soft Grup can assist with rapid credential orchestration and containment.: incident blind spots
  • Failing to lock Terraform/Terragrunt pipelines, enforce signed modules and least‑privilege OIDC allows attackers to inject or modify infrastructure as code, leading to service outages and difficult rollbacks—reflecting Terraform/Terragrunt drift and brittle infra. LoG Soft Grup helps harden pipelines, enforce checksums and reduce IaC drift.: downtime
  • Not rotating exposed keys or moving to vaulted, short‑lived credentials enables attackers to run or exfiltrate cloud resources, driving unexpected consumption and sustained access—an outcome of rising cloud spend without FinOps controls. LoG Soft Grup can implement vaulting, automated rotation and FinOps‑aware remediation to limit leakage.: cost leakage
  • Neglecting log preservation, forensic snapshots and prompt DPO notification delays GDPR/NIS2/PCI breach reporting and weakens evidentiary posture, increasing regulatory exposure; this reflects a weak PCI/GDPR/NIS2 posture. LoG Soft Grup provides EU‑delivered forensics, runbook support and compliance‑aware reporting.: compliance exposure
  • Operating without documented incident runbooks, tested playbooks and knowledge transfer (especially where AI or dev infra is brittle) prolongs containment and forces conservative rollbacks, slowing deployments and recovery—rooted in missing documentation/runbooks. LoG Soft Grup helps build runbooks, run drills and speed recovery to restore release cadence.: slower release cadence
  • Strategic zoom-out

    Over the next 12–24 months this incident should push organisations to materially change their operating model—treat CI/CD as a regulated perimeter, bake least‑privilege OIDC and short‑lived provider credentials into Terraform/Terragrunt lifecycles, require signed modules and locked state across AWS/Azure/VMware, and run installs in immutable build images with enforced SBOM and lifecycle‑hook policies—while reallocating budget and governance to measurable outcomes (e.g., mean time to revoke/rotate credentials reduced from days to hours, percentage of modules signed). Talent needs will shift from generalist DevOps to focused pipeline‑security engineers and an on‑call incident‑response roster with EU forensic capability; where hiring is hard, plan structured upskilling and retained vendor support. Vendor strategy must add contractual supply‑chain guarantees (SBOMs, provenance, right‑to‑audit, short lead‑times for patches) and prefer partners who support multi‑cloud Terraform/Terragrunt controls and PCI/GDPR/NIS2 evidence collection. Governance and compliance will require updated runbooks, DPO engagement paths, routine tabletop drills, and documented telemetry for prompt GDPR/NIS2/PCI reporting—tied to clear metrics and approval gates before restoring CI trust. Investment discipline should prioritise vaulted secret management, automated rotation, FinOps controls to contain cloud cost leakage from credential misuse, and readiness for AI workloads (model repo protections, secret isolation for inference/training pipelines). For Romania/EU estates, engage an EU‑delivered partner to accelerate this work: LoG Soft Grup can provide hands‑on Terraform/Terragrunt pipeline hardening, rapid credential orchestration, compliant forensics and documentation/knowledge transfer to embed these capabilities without blowing the FinOps budget.

    Next steps we recommend

    If you manage Romania/EU regulated multi‑cloud estates, consider a short InfraShield sprint with LoG Soft Grup to validate whether CI/CD/build systems were compromised, prioritise OIDC/npm/token rotations and preserve EU‑compliant forensic evidence for GDPR/NIS2/PCI reporting. The sprint can produce a prioritized, practical remediation plan focused on Terraform/Terragrunt pipeline hardening and credential orchestration.

    Book assessment