{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@redhat-cloud-services-namespace/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@redhat-cloud-services namespace"],"_cs_severities":["medium"],"_cs_tags":["npm","supply-chain","package-hijacking"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA new wave of malicious activity has been reported targeting the npm ecosystem. This incident involves the hijacking of multiple packages within the legitimate \u003ccode\u003e@redhat-cloud-services\u003c/code\u003e namespace. While the specifics of the malicious code\u0026rsquo;s functionality are not detailed in this brief, the compromise of a trusted namespace poses a significant supply chain risk. Developers and organizations using these packages may unknowingly introduce malicious code into their projects, potentially leading to data theft, system compromise, or other malicious activities. This incident underscores the importance of supply chain security and the need for robust package verification mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to the npm account or credentials associated with the \u003ccode\u003e@redhat-cloud-services\u003c/code\u003e namespace.\u003c/li\u003e\n\u003cli\u003eCompromised account is used to publish malicious versions of existing packages within the namespace.\u003c/li\u003e\n\u003cli\u003eDevelopers unknowingly install the compromised packages as dependencies in their projects using \u003ccode\u003enpm install\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the hijacked package is executed during the build or runtime of the application.\u003c/li\u003e\n\u003cli\u003eMalicious code performs an action, such as exfiltrating environment variables or other sensitive data.\u003c/li\u003e\n\u003cli\u003eData is sent to attacker-controlled infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe hijacking of npm packages within the \u003ccode\u003e@redhat-cloud-services\u003c/code\u003e namespace can have significant consequences. Developers and organizations that rely on these packages may unknowingly introduce malicious code into their projects. This can lead to data theft, system compromise, or other malicious activities. The scope of the impact depends on the popularity and usage of the compromised packages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for unexpected versions or changes in dependencies, especially within the \u003ccode\u003e@redhat-cloud-services\u003c/code\u003e namespace (see rules below).\u003c/li\u003e\n\u003cli\u003eImplement software composition analysis (SCA) tools to detect known vulnerabilities and malicious code in npm packages.\u003c/li\u003e\n\u003cli\u003eEnable logging of npm package installations and usage to facilitate incident investigation.\u003c/li\u003e\n\u003cli\u003eRegularly audit npm dependencies to identify and remove any suspicious or unnecessary packages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T22:26:22Z","date_published":"2026-06-01T22:26:22Z","id":"https://feed.craftedsignal.io/briefs/2026-06-redhat-npm-hijack/","summary":"Multiple npm packages within the legitimate @redhat-cloud-services namespace have been hijacked with malicious code, posing a supply chain risk.","title":"Red Hat Cloud Services npm Packages Hijacked","url":"https://feed.craftedsignal.io/briefs/2026-06-redhat-npm-hijack/"}],"language":"en","title":"CraftedSignal Threat Feed — @Redhat-Cloud-Services Namespace","version":"https://jsonfeed.org/version/1.1"}