npm: 4 articles
Red Hat npm Packages Backdoored in Supply Chain Attack Stealing Cloud Credentials
Over 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were backdoored in a supply-chain attack, after attackers compromised a Red Hat employee's GitHub account and used it to publish malicious package versions containing credential-stealing malware. The malware, dubbed "Miasma," is a variant of the Shai-Hulud framework and was designed to steal a wide range of sensitive data including cloud credentials, SSH keys, CI/CD tokens, and environment files from developers who installed the affected packages. Red Hat removed the compromised packages and stated that they were limited to internal development tooling with no confirmed impact on customer environments, though the investigation remains ongoing.
How One Unrotated Token Gave Hackers Access to Grafana's Codebase
Grafana's data breach stemmed from a single GitHub workflow token that was accidentally missed during a credential rotation following the TanStack npm supply-chain attack, in which malicious packages infected with credential-stealing malware exfiltrated tokens from Grafana's CI/CD environment. The overlooked token allowed attackers to access private repositories, from which they stole source code and internal business contact information, though no customer production data or systems were compromised. Grafana confirmed that its codebase was not modified during the incident, meaning downloaded code remains safe, and users are not required to take any action.
Another npm Account Hijacked, 314 Packages Poisoned in Under Half an Hour
A compromised npm account infected 314 JavaScript packages — including popular ones like size-sensor and echarts-for-react with millions of monthly downloads — with malware that steals credentials for cloud platforms, GitHub, and npm, and uses GitHub as a command-and-control backdoor. The attack, which unfolded in just 22 minutes, follows the same pattern as a similar incident three weeks ago and is part of an ongoing wave of npm supply chain attacks dubbed "Shai-Hulud." Developers who installed affected versions are advised to rotate all credentials, while npm owner GitHub has said little about the continuing series of incidents.
OpenAI Hit by TanStack Supply Chain Attack After Two Employee Machines Infected
OpenAI confirmed it was caught up in the "Mini Shai-Hulud" npm supply chain attack, in which malware hidden in compromised TanStack packages reached two employee devices and allowed attackers to steal a limited amount of internal credentials. The two affected machines had not yet received updated supply chain security controls that would have blocked the malicious dependency. As a precaution, OpenAI is rotating signing certificates for several desktop products — including ChatGPT Desktop, Codex App, and Codex CLI — and says there is no evidence that customer data or production systems were compromised.