Red Hat hit by npm supply-chain attack - here's how to stay safe

ZDNET's key takeaways

  • Red Hat was the victim of an npm security breach.
  • The company has removed the affected packages.
  • Check whether you use the @redhat-cloud-services npm namespace.

The npm registry -- the package manager for the JavaScript runtime Node.js -- is infamous for security breaches. Now Red Hat, which together with IBM just announced Project Lightwell, an AI-powered initiative to find and fix open-source software vulnerabilities, has an npm problem of its own.


Dozens of JavaScript packages in the company's @redhat-cloud-services namespace were backdoored with credential-stealing malware targeting secrets on Red Hat developers' systems and in continuous integration and continuous deployment (CI/CD) systems. The security research company Aikido reported that the namespace was "compromised with a credential-stealing worm. In total, 96...

Copyright of this story solely belongs to zdnet.com.