Dozens of Red Hat packages backdoored through its official NPM channel
Anyone who has downloaded affected Red Hat packages should investigate immediately.
Official Red Hat NPM accounts have been compromised and used to push a malicious worm that spreads from machine to machine, where it pilfers sensitive credentials in hopes of stealing yet more confidential data, researchers said. The supply-chain attack began Monday and remained active at the time this post went live, according to researchers at security firm Aikido. It’s the result of the threat actor responsible for the hack taking control of @redhat-cloud-services, a legitimate channel in the npm repository that’s reserved for official Red Hat packages. As such, the channel is widely trusted by developers who rely on Red Hat cloud services.

The vicious cycle of today’s supply-chain attacks

It’s unclear precisely how the threat actor took control of the namespace, but it almost certainly involved the compromise of credentials required to access it, possibly through a previous supply-chain attack. More than 30 packages seem to be affected.
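
An inventory check for the scope named above, as an added example that is not from the article or from Aikido: it lists every @redhat-cloud-services package recorded in an npm lockfile, including copies nested under other dependencies, so the installed versions can be compared against the published list of affected releases. The sample lockfile and the package names example-a and example-b are constructed, and the function name findScopedPackages is hypothetical.

```javascript
const SCOPE = '@redhat-cloud-services'; // scope named in the article
const NM = 'node_modules/';

// Return every package under `scope` that a parsed package-lock.json records.
function findScopedPackages(lock, scope = SCOPE) {
  const prefix = scope + '/';
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.includes(NM)) continue; // root project or workspace folder
    // npm records "name" only when the folder name differs (aliased install).
    const name = meta.name || path.slice(path.lastIndexOf(NM) + NM.length);
    if (name.startsWith(prefix)) {
      hits.push({ name, version: meta.version, path, resolved: meta.resolved || null });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree. Version 2 keeps a copy of it
  // for compatibility, so walk it only when "packages" is absent.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + NM + name;
      if (name.startsWith(prefix)) {
        hits.push({ name, version: meta.version, path, resolved: meta.resolved || null });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Constructed sample lockfile; package names are placeholders, not affected packages.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/example-a': { version: '1.2.3',
      resolved: 'https://registry.npmjs.org/@redhat-cloud-services/example-a/-/example-a-1.2.3.tgz' },
    'node_modules/left': { version: '2.0.0' },
    'node_modules/left/node_modules/@redhat-cloud-services/example-b': { version: '0.4.0' },
    'node_modules/redhat-cloud-services-lookalike': { version: '9.9.9' }, // unscoped: not matched
  },
};

for (const h of findScopedPackages(sampleLock)) {
  console.log(`${h.name}@${h.version}  (${h.path})`);
}
```

For a real project, pass `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` instead of the sample object.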