• A Red Hat employee had leaked credentials; the threat actor used those credentials to push some files to GitHub, which executed the code in a GitHub Action that had trusted access to publish to NPM.

  Essentially, an employee got owned and someone used their access (that they already had) to publish the nefarious code.

  You’ll see GitHub Actions in these often, as that’s how a lot of big open source organizations publish their packages and run tests/deployments. It’s less of a “GitHub-based problem” and more of a “trust boundary problem”; if they had used other services, the same attack could likely still have succeeded.