
Red Hat NPM packages infected by Shai-Hulud supply-chain worm

Ars Technica •

Security researchers uncovered dozens of malicious NPM packages that masqueraded as Red Hat modules. The code was injected via the Shai-Hulud worm, which first appeared in a $1,000 bounty competition run by the hacker collective TeamPCP. By exploiting GitHub Actions OpenID Connect, the attackers breached Red Hat’s CI/CD pipeline and published the backdoors to the registry. The packages were downloaded thousands of times before removal.

Red Hat responded that the compromised packages were limited to internal development and never reached customers through the console.redhat.com portal. An internal email confirmed removal of the malicious code and said no impact was detected on production systems or partner environments. Nonetheless, any developer who installed the packages in the last 36 hours should assume credential theft and investigate immediately.

The incident illustrates how supply-chain attacks can cascade from a single compromised CI/CD credential to dozens of downstream projects. Earlier breaches at Checkmarx and Trivy showed similar propagation, underscoring the difficulty of fully eradicating malware once it reaches build pipelines. Organizations must audit their NPM dependencies and enforce stricter OIDC token controls to prevent recurrence. Failure to act quickly could expose critical infrastructure.