Windows News
Attackers swiped a GitHub Actions OIDC token from Red Hat’s CI/CD pipeline and used it to publish 32 trojanized npm packages under the @redhat-cloud-services scope, Microsoft Threat Intelligence revealed on June 2, 2026. The packages, downloaded more than 1,200 times in five days, contained credential stealers and reverse shells that siphoned environment variables, SSH keys, and cloud access tokens from developer machines—including those running Windows Subsystem for Linux and native Node.js environments on Windows.
How the Pipeline Was Hijacked
The RedHatInsights/javascript-clients repository automates the release of TypeScript client libraries for Red Hat’s cloud APIs. Its GitHub Actions workflow uses OpenID Connect (OIDC) to authenticate directly to the npm registry, eliminating long-lived tokens. The attacker injected a step into the publish.yml workflow that exfiltrated the short-lived OIDC token after the build completed but before the clean-up job ran.
Microsoft’s investigation found that the modified workflow logged the token to a public Pastebin endpoint on June 1. The token remained valid for 10 minutes—long enough for the attacker to authenticate to npm and push 32 packs. OIDC tokens are minted by GitHub and include the repository name and run ID as claims; the malicious publish came from the legitimate repository, so npm accepted it without question.
The Malicious Payload
The infected packages impersonated genuine Red Hat libraries such as @redhat-cloud-services/frontend-components-config, @redhat-cloud-services/insights-common-javascript, and @redhat-cloud-services/actions-client. Each package executed an obfuscated JavaScript payload in its postinstall script that:
- Scanned
~/.npmrc,~/.gitconfig, and%USERPROFILE%\\.ssh\\id_rsaon Windows. - Collected environment variables
NPM_TOKEN,GITHUB_TOKEN,AWS_ACCESS_KEY_ID, andAZURE_STORAGE_KEY. - Opened a WebSocket connection to a command-and-control server at
45.33.32.156:8443, registered as a DigitalOcean droplet in Frankfurt. - Waited for commands to download and execute further binaries, including a Go-based info-stealer compiled for Linux, macOS, and Windows PE.
On Windows, the malware persisted via a scheduled task named "NodeUpdateCheck" that ran every 30 minutes. It also attempted to disable Windows Defender by adding the process to the exclusion list if running with administrative privileges.
Detection and Takedown
Microsoft’s Threat Intelligence Center (MSTIC) flagged the anomalous publishing pattern on June 2 when its npm monitoring feed saw 32 packages appearing from the same workflow run in under three minutes. Normally, Red Hat publishes three to five packages per workflow execution.
Red Hat Security took down all the tainted packages within 90 minutes of notification and revoked the compromised OIDC token. The npm security team forced-published empty versions with the tag deprecated to break any ^version ranges pulling in the malware. Both GitHub and Red Hat released postmortems advising users to audit their package-lock.json files for the following compromised versions:
| Package Name | Malicious Version |
|---|---|
| @redhat-cloud-services/frontend-components-config | 6.23.7 |
| @redhat-cloud-services/insights-common-javascript | 2.4.9 |
| @redhat-cloud-services/actions-client | 1.1.3 |
| @redhat-cloud-services/compliance-client | 2.0.11 |
| @redhat-cloud-services/config-manager-client | 3.1.5 |
| … (27 more) | various |
Supply-Chain Echoes of 2024’s XZ Backdoor
This attack mirrors the sophistication of the 2024 XZ Utils compromise, but plays out entirely in the JavaScript ecosystem. It exploits the same trust model: developers implicitly accept that a package published under a vendor’s scope is benign because the CI/CD pipeline is considered secure.
OIDC token theft has become a recurring theme. In late 2025, Python’s PyPI saw a similar incident where a leaked GitHub token allowed trojanized uploads of the requests library. The Red Hat case is worse because the token was actively exfiltrated from within the pipeline, meaning even organizations with perfect secret management—no long-lived tokens in repos—remain vulnerable if an attacker can modify the workflow file.
Windows-Specific Risks
While Node.js runs cross-platform, over 60% of developers who use Windows for JavaScript development also operate Linux toolchains through WSL 2. The malware’s credential harvesting routine specifically targeted %USERPROFILE%, which is the mount point for the Windows host’s user directory inside WSL. This means an npm install triggered inside a WSL environment could exfiltrate Windows SSH keys stored in the host file system.
The scheduled task persistence mechanism relied on schtasks.exe, demonstrating the attacker’s deliberate interest in Windows victims. Combined with the Defender exclusion attempt, the malware aimed for long-term, silent access on Windows workstations.
Hardening Your CI/CD Pipeline
The incident demands immediate review of how pipelines authenticate to package registries. Microsoft and Red Hat jointly recommend:
- Pin OIDC claims to specific branches and environments. Configure your npm access policies to accept tokens only from
ref: refs/heads/mainandenvironment: production. Red Hat had set no additional claims, allowing any branch push to publish. - Add manual approval gates for publishing steps. A 30-second review step before publishing would have flagged the 32-package spike.
- Monitor workflow files for unexpected changes. Enable branch protection that requires pull request review before merging changes to
.github/workflows/. - Audit
package-lock.jsonand CI logs for the known-malicious versions. Usenpm auditand a one-liner:grep -E "@redhat-cloud-services.*(6.23.7|2.4.9|1.1.3|2.0.11|3.1.5)" package-lock.json. - Rotate credentials exposed on affected machines. Assume SSH keys, API tokens, and cloud access keys stored in environment variables were stolen.
Industry Response
Within 24 hours, Sonatype’s Nexus Firewall, Snyk, and Socket.dev blocked the malicious versions automatically. GitHub Advanced Security added a workflow scanning rule that detects curl or wget calls piping data to external services in workflow files that touch the id-token: write permission. npm itself fast-tracked a beta feature that requires second-factor confirmation from an account owner whenever a new package is published for the first time under an organization scope.
Red Hat reset all npm and GitHub tokens associated with the RedHatInsights organization and moved its publishing workflow to a dedicated, locked-down GitHub Actions environment with mandatory reviewer approval. The company also open-sourced a GitHub Action called verify-oidc-claims that repositories can use to double-check the audience and subject claims before publishing.
What Developers Must Do Now
If you have installed any @redhat-cloud-services package since June 1, 2026, immediately:
- Run npm update to pull the latest safe versions.
- Scan your machine with Windows Defender or Microsoft Safety Scanner.
- Delete the scheduled task NodeUpdateCheck via schtasks /delete /tn NodeUpdateCheck /f.
- Check for unauthorized machine access in Windows Event Viewer (Event ID 4624) and cloud audit logs.
The attack shows that even trusted, short-lived authentication can be twisted into a weapon. As CI/CD pipelines become the universal packaging plant for modern software, protecting them from inside the workflow is now as critical as securing source code itself. Red Hat’s quick takedown limited the blast radius, but the 1,200 downloads before detection are a sobering reminder that in a supply-chain attack, minutes matter.