Red Hat npm Packages Compromised in Supply Chain Attack
https://linuxiac.com/red-hat-npm-packages-compromised-in-supply-chain-attack/
This doesn’t solve the problem of people storing credentials where credential-stealers can steal them, but it’s not a bad idea to periodically invalidate your credentials and generate new ones, even if you don’t know that they’ve been compromised, just on the off chance that someone has grabbed yours and has them stored up, ready to use them at some point in the future.
That’s especially true if you develop or package software (and thus users of your software trust you to keep their systems secure) or have administrator access to any networks or multiuser systems (and thus your users trust you to keep their data secure).
I’d personally rather like to see external hardware keystores used where possible. YubiKey-type things aren’t perfect — they don’t have a display, so you can’t use trusted hardware to visually validate whatever you’re signing — but at least they’re relatively cheap and keep someone who compromises a computer from grabbing credentials.
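The comment above points at credentials sitting in plaintext on developer machines. As an added example (not part of the post or the commenter's text), here is a small audit that reads npm-style `.npmrc` content and reports any line that carries an auth secret directly in the file, so it can be rotated and moved out (to an environment variable expanded at run time, or to a hardware-backed store). It assumes the standard npmrc forms `//<registry>/:_authToken=<token>`, `_authToken=` and legacy `_auth=<base64>`; the sample file is constructed, and the token values in it are not real.

```python
import re
from pathlib import Path
from typing import NamedTuple

# npmrc auth lines: "//<registry>/:_authToken=<token>" (per-registry form),
# or top-level "_authToken=" / legacy "_auth=<base64 user:password>".
AUTH_KEY_RE = re.compile(
    r"^(?P<key>(?://[^=]*?/:)?_auth(?:Token)?)\s*=\s*(?P<value>\S+)\s*$"
)


class Finding(NamedTuple):
    line_no: int   # 1-based line in the file
    key: str       # the npmrc key that holds the secret
    masked: str    # redacted value, safe to put in a report


def mask(secret: str) -> str:
    """Keep only the first and last four characters so a report never leaks the secret."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}{'*' * (len(secret) - 8)}{secret[-4:]}"


def find_plaintext_tokens(text: str) -> list[Finding]:
    """Return every auth entry whose value is written literally into the file."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = AUTH_KEY_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        # "${VAR}" is expanded by npm from the environment at run time;
        # the file itself holds no secret in that case, so it is not reported.
        if value.startswith("${") and value.endswith("}"):
            continue
        findings.append(Finding(n, m.group("key"), mask(value)))
    return findings


def scan_file(path) -> list[Finding]:
    """Convenience wrapper for a real file, e.g. scan_file(Path.home() / ".npmrc")."""
    return find_plaintext_tokens(Path(path).read_text(encoding="utf-8"))


# Constructed sample; the tokens are placeholders, not real credentials.
SAMPLE_NPMRC = """\
# constructed sample .npmrc
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_EXAMPLEtokenAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//npm.example.internal/:_authToken=${INTERNAL_NPM_TOKEN}
_auth=dXNlcjpwYXNzd29yZA==
"""

if __name__ == "__main__":
    for f in find_plaintext_tokens(SAMPLE_NPMRC):
        print(f"line {f.line_no}: {f.key} holds a plaintext credential "
              f"({f.masked}); rotate it and move it out of the file")
```

Run it against `~/.npmrc` (and any per-project `.npmrc`) with `scan_file`; lines that reference `${VAR}` are deliberately skipped because the secret then lives only in the process environment, which is the usual first step before moving to a hardware-backed credential.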