BlockBeats News, June 2: SlowMist has released a security alert after detecting an ongoing npm supply chain attack targeting packages related to @redhat-cloud-services. So far, 31+ affected packages have been confirmed, with approximately 11.6k weekly downloads, and over 300 GitHub repositories have had credentials compromised. The attack method is highly similar to the previous "Shai-Hulud" npm attack, involving credential theft, creation of malicious repositories, and automated secret leakage. New suspicious repositories continue to emerge, indicating that the attack is still active and that developers are still being infected.
Potential threats include GitHub/npm token theft, exposure of AWS/GCP/Azure cloud credentials, collection of SSH keys and Kubernetes secrets, leakage of local environment and wallet data, creation of malicious repositories, persistent operations, and even potentially destructive behavior after token revocation. It is recommended to immediately remove or downgrade the affected @redhat-cloud-services package versions; thoroughly audit CI/CD workflows and dependency installations; rotate all GitHub, npm, cloud service, SSH, and wallet-related keys; retain logs; rebuild exposed developer machines or Runners from clean images; and remain highly vigilant.
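One way to start the dependency audit recommended above, as an added example that is not from SlowMist or BlockBeats: a Node.js function that lists every @redhat-cloud-services package pinned in a parsed package-lock.json, so the versions can be compared with the advisory's affected list. The function name, the sample lockfile, and its package names and versions are constructed placeholders.

```javascript
// Added example: list every @redhat-cloud-services package pinned in a parsed
// package-lock.json so the versions can be compared with the advisory.
const SCOPE = "@redhat-cloud-services/";

function findScopedPackages(lock, scope = SCOPE) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf("node_modules/");
      if (idx === -1) continue; // root project or workspace folder
      const name = meta.name || path.slice(idx + "node_modules/".length);
      if (name.startsWith(scope)) {
        hits.push({ name, version: meta.version, path,
                    hasInstallScript: Boolean(meta.hasInstallScript) });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, no install-script flag.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name.startsWith(scope)) {
        hits.push({ name, version: meta.version, path, hasInstallScript: null });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile; names and versions are placeholders, not
// values from the SlowMist alert.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/unrelated-lib": { version: "1.3.0" },
    "node_modules/@redhat-cloud-services/example-a": {
      version: "0.0.1", hasInstallScript: true },
    "node_modules/some-lib/node_modules/@redhat-cloud-services/example-b": {
      version: "0.0.2" },
  },
};

for (const hit of findScopedPackages(SAMPLE_LOCK)) {
  console.log(`${hit.name}@${hit.version} at ${hit.path}` +
              (hit.hasInstallScript ? " [runs install script]" : ""));
}
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findScopedPackages`; transitive copies nested under other packages are reported with their full install path.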
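Disclaimer: This content reflects a third party's views, or was translated directly by AI from a third party's views. CoinEx does not guarantee the reliability, accuracy, or originality of the content, and it does not constitute investment advice from CoinEx. Cryptocurrency prices fluctuate sharply. Please be aware of the potential risks.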