Malicious npm packages detected across Red Hat Cloud Services
Malicious releases of 31 npm packages in the @redhat-cloud-services scope were published, 95 compromised versions in total.
Red Hat Cloud Services npm packages were compromised with malicious releases. The affected scope covers 31 packages, each with multiple compromised versions, including infrastructure packages such as chrome and frontend-components as well as client libraries for compliance, entitlements, RBAC and others. Specific compromised versions include @redhat-cloud-services/chrome (2.3.1, 2.3.2, 2.3.4), @redhat-cloud-services/frontend-components (7.7.2, 7.7.3, 7.7.5) and many others. The issue was reported via StepSecurity's blog and OSS security feed, which points to a systematic compromise across the whole scope rather than isolated packages.
What the HN community is saying
The thread rehashes the recurring "npm is uniquely vulnerable" debate. Top comments acknowledge that while all package managers face supply chain risk, npm's default execution of lifecycle scripts on install makes it particularly dangerous compared with alternatives like pnpm. Defenders of npm note that PyPI, Cargo, and Composer have suffered similar attacks, though npm's script execution on every dependency install (not only the project's own setup) sets it apart. One comment recommends delaying updates by three days and running audit tools. The broader consensus reflects frustration that npm has known about these risks for years without substantial structural change.