On June 1st, attackers compromised 32 npm packages in the @redhat-cloud-services namespace, publishing 96 malicious versions that carried valid npm provenance attestations and therefore looked legitimate. It is a supply chain attack that exploits a design gap in how npm's trusted publishing ties a package to its source.
The attack, documented by SafeDep, turns on one weakness: npm's trusted publishing binds a package to a GitHub repository and a workflow filename, not to a branch. Anyone who can push a branch to that repository can therefore commit a rewritten copy of the workflow file under the same name and have it run with the same identity. The attackers did exactly that: they created throwaway branches in three RedHatInsights repositories, rewrote the CI workflows into self-publishing jobs, and injected worm code that exchanged the job's GitHub Actions OIDC token for an npm publish token and pushed the new versions.
The malicious packages appeared legitimate because they carried valid npm provenance attestations, and those attestations were truthful: the packages really were built and published by a workflow file in the expected repository. Provenance answers "which repository and workflow built this?", not "was that workflow the one the maintainers reviewed?". To developers checking dependencies, everything looked clean. Hidden inside was a four-layer payload: a ROT-9-encoded first stage, an AES-128-GCM-encrypted second stage, execution under the Bun runtime, and a credential harvester targeting AWS, Azure, GCP, GitHub, npm, and password managers.
What makes this particularly nasty: the payload runs from the package's `preinstall` lifecycle script, so npm executes it during `npm install` (or `npm ci`) without your code ever importing the package, and a transitive dependency is enough to trigger it. Installing with `--ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) would have blocked this stage, at the cost of breaking packages that legitimately need install hooks. By the time you notice something is wrong, your cloud credentials are already gone.
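The two defensive checks the last two paragraphs imply, finding install-time hooks before they run and peeling a ROT-style first layer off whatever they hide, can be automated. The following is an added example written for this article, not SafeDep's tooling or npm's code; the sample manifests, the `@example/*` package names and the hidden string are constructed, and the keyword and pattern lists are illustrative starting points rather than a complete signature set:

```javascript
// Added example (not SafeDep's tooling or npm's code): audit a package
// manifest for install-time lifecycle hooks and try to peel a ROT-style
// first layer off any string literals found in them. Sample manifests
// below are constructed for this article, not the real malicious packages.

// npm runs these during `npm install` of a dependency; your code never
// has to import the package for them to execute.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructs that are rare in a legitimate install hook of a library.
const SUSPICIOUS = [
  /\bbun\b/,
  /\bcurl\b|\bwget\b/,
  /\beval\s*\(/,
  /new Function\(/,
  /\bprocess\.env\b/,
  /\bchild_process\b/,
  /node\s+-e\b/,
  /\bbase64\b/,
];

// Keywords whose appearance in a decoded literal signals credential interest.
const KEYWORDS = [
  "process.env", "AWS_", "AZURE_", "GOOGLE_APPLICATION", "NPM_TOKEN",
  "GITHUB_TOKEN", ".aws/credentials",
];

// Caesar-rotate ASCII letters by n. ROT-9 is rot(text, 9); decoding is
// rot(text, 17), or simply trying every shift as deobfuscate() does.
function rot(text, n) {
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + n) % 26) + base);
  });
}

// Try all 26 rotations of a literal; report the first that reveals a keyword.
function deobfuscate(literal) {
  for (let shift = 0; shift < 26; shift++) {
    const decoded = rot(literal, shift);
    if (KEYWORDS.some((k) => decoded.includes(k))) return { shift, decoded };
  }
  return null;
}

// Extract single- or double-quoted string literals from a script line.
function stringLiterals(script) {
  return [...script.matchAll(/(["'])((?:\\.|(?!\1).)*)\1/g)].map((m) => m[2]);
}

// Returns one finding per install hook present in the manifest.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({
      hook,
      cmd,
      patterns: SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source),
      decoded: stringLiterals(cmd).map(deobfuscate).filter(Boolean),
    });
  }
  return findings;
}

// Constructed manifests. `hidden` is rot("process.env.AWS_SECRET_ACCESS_KEY", 9).
const clean = { name: "@example/clean", version: "1.0.0", scripts: { build: "tsc -p ." } };
const hidden = rot("process.env.AWS_SECRET_ACCESS_KEY", 9);
const bad = {
  name: "@example/bad",
  version: "1.0.1",
  scripts: { preinstall: `node -e "const s='${hidden}';eval(rot(s,17))"` },
};

console.log(JSON.stringify(auditManifest(bad), null, 2));
```

To use this on a real tree, read every `node_modules/**/package.json` and pass each parsed object to `auditManifest`; a non-empty result for a package you did not expect to need install hooks is the thing to look at before you let `npm install` run scripts. Note that the rotation brute-force only catches the first, trivial layer the article describes; an AES-encrypted second stage cannot be decoded without the key, so its presence (a long high-entropy literal plus a decryption call) is itself the signal.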
This isn't just a Red Hat problem. It's a weakness in how npm's trusted publishing works. The attack vector, pushing an arbitrary branch and overwriting the CI workflow on it, could work against any project using npm's GitHub Actions integration where an attacker can get a branch into the repository.
The fix isn't simple. Trusted publishing needs to be bound to a specific branch, not just a repository and a filename. That requires changes on npm's side and widespread adoption of more restrictive policies by maintainers. In the meantime the practical mitigations sit on the GitHub side: set the optional environment name in the npm trusted publisher configuration and restrict that environment's deployment branches to the release branch, and protect `.github/workflows/` with branch protection or rulesets so a workflow file cannot change without review.
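To make concrete why the repository-plus-filename binding described earlier fails and what the branch pinning proposed here adds, the following added example models the registry's trust decision over the claims of a GitHub Actions OIDC token. It is written for this article and is not npm's implementation or SafeDep's analysis; the claim names `repository`, `job_workflow_ref`, `ref` and `environment` are the ones GitHub issues, while the policy objects, the `example-org/example-pkg` repository and the branch and environment names are hypothetical. Real verification would first check the token's signature against GitHub's JWKS and its issuer, audience and expiry, which this model omits:

```javascript
// Added example (not npm's code): model of a registry's trust decision over
// GitHub Actions OIDC token claims. Claim names are real GitHub OIDC claims;
// policies, repository, branch and environment names are hypothetical, and
// signature/issuer/audience/expiry verification is intentionally out of scope.

// Parse "owner/repo/.github/workflows/publish.yml@refs/heads/main" into parts.
function parseWorkflowRef(jobWorkflowRef) {
  const m = /^([^/]+\/[^/]+)\/(\.github\/workflows\/[^@]+)@(.+)$/.exec(jobWorkflowRef);
  if (!m) throw new Error(`unexpected job_workflow_ref: ${jobWorkflowRef}`);
  return { repository: m[1], workflowPath: m[2], workflowRef: m[3] };
}

// The binding the article attributes to npm: repository and workflow filename.
// Any branch of the repository that carries a file with that name passes.
function repoAndFileBinding(policy, claims) {
  const wf = parseWorkflowRef(claims.job_workflow_ref);
  return (
    claims.repository === policy.repository &&
    wf.repository === policy.repository &&
    wf.workflowPath === `.github/workflows/${policy.workflowFile}`
  );
}

// Branch-pinned binding: the workflow must have run from the pinned ref and
// must reference it, and, if the policy names a GitHub environment, the job
// must have run under it (environments can restrict deployment branches).
function branchPinnedBinding(policy, claims) {
  if (!repoAndFileBinding(policy, claims)) return false;
  const wf = parseWorkflowRef(claims.job_workflow_ref);
  if (claims.ref !== policy.ref || wf.workflowRef !== policy.ref) return false;
  if (policy.environment !== undefined && claims.environment !== policy.environment) return false;
  return true;
}

// Hypothetical trusted publisher configuration for one package.
const policy = {
  repository: "example-org/example-pkg",
  workflowFile: "publish.yml",
  ref: "refs/heads/main",
  environment: "npm-publish",
};

// Constructed claims for a legitimate release job on the default branch.
const legitimate = {
  repository: "example-org/example-pkg",
  job_workflow_ref: "example-org/example-pkg/.github/workflows/publish.yml@refs/heads/main",
  ref: "refs/heads/main",
  environment: "npm-publish",
};

// Constructed claims for the attack pattern: same repository, same workflow
// filename, but from a throwaway branch whose copy of the file was rewritten.
// No `environment` claim: the rewritten job declares none.
const throwaway = {
  repository: "example-org/example-pkg",
  job_workflow_ref: "example-org/example-pkg/.github/workflows/publish.yml@refs/heads/tmp-1",
  ref: "refs/heads/tmp-1",
};

console.log("repo+file, throwaway branch:", repoAndFileBinding(policy, throwaway));
console.log("branch-pinned, throwaway branch:", branchPinnedBinding(policy, throwaway));
```

The first check accepts the throwaway branch's token, which is the whole attack: nothing in the repository-and-filename binding distinguishes a reviewed `publish.yml` on `main` from a rewritten one on `tmp-1`. The second check rejects it on the `ref` claim alone, and the environment comparison is what an environment-restricted trusted publisher buys you today without any registry-side change.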
The tradecraft is impressive. The question is whether supply chain security can keep pace with increasingly sophisticated attacks.
