A malicious npm package made it through Red Hat Cloud Services' GitHub Actions OIDC publisher this week—not through a stolen token, not via typosquatting, but through the project's actual release pipeline. The kind of pipeline that was supposed to solve supply chain security.
According to security researchers at SafeDep, the compromised package didn't just steal cloud credentials. It self-propagated by injecting fake CodeQL workflows into repositories that installed it, turning every victim into a potential attack vector. This is supply chain malware with a reproductive strategy, and it bypassed the "trusted publisher" model that the ecosystem spent years building.
Here's why this matters: OIDC-based publishing was meant to eliminate the risk of stolen credentials by using short-lived tokens issued through GitHub Actions. The model assumes that if the workflow comes from the right repository with the right permissions, the package is legitimate. But if an attacker compromises the source repository or the workflow definition itself, that entire trust model collapses.
Every development team that relies on trusted publishers needs to understand what just happened here. The attack didn't exploit a bug in the publishing system—it exploited the fact that "trusted" is only as good as the security of what you're trusting. If your CI/CD pipeline has write access to package registries and someone compromises your repository, your supply chain is compromised.
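To make the trust model concrete, here is an added example (not from the article, Red Hat, SafeDep, or any registry's code) that models how a registry matches the claims of an already-verified GitHub Actions OIDC token against a trusted-publisher entry. The claim names (`repository`, `job_workflow_ref`, `environment`, `ref`) are GitHub's; the policy structure, function names and sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PublisherPolicy:
    # Hypothetical model of what a registry's trusted-publisher entry pins.
    repository: str                    # "owner/name" the token must come from
    workflow_file: str                 # filename under .github/workflows/
    environment: Optional[str] = None  # deployment environment, if required
    ref: Optional[str] = None          # git ref the release must run from

def evaluate_claims(claims: dict, policy: PublisherPolicy):
    """Match an OIDC token's claims against the policy.

    Assumes signature, audience and expiry were already verified; this models
    only the identity match a registry performs before accepting a publish.
    """
    if claims.get("repository") != policy.repository:
        return False, "repository mismatch"
    # job_workflow_ref has the form owner/repo/.github/workflows/<file>@<ref>
    expected = f"{policy.repository}/.github/workflows/{policy.workflow_file}@"
    if not claims.get("job_workflow_ref", "").startswith(expected):
        return False, "workflow file mismatch"
    if policy.environment and claims.get("environment") != policy.environment:
        return False, "environment mismatch"
    if policy.ref and claims.get("ref") != policy.ref:
        return False, "ref mismatch"
    return True, "claims match trusted publisher"

# Constructed sample data; names are placeholders, not the incident's values.
POLICY = PublisherPolicy("example-org/example-pkg", "release.yml",
                         environment="npm-release", ref="refs/heads/main")
LEGIT = {"repository": "example-org/example-pkg",
         "job_workflow_ref": "example-org/example-pkg/.github/workflows/release.yml@refs/heads/main",
         "environment": "npm-release", "ref": "refs/heads/main"}
# A fork or unrelated repo running an identical workflow: wrong repository.
FORK = dict(LEGIT, repository="attacker-org/example-pkg",
            job_workflow_ref="attacker-org/example-pkg/.github/workflows/release.yml@refs/heads/main")
# The real workflow file edited inside the real repo: the claims are identical,
# so the registry cannot tell it apart. That is the gap the article describes.
TAMPERED = dict(LEGIT)

def run_scenarios():
    return {name: evaluate_claims(c, POLICY)
            for name, c in (("legit", LEGIT), ("fork", FORK), ("tampered", TAMPERED))}
```

Because a modified workflow in the trusted repository produces the same claims as the original, the registry-side match passes; what keeps the match meaningful is protection of the repository, the workflow file and the release environment (for example, GitHub environment protection rules with required reviewers).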
Red Hat has since revoked the malicious packages and secured the compromised pipeline, but the incident raises uncomfortable questions about how much automation we're willing to trust with our dependency trees. The technology works exactly as designed. The problem is that the design assumes the source is secure.