This is the supply chain attack that every developer has nightmares about: a malicious npm package was distributed through Red Hat Cloud Services' own trusted publishing pipeline. Not through stolen credentials. Not through typosquatting. Through the actual official release pipeline.
If you can't trust packages that are cryptographically signed by verified publisher workflows, the entire npm security model just got a lot shakier.
The package in question is @redhat-cloud-services/patch-client version 4.0.4. It went out through the project's own GitHub Actions OIDC trusted publisher, the security mechanism specifically designed to prevent this kind of compromise. The malicious code runs on install, steals cloud credentials, and self-propagates by injecting fake CodeQL workflows into any repositories the stolen tokens can reach.
Let's break down why this is so serious. Trusted publishers were supposed to solve the "compromised maintainer" problem. Instead of individual developers having npm tokens that could be stolen or phished, packages would be published directly from verified CI/CD pipelines. The cryptographic chain of trust would be unbreakable.
Except someone broke it. And they did it by compromising the CI/CD pipeline itself.
The attack is sophisticated in its simplicity. Once installed, the malicious package exfiltrates AWS, Azure, and GCP credentials from the local environment. Then it uses those credentials to access any repositories the compromised account can reach and injects fake security scanning workflows that propagate the attack further.
It's a worm. A self-replicating supply chain worm that spreads through the very security infrastructure meant to protect us.
According to security researchers at SafeDep, up to 32 packages under the @redhat-cloud-services scope could potentially be affected, since they all share the same publisher workflow. Version 4.0.3 is confirmed clean; anything newer is suspect until proven otherwise.
If you have anything from @redhat-cloud-services in your dependency tree, you need to check it. Now. Pin to 4.0.3 or earlier, audit your environment for unexpected network activity, rotate your cloud credentials, and check your repositories for unexpected workflow files.
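As an added example (not code from SafeDep, Red Hat or the original article), this Node.js script walks a parsed package-lock.json and flags every @redhat-cloud-services entry: patch-client newer than 4.0.3 is marked suspect, other packages in the scope are marked for review, and entries that run install scripts are noted. The lockfile contents are constructed sample data and example-pkg is a hypothetical package name.

```javascript
// Added example, not from the original article. Audits a parsed
// package-lock.json (lockfileVersion 2 or 3) for the packages named above.
const SCOPE = "@redhat-cloud-services/";
const PATCH_CLIENT = "@redhat-cloud-services/patch-client";
const LAST_CLEAN = [4, 0, 3]; // the article: 4.0.3 is confirmed clean

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v || "");
  return m ? m.slice(1).map(Number) : null; // null for prerelease/odd tags
}

function isNewer(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return false;
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    const name = entry.name || path.slice(idx + "node_modules/".length);
    if (!name.startsWith(SCOPE)) continue;
    let status = "review"; // same scope, same publisher workflow
    if (name === PATCH_CLIENT) {
      const v = parseVersion(entry.version);
      // Fail closed: an unparseable version counts as suspect.
      status = v && !isNewer(v, LAST_CLEAN) ? "ok" : "suspect";
    }
    findings.push({ path, name, version: entry.version, status,
      hasInstallScript: entry.hasInstallScript === true });
  }
  return findings;
}

// Constructed sample lockfile; "example-pkg" is a hypothetical package name.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "my-app", version: "1.0.0" },
  "node_modules/@redhat-cloud-services/patch-client":
    { version: "4.0.4", hasInstallScript: true },
  "node_modules/foo/node_modules/@redhat-cloud-services/patch-client":
    { version: "4.0.3" },
  "node_modules/@redhat-cloud-services/example-pkg": { version: "1.2.0" },
  "node_modules/lodash": { version: "4.17.21" },
} };

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(f.status.toUpperCase(), f.name + "@" + f.version, f.path);
}
```

To audit a real project, pass auditLockfile the result of JSON.parse on the project's package-lock.json. Nested node_modules paths are checked too, so a transitive copy of the package is not missed.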
