Researchers from security firm Aikido reported that official Red Hat NPM accounts have been compromised, leading to the distribution of a malicious worm. This worm spreads between machines and targets sensitive credentials to access confidential data. The attack began on June 1, 2026, and was still active at the time of the report. The threat actor gained control of the @redhat-cloud-services channel in the npm repository, which is typically trusted by developers using Red Hat cloud services. The method of gaining access to this channel is not fully understood but likely involved credential compromise, potentially from a prior attack. Over 30 packages are believed to be affected.
Why this rating? · 7 signals
Signals flagged in the original
- loaded language: 'compromised'
- loaded language: 'malicious worm'
- loaded language: 'pilfers'
- loaded language: 'vicious cycle'
- framing: headline asserting a conclusion
- editorializing: vicious cycle of today’s supply-chain attacks
- vague attribution: researchers said, according to researchers
Analyzed by our bias model Full breakdown ↓
Red Hat NPM Accounts Compromised in Supply-Chain Attack
A supply-chain attack on Red Hat's NPM accounts has led to the distribution of a malicious worm that steals sensitive credentials. The attack, reported by Aikido researchers, began on June 1, 2026, and is linked to the compromise of the @redhat-cloud-services channel.
No note attached
on this article.
Bias Analysis
Bias Indicators Removed
- ✕ loaded language: 'compromised'
- ✕ loaded language: 'malicious worm'
- ✕ loaded language: 'pilfers'
- ✕ loaded language: 'vicious cycle'
- ✕ framing: headline asserting a conclusion
- ✕ editorializing: vicious cycle of today’s supply-chain attacks
- ✕ vague attribution: researchers said, according to researchers
Original vs. Neutral
Dozens of Red Hat packages backdoored through its official NPM channel
Red Hat NPM Accounts Compromised in Supply-Chain Attack