◐𝕏XGitHubLinkedInRSSGuestbookArchives
← Back
June 1, 2026

Red Hat NPM Packages Compromised: A Supply Chain Wake-Up Call

Red Hat's JavaScript client packages on NPM were compromised, reigniting debates about package manager security and the need for dependency cooldowns.

Red Hat's NPM packages under @redhat-cloud-services were compromised, part of a growing pattern of supply chain attacks. The incident, reported in a GitHub issue, triggered heated discussion on Hacker News, with over 500 upvotes and 250 comments. Many pointed to a lack of systemic prevention in the NPM ecosystem.

What Happened: The Red Hat NPM Compromise

Attackers gained access to maintainer credentials or CI/CD pipelines and published malicious versions of several packages. The exact payload is still under analysis, but the pattern is classic: trusted packages updated with code that can exfiltrate secrets, install backdoors, or alter production behavior. These packages are used by Red Hat customers and cloud service consumers, giving the attack wide potential impact.

Red Hat took down the compromised versions and launched an investigation. But the damage—both real and reputational—is done. This incident proves that even major open-source projects with corporate backing are vulnerable.

Why the Hacker News Community Reacted

The HN thread revealed a mix of frustration and resignation. One commenter sarcastically referenced a famous headline: “'No Way to Prevent This,' Says Only package manager Where This Regularly Happens.” NPM, despite being the largest package ecosystem, has repeatedly failed to prevent account takeovers and malicious publications.

Another commenter highlighted a practical mitigation: dependency cooldowns. The idea is to block packages younger than a certain age, giving the community time to detect and report malicious versions before they spread.

Dependency cooldowns would have saved you from the axios, tanstack, and @redhat-cloud-services attacks.

This sentiment echoes across many comments. The community wants proactive defaults, not reactive fixes. Some mentioned using Yarn 4's built-in cooldown feature, which prevents installing packages published within a configurable number of days.

Lessons Learned: Dependency Cooldowns and More

The Red Hat compromise is not an outlier—it's a symptom. The JavaScript ecosystem has a fundamental trust problem: every npm install downloads and executes code from anonymous maintainers with zero friction. This attack happened to a company with strong security practices, proving that individual vigilance isn't enough.

Dependency cooldowns are a great start, but they aren't a silver bullet. Attackers can wait days to publish malicious versions or compromise long-standing maintainers. A robust approach requires multiple layers:

  • Audit all dependencies – Use tools like npm audit and Socket.dev to scan for suspicious behavior.
  • Pin exact versions – Lock files help only if you don't blindly update.
  • Separate build and publish – Never run npm install in the same environment that publishes packages. Use isolated, ephemeral CI jobs.
  • Review changes – Diff critical dependency updates with npm diff.

Ecosystem-wide enforcement is the real lever. NPM could mandate cooldowns for new package versions or require maintainers to use hardware keys. Until then, we're playing whack-a-mole.

Practical Steps to Protect Your Builds

If you use NPM, apply these steps today to reduce your risk:

1. Implement Dependency Cooldowns

Use a registry proxy (Artifactory, Verdaccio) or a package manager with built-in cooldowns. With Yarn 4, add this to .yarnrc.yml:

npmPublishRegistry: 'https://registry.yarnpkg.com'
packageExtensions:
  '**':
    peerDependencies:
      '**': '*'

Then enforce cooldowns via a policy script that checks package publish dates. For example, block all packages younger than 2 days.

2. Use a Sandbox for Installs

Run npm install in a container or isolated CI job with no secrets. In GitHub Actions, split your workflow:

jobs:
  install:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
  test:
    needs: install
    runs-on: ubuntu-latest
    steps:
      - run: npm test
  publish:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - run: npm publish
    environment: production

This ensures malicious code executed during install cannot access publish tokens.

3. Enable Security Alerts

GitHub Dependabot and npm audit provide automated alerts. Enable them and treat them seriously.

4. Consider Forking Critical Dependencies

One commenter advocated forking every dependency. While extreme, forking your 10 most critical packages and reviewing updates manually can be worth the overhead for high-security projects.

Final Verdict

Should you care? Absolutely, if you maintain or develop applications with NPM dependencies. The Red Hat attack shows no organization is too big to be compromised. Ignoring supply chain security puts you one npm install away from a breach. For hobbyists building throwaway projects, the risk may be acceptable. For anything professional, implement at least the cooldown and sandboxing steps above. The cost is low, and the protection is real.

Links:

  • HN discussion
  • Original GitHub issue
  • Cooldown explanation by Matteo Collina
  • Wikipedia article
  • Socket.dev security scanner
  • Safely using npm in CI
Share on Twitter
← Back to all posts