Dozens of @redhat-cloud-services npm packages hit in supply-chain compromise
Attackers pushed malicious versions of more than 30 npm packages published under the @redhat-cloud-services scope, the JavaScript client and frontend component libraries that Red Hat Insights and related console services depend on. Affected packages span core building blocks like the chrome shell, frontend-components, host-inventory-client, rbac-client, and insights-client, along with MCP server packages and the shared eslint config — each with two or three poisoned releases in the wild.
The blast radius is wide because these packages are pulled transitively into anything built on the Red Hat Hybrid Cloud Console stack, meaning downstream consumers may have ingested the bad versions without touching them directly. StepSecurity flagged the incident and Red Hat is tracking it on the public javascript-clients repo, with a growing list of specific compromised version numbers that teams should pin against in lockfiles, mirrors, and CI caches.
For anyone shipping on this ecosystem, the immediate work is auditing installs for the listed versions, purging them from local and proxy caches, rotating any credentials that may have been exposed to build environments, and pinning to known-good releases until Red Hat completes its investigation.
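To make the audit step above concrete, here is an added example (not code from Red Hat, StepSecurity, or the article) that walks a package-lock.json and reports every installed copy of a compromised @redhat-cloud-services release, including transitive ones. The compromised version numbers and the sample lockfile are constructed placeholders; the real list lives in the javascript-clients repo.

```javascript
// Audit an npm lockfile for known-compromised @redhat-cloud-services releases.
// COMPROMISED is a CONSTRUCTED placeholder: substitute the versions published
// in Red Hat's javascript-clients tracking issue before running for real.
const COMPROMISED = {
  "@redhat-cloud-services/frontend-components": ["9.9.9-bad.1", "9.9.9-bad.2"],
  "@redhat-cloud-services/rbac-client": ["9.9.9-bad.1"],
};

// Walks a package-lock.json object (lockfileVersion 2/3 "packages" map, with a
// fallback to the v1 nested "dependencies" tree) and returns every installed
// copy whose name+version is on the list, with its install path so a transitive
// pull-in can be traced back to the direct dependency that brought it in.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    if (compromised[name] && compromised[name].includes(version)) {
      hits.push({ name, version, path: where });
    }
  };
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === "") continue; // root project entry, not a dependency
      // The package name is everything after the last "node_modules/".
      const marker = "node_modules/";
      const name = p.slice(p.lastIndexOf(marker) + marker.length);
      check(name, meta.version, p);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        check(name, meta.version, where);
        if (meta.dependencies) walk(meta.dependencies, where + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile: one direct dependency is poisoned, a second is
// clean but pulls a poisoned rbac-client transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "console-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/frontend-components": { version: "9.9.9-bad.2" },
    "node_modules/@redhat-cloud-services/host-inventory-client": { version: "1.0.0" },
    "node_modules/@redhat-cloud-services/host-inventory-client/node_modules/@redhat-cloud-services/rbac-client": { version: "9.9.9-bad.1" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) console.log(`${h.name}@${h.version} at ${h.path}`);
```

Run it against each lockfile in CI as well as on developer machines, since a proxy or CI cache can reinstall a flagged version even after the local node_modules has been cleaned.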
This is an AI-generated summary of a Hacker News item. Read the original for the full story.