Severity: critical · Category: Supply chain

AGS-2026-0003

redhat-cloud-services npm package supply chain attack

Each compromised package adds a malicious preinstall hook to package.json that silently runs "node index.js" during installation; that script downloads Bun and executes a payload that steals secrets from npm, GitHub, Amazon Web Services (AWS), and Secure Shell (SSH) configuration. The added code bloats index.js from ~8KB to ~4.3MB and acts as a heavily obfuscated ROT-9 eval loader. If any of the compromised packages were installed, users and organizations should assume compromise, rotate credentials, revert to a previously trusted version, and block the compromised packages.

Affected Packages

  • @redhat-cloud-services/types: 3.6.1, 3.6.2, 3.6.4
  • @redhat-cloud-services/frontend-components-utilities: 7.4.1, 7.4.2, 7.4.4
  • @redhat-cloud-services/frontend-components: 7.7.2, 7.7.3, 7.7.5
  • @redhat-cloud-services/rbac-client: 9.0.3, 9.0.4, 9.0.6
  • @redhat-cloud-services/javascript-clients-shared: 2.0.8, 2.0.9, 2.0.11
  • @redhat-cloud-services/frontend-components-config-utilities: 4.11.2, 4.11.3, 4.11.5
  • @redhat-cloud-services/frontend-components-notifications: 6.9.2, 6.9.3, 6.9.5
  • @redhat-cloud-services/tsc-transform-imports: 1.2.2, 1.2.4, 1.2.6
  • @redhat-cloud-services/frontend-components-config: 6.11.3, 6.11.4, 6.11.6
  • @redhat-cloud-services/eslint-config-redhat-cloud-services: 3.2.1, 3.2.2, 3.2.4
  • @redhat-cloud-services/host-inventory-client: 5.0.3, 5.0.4, 5.0.6
  • @redhat-cloud-services/rule-components: 4.7.2, 4.7.3, 4.7.5
  • @redhat-cloud-services/frontend-components-remediations: 4.9.2, 4.9.3, 4.9.5
  • @redhat-cloud-services/frontend-components-translations: 4.4.1, 4.4.2, 4.4.4
  • @redhat-cloud-services/vulnerabilities-client: 2.1.9, 2.1.11
  • @redhat-cloud-services/frontend-components-advisor-components: 3.8.2, 3.8.4, 3.8.6
  • @redhat-cloud-services/entitlements-client: 4.0.11, 4.0.12, 4.0.14
  • @redhat-cloud-services/chrome: 2.3.1, 2.3.2, 2.3.4
  • @redhat-cloud-services/notifications-client: 6.1.4, 6.1.5, 6.1.7
  • @redhat-cloud-services/compliance-client: 4.0.3, 4.0.4, 4.0.6
  • @redhat-cloud-services/sources-client: 3.0.10, 3.0.11, 3.0.13
  • @redhat-cloud-services/integrations-client: 6.0.4, 6.0.5, 6.0.7
  • @redhat-cloud-services/frontend-components-testing: 1.2.1, 1.2.2, 1.2.4
  • @redhat-cloud-services/remediations-client: 4.0.4, 4.0.5, 4.0.7
  • @redhat-cloud-services/insights-client: 4.0.4, 4.0.5, 4.0.7
  • @redhat-cloud-services/topological-inventory-client: 3.0.10, 3.0.11, 3.0.13
  • @redhat-cloud-services/config-manager-client: 5.0.4, 5.0.5, 5.0.7
  • @redhat-cloud-services/hcc-pf-mcp: 0.6.1, 0.6.2, 0.6.4
  • @redhat-cloud-services/quickstarts-client: 4.0.11, 4.0.12, 4.0.14
  • @redhat-cloud-services/patch-client: 4.0.4, 4.0.5, 4.0.7
  • @redhat-cloud-services/hcc-feo-mcp: 0.3.1, 0.3.2, 0.3.4
  • @redhat-cloud-services/hcc-kessel-mcp: 0.3.1, 0.3.2, 0.3.4

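The affected-version table above can be checked mechanically against a lockfile, which records what npm will install even when node_modules is not present on the machine doing the review. The following Python scanner is an added example written for this advisory, not part of AgentGuard's tooling or any Red Hat project: it embeds the advisory's package/version list, walks the package-lock.json v1, v2 and v3 layouts, and reports exact-version hits only, since the neighbouring releases of these packages are not listed as affected. The sample lockfile is constructed for the demonstration (the "example-app" and "react" entries are illustrative); yarn.lock and pnpm-lock.yaml are not parsed.

```python
import json
import sys

# Affected package versions, copied from this advisory (AGS-2026-0003).
AFFECTED = {
    "@redhat-cloud-services/types": {"3.6.1", "3.6.2", "3.6.4"},
    "@redhat-cloud-services/frontend-components-utilities": {"7.4.1", "7.4.2", "7.4.4"},
    "@redhat-cloud-services/frontend-components": {"7.7.2", "7.7.3", "7.7.5"},
    "@redhat-cloud-services/rbac-client": {"9.0.3", "9.0.4", "9.0.6"},
    "@redhat-cloud-services/javascript-clients-shared": {"2.0.8", "2.0.9", "2.0.11"},
    "@redhat-cloud-services/frontend-components-config-utilities": {"4.11.2", "4.11.3", "4.11.5"},
    "@redhat-cloud-services/frontend-components-notifications": {"6.9.2", "6.9.3", "6.9.5"},
    "@redhat-cloud-services/tsc-transform-imports": {"1.2.2", "1.2.4", "1.2.6"},
    "@redhat-cloud-services/frontend-components-config": {"6.11.3", "6.11.4", "6.11.6"},
    "@redhat-cloud-services/eslint-config-redhat-cloud-services": {"3.2.1", "3.2.2", "3.2.4"},
    "@redhat-cloud-services/host-inventory-client": {"5.0.3", "5.0.4", "5.0.6"},
    "@redhat-cloud-services/rule-components": {"4.7.2", "4.7.3", "4.7.5"},
    "@redhat-cloud-services/frontend-components-remediations": {"4.9.2", "4.9.3", "4.9.5"},
    "@redhat-cloud-services/frontend-components-translations": {"4.4.1", "4.4.2", "4.4.4"},
    "@redhat-cloud-services/vulnerabilities-client": {"2.1.9", "2.1.11"},
    "@redhat-cloud-services/frontend-components-advisor-components": {"3.8.2", "3.8.4", "3.8.6"},
    "@redhat-cloud-services/entitlements-client": {"4.0.11", "4.0.12", "4.0.14"},
    "@redhat-cloud-services/chrome": {"2.3.1", "2.3.2", "2.3.4"},
    "@redhat-cloud-services/notifications-client": {"6.1.4", "6.1.5", "6.1.7"},
    "@redhat-cloud-services/compliance-client": {"4.0.3", "4.0.4", "4.0.6"},
    "@redhat-cloud-services/sources-client": {"3.0.10", "3.0.11", "3.0.13"},
    "@redhat-cloud-services/integrations-client": {"6.0.4", "6.0.5", "6.0.7"},
    "@redhat-cloud-services/frontend-components-testing": {"1.2.1", "1.2.2", "1.2.4"},
    "@redhat-cloud-services/remediations-client": {"4.0.4", "4.0.5", "4.0.7"},
    "@redhat-cloud-services/insights-client": {"4.0.4", "4.0.5", "4.0.7"},
    "@redhat-cloud-services/topological-inventory-client": {"3.0.10", "3.0.11", "3.0.13"},
    "@redhat-cloud-services/config-manager-client": {"5.0.4", "5.0.5", "5.0.7"},
    "@redhat-cloud-services/hcc-pf-mcp": {"0.6.1", "0.6.2", "0.6.4"},
    "@redhat-cloud-services/quickstarts-client": {"4.0.11", "4.0.12", "4.0.14"},
    "@redhat-cloud-services/patch-client": {"4.0.4", "4.0.5", "4.0.7"},
    "@redhat-cloud-services/hcc-feo-mcp": {"0.3.1", "0.3.2", "0.3.4"},
    "@redhat-cloud-services/hcc-kessel-mcp": {"0.3.1", "0.3.2", "0.3.4"},
}


def lock_packages(lock):
    """Yield (name, version) for every dependency recorded in a package-lock.json.

    Lockfile v2/v3 keep a flat "packages" map keyed by install path
    ("node_modules/@scope/name"); v1 (and v2, for compatibility) nest a
    "dependencies" tree keyed by package name. A v2 file therefore yields
    each package twice; find_affected() dedupes.
    """
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:  # "" is the root project itself
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta["version"]

    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_affected(lock, affected=AFFECTED):
    """Return sorted (name, version) pairs from the lockfile that the advisory lists."""
    return sorted({(n, v) for n, v in lock_packages(lock) if v in affected.get(n, ())})


# Constructed sample lockfile (v3 layout) for trying the scanner offline.
# rbac-client 9.0.5 is deliberately present: it is NOT an affected release.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/@redhat-cloud-services/types": {"version": "3.6.2"},
        "node_modules/@redhat-cloud-services/rbac-client": {"version": "9.0.5"},
        "node_modules/example-app-ui/node_modules/@redhat-cloud-services/frontend-components": {
            "version": "7.7.5"
        },
    },
}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "package-lock.json"
    with open(path, encoding="utf-8") as fh:
        hits = find_affected(json.load(fh))
    for name, version in hits:
        print(f"[!] {name}@{version} is listed in AGS-2026-0003")
    sys.exit(1 if hits else 0)
```

Run it as `python scan_lock.py path/to/package-lock.json`; a non-zero exit status makes it usable as a CI gate. Nested install paths such as `node_modules/a/node_modules/@scope/b` are handled by taking the segment after the last `node_modules/`, which is how npm keys deduplicated copies.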

Self-check

AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.

Inspect paths

  • ~/.nvm/**/node_modules/
  • ~/.npm/_global/
  • ~/.openclaw/**/node_modules/
  • ~/.npm/_npx/
  • ./Library/Caches/
  • /tmp/
  • C:\ProgramData\
  • C:\Users\*\AppData\Local\Temp\
  • C:\Users\*\AppData\Roaming\npm\node_modules\
  • *%LOCALAPPDATA%\npm-cache\_npx\

Remediation: uninstall

1. Dependency Audit & Dependency Tree Inspection

    # Check if the affected scoped packages exist in the project dependency tree
    npm ls --all | grep "@redhat-cloud-services"
    # Check globally installed packages
    npm ls -g --depth=0 | grep "@redhat-cloud-services"

2. Global Lockfile Scanning

    # For npm (package-lock.json)
    grep -E "@redhat-cloud-services" package-lock.json -A 3
    # For yarn (yarn.lock)
    grep -E "@redhat-cloud-services" yarn.lock -A 3
    # For pnpm (pnpm-lock.yaml)
    grep -E "@redhat-cloud-services" pnpm-lock.yaml -A 3

3. Check VS Code Workspace Hidden Tasks

    # Scan for malicious lifecycle persistence triggered automatically upon opening folders
    grep -rn '"runOn": "folderOpen"' .vscode/

4. Check Claude Code Configuration File

    # Check if the Claude Code AI tool config has been modified to inject malicious hooks
    cat ~/.claude/settings.json 2>/dev/null | grep -A 5 '"hooks"'

5. Indicators of Compromise (IoC) Inspection

    # Linux / macOS: Check for specific mutex lockfiles or transient temporary scripts
    ls -la /tmp/tmp.0987654321.lock
    # List bare filenames so the anchored pattern matches the name rather than the mode column of ls -la
    ls /tmp/ | grep -E "^p.*\.js$"
    ls -la /tmp/ | grep "b-"
    # Windows (PowerShell): Check the temporary directory
    ls $env:TEMP | Select-String "tmp.0987654321.l"

6. Background Daemon & Running Process Check

    # Inspect the environment of running processes for the daemon flag
    # (BSD-style "e" prints the environment on Linux procps; on macOS use "ps auxE")
    ps auxe | grep "__IS_DAEMON"
    # Monitor for unexpected background bun runtime setups executed during npm installs
    ps aux | grep -E "node|bun"

Immediate Remediation Step (If Compromised)

If any of the indicators above return positive, make clear to your team that simply deleting node_modules or running npm uninstall does not remediate the compromise: the daemon process is already resident in memory and keys have likely already been exfiltrated via HTTPS POST. Your playbook should mandate an immediate credential rotation rule: revoke all GITHUB_TOKEN values, AWS/GCP cloud credentials (~/.aws/credentials), .npmrc registry keys, and SSH keys accessible from that specific host.
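The self-check above amounts to two filesystem sweeps: one over the node_modules trees under the "Inspect paths" list for packages carrying the install-hook and bloated index.js traits described at the top of the advisory, and one over the temp directory for the step 5 indicators. As an added illustration (not the AgentGuard guard's own inspection code), the Python script below implements both using only what this advisory states: it flags any installed package whose preinstall/install/postinstall hook runs "node index.js" or whose index.js exceeds 1 MB (the advisory reports ~8KB growing to ~4.3MB; the 1 MB threshold is an assumption made here), and lists temp-directory entries matching the advisory's lock-file, p*.js and b-* patterns. The build_fixture() helper creates a constructed sample tree so the scanner can be tried offline; the oversized index.js it writes is padding, not real package code.

```python
import fnmatch
import json
import os
import sys
import tempfile
from pathlib import Path

# Traits taken from the advisory text: the trojanized releases add an install
# hook that runs "node index.js", and index.js grows from ~8KB to ~4.3MB.
HOOK_MARKER = "node index.js"
BLOATED_INDEX_BYTES = 1_000_000  # assumed threshold; well above the benign ~8KB
# Temp-directory indicators listed in the advisory's IoC section.
TMP_PATTERNS = ("tmp.0987654321.lock", "p*.js", "b-*")


def inspect_package_dir(pkg_dir):
    """Return (package_name, findings) for one installed package directory."""
    pkg_dir = Path(pkg_dir)
    try:
        meta = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None, []  # not a readable package manifest
    findings = []
    scripts = meta.get("scripts") or {}
    for hook in ("preinstall", "install", "postinstall"):
        cmd = scripts.get(hook, "")
        if HOOK_MARKER in cmd:
            findings.append(f"{hook} hook runs {cmd!r}")
    index_js = pkg_dir / "index.js"
    if index_js.is_file():
        size = index_js.stat().st_size
        if size >= BLOATED_INDEX_BYTES:
            findings.append(f"index.js is {size} bytes")
    return meta.get("name"), findings


def scan_node_modules(root):
    """Walk every node_modules tree under root; return {name: findings} for flagged packages."""
    flagged = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        # Only directories that live inside a node_modules tree are installed packages.
        if "package.json" in filenames and "node_modules" in Path(dirpath).parts:
            name, findings = inspect_package_dir(dirpath)
            if findings:
                flagged[name or dirpath] = findings
    return flagged


def find_tmp_indicators(tmp_dir="/tmp"):
    """Return entries in tmp_dir whose names match the advisory's temp-file indicators."""
    try:
        names = os.listdir(tmp_dir)
    except OSError:
        return []
    return sorted(n for n in names if any(fnmatch.fnmatch(n, p) for p in TMP_PATTERNS))


def build_fixture():
    """Constructed sample tree (padding, not real package contents) for an offline dry run."""
    root = Path(tempfile.mkdtemp(prefix="ags-demo-"))
    benign = root / "node_modules" / "left-pad"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({"name": "left-pad", "version": "1.3.0"}))
    (benign / "index.js").write_text("module.exports = (s, n) => s.padStart(n);\n")
    bad = root / "node_modules" / "@redhat-cloud-services" / "types"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "@redhat-cloud-services/types", "version": "3.6.2",
        "scripts": {"preinstall": "node index.js"},
    }))
    # 52 bytes * 25,000 = 1,300,000 bytes of filler standing in for the obfuscated loader
    (bad / "index.js").write_bytes(b"/* padding standing in for the obfuscated loader */\n" * 25_000)
    tmp = root / "tmp"
    tmp.mkdir()
    for n in ("tmp.0987654321.lock", "p1a2b3.js", "b-4c5d", "unrelated.txt"):
        (tmp / n).touch()
    return root


if __name__ == "__main__":
    for root in sys.argv[1:] or [os.getcwd()]:
        for name, findings in scan_node_modules(root).items():
            print(f"[!] {root}: {name}: {'; '.join(findings)}")
    for n in find_tmp_indicators():
        print(f"[!] temp-file indicator present: /tmp/{n}")
```

Point it at the directories from the "Inspect paths" list (for example `python sweep.py ~/.nvm ~/.npm/_npx ./`); the two traits are reported separately so that a legitimate package with a short preinstall script is distinguishable from one that carries both the hook and the multi-megabyte loader.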