Dozens of Red Hat packages backdoored through its official NPM channel

Dozens of software packages distributed through Red Hat's official NPM channel were found to contain backdoor code, the company disclosed on Monday. According to Ars Technica's report, the incident was identified a week earlier by the JFrog Security Research team and reported to Red Hat.
The affected packages relate to Red Hat's 'Quay' container registry platform. JFrog researcher Andrey Polkovnychenko told Ars Technica that 'the infection of the packages took place at a stage within the CI/CD pipeline that builds the packages; the attacker managed to penetrate inside the official release process'.
The purpose of the backdoor code, according to Polkovnychenko, was 'to provide root access on the servers installing the packages and to maintain a callback connection to the attacker'. The affected packages were said to have been published between 11 May and 27 May 2026.
Red Hat's vice-president of information security Brian Levin, in the company's Monday official statement, said: 'We immediately closed the attacker entry point, removed the affected packages from all distribution channels, and submitted a formal notice to the Certificate Transparency Log.'
Ars Technica security correspondent Dan Goodin, in his commentary, said 'supply-chain incidents involving Red Hat shake the trust foundations of enterprise customers; the impact could be especially large in the government and financial services sectors'. Goodin noted that the number of downloads of affected packages exceeded 200,000.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued a Monday advisory recommending 'an immediate security review on servers where affected packages were installed, with detailed examination of root-access logs for the period after 11 May'. CISA reminded national critical infrastructure operators of 'additional reporting obligations'.
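The advisory above names two checks: find hosts where affected packages were installed, and review root-access logs from 11 May onward. The following script is an added example of a first-pass triage for both; it is not code from Red Hat, JFrog, CISA or Ars Technica. The affected package names and versions, the lockfile and the auth-log lines are constructed placeholders (the real indicator list is not reproduced on this page), and the syslog year is assumed to be 2026 because classic syslog timestamps carry no year.

```python
"""Added example, not from Red Hat, JFrog, CISA or Ars Technica: a first-pass
triage script for the review CISA describes. Part 1 scans an npm lockfile for
packages on an affected list; part 2 extracts root-access events from auth-log
lines dated on or after 11 May 2026. All package names, versions and log lines
below are constructed placeholders, not real indicators."""
import json
import re
from datetime import date

# Hypothetical indicator list {package name: backdoored versions}. Replace with
# the vendor's published list; these names are invented for the example.
AFFECTED = {
    "example-quay-client": {"2.4.1", "2.4.2"},
    "@example/quay-build-tools": {"1.0.7"},
}
CUTOFF = date(2026, 5, 11)  # start of the publication window named in the article


def find_affected(lock: dict, affected: dict = AFFECTED) -> list:
    """Return [(install path, name, version)] for every lockfile entry on the
    affected list. Handles lockfileVersion 2/3 ("packages", keyed by
    node_modules path) and v1 ("dependencies", nested)."""
    hits = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # Nested installs look like node_modules/a/node_modules/@scope/b
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if meta.get("version") in affected.get(name, set()):
                hits.append((path, name, meta["version"]))
        return hits

    def walk_v1(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version") in affected.get(name, set()):
                hits.append((path, name, meta["version"]))
            walk_v1(meta.get("dependencies", {}), path + "/")

    walk_v1(lock.get("dependencies", {}), "")
    return hits


def scan_lockfile(path: str) -> list:
    """Convenience wrapper: load package-lock.json from disk and scan it."""
    with open(path, encoding="utf-8") as fh:
        return find_affected(json.load(fh))


# Classic syslog prefix: "Mon  d HH:MM:SS host message".
SYSLOG_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Events that amount to root access: direct root logins over SSH, sudo to
# root, and any PAM session opened for root (su, sshd, login).
ROOT_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Accepted \w+ for root from \S+"),
    re.compile(r"sudo: +\S+ : .*USER=root ; COMMAND="),
    re.compile(r"pam_unix\(\w+:session\): session opened for user root"),
]


def root_access_events(lines, cutoff: date = CUTOFF, year: int = 2026) -> list:
    """Return [(ISO date, host, message)] for root-access events on or after
    cutoff. The year is an assumption: syslog timestamps do not carry one."""
    events = []
    for line in lines:
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        when = date(year, MONTHS[m["mon"]], int(m["day"]))
        if when < cutoff:
            continue
        if any(p.search(m["msg"]) for p in ROOT_PATTERNS):
            events.append((when.isoformat(), m["host"], m["msg"]))
    return events


# Constructed sample inputs (lockfileVersion 3 layout, invented names/versions).
SAMPLE_LOCK = {
    "name": "constructed-sample-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-sample-app", "version": "0.1.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/example-quay-client": {"version": "2.4.1"},
        "node_modules/@example/quay-build-tools": {"version": "1.0.6"},
        "node_modules/foo/node_modules/@example/quay-build-tools": {"version": "1.0.7"},
    },
}
SAMPLE_AUTH_LOG = [  # constructed; only the first line predates the cutoff
    "May  9 22:01:13 build01 sudo:   deploy : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/npm ci",
    "May 12 03:14:07 build01 sshd[4121]: Accepted publickey for root from 203.0.113.5 port 50122 ssh2",
    "May 12 03:14:07 build01 sshd[4121]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "May 13 11:02:45 build01 sudo:   deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/bin/bash",
    "May 14 08:00:00 build01 CRON[999]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_LOCK):
        print("AFFECTED PACKAGE:", *hit)
    for ev in root_access_events(SAMPLE_AUTH_LOG):
        print("ROOT ACCESS:", *ev)
```

On a real host, run `scan_lockfile()` against every project's package-lock.json and also check global installs (`npm ls -g --json` lists them; the lockfile scan above does not see them). Hosts that log to journald rather than a text file need `journalctl -o short` output fed in first, and a lockfile match only tells you the backdoored version was pinned, not whether its install hook ever ran, so the log review stays necessary.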
IBM Security Solutions director Pierre Allard, in his assessment to Ars Technica after the incident, said 'the verifiability gap in the enterprise software supply chain is large; as the number of vendors grows, examinability drops'. Allard said that customer requests for software bill-of-materials (SBOM) had risen 40 percent after the incident.
GitHub security director Mike Hanley said in the response process that GitHub had 'launched coordination to develop comprehensive signature-verification services for Red Hat's CI/CD infrastructure'. Hanley said the software-signing ecosystem 'will undergo structural strengthening following the incident'.
EU Cybersecurity Agency (ENISA) management board member Helena Brisman, in her statement on the incident, said that 'under the EU's new Cyber Resilience Act, supply-chain incidents of this kind are classified as mandatory notification; Red Hat's incident notification remained within the 72-hour requirement'.
Goodin's piece reminded readers that the Red Hat incident was the third major open-source ecosystem event of this year. Solana Labs was compromised in March 2026, and the Kubernetes extension package under the Linux Foundation umbrella in April. This article is not personal security advice; act on affected systems in line with your organisation's security policies.