The worm, called Shai-Hulud, has all the hallmarks of malware that was released last month as a free resource. TeamPCP was the first group to use Shai-Hulud, and it promoted a contest that promised to pay $1,000 to the hacker who carried out the biggest malware attack. TeamPCP has also been behind a recent rash of supply chain attacks. Now that the worm is in the hands of many other threat groups, supply chain attacks may escalate.
The malware targets CI/CD (continuous integration / continuous deployment) systems, which let software be released quickly and reliably by automatically building, testing, and deploying code changes. The malware in Monday's attack was published through GitHub Actions OIDC (OpenID Connect), showing that Red Hat's CI/CD pipeline had been compromised. OIDC is an authentication mechanism that lets CI jobs integrate with cloud services using short-lived credentials rather than long-lived stored secrets.
Once installed, the malware scans for credentials belonging to other CI/CD systems. The compromise of Red Hat's GitHub Actions OIDC was probably the result of an attack that took over a worker machine in the pipeline.
In an email sent after this article was first published, Red Hat said it had removed the malicious packages.
“These packages are for internal development only, and the malicious code has not been published for customers to use through the console.redhat.com system,” the email said. “While our investigation is ongoing, we have not identified any potential impact to customers or our partner locations or Red Hat production systems.”
Given how effective this latest worm has been, anyone who has touched an affected package in the last 36 hours should treat their workstations, CI/CD pipelines, and all credentials for cloud services and databases as compromised. That means affected staff must drop whatever they are doing and conduct a thorough investigation.
In a recent supply chain attack on Checkmarx, the security company failed to fully evict the intruders, and Checkmarx was then hit a second time. The Checkmarx credentials used in the first attack had been stolen in an earlier attack on the developer of the Trivy software. The pivot to Checkmarx and the failure to properly remediate the original breach demonstrate how difficult it is to fully recover from such a compromise and the risks that incomplete remediation poses.
Both Socket and Aikido have published lists of the affected Red Hat packages and other indicators of compromise that anyone who may be affected should consult immediately.
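As an added illustration of the triage step described above (checking whether you have pulled in an affected package, using the indicator lists that Socket and Aikido publish), the following Python script checks an npm lockfile against a list of known-bad package versions. It is example code written for this page, not code from the article, Red Hat, Socket, or Aikido. It assumes the affected packages are npm packages (the article says only "packages"); every package name, version, and lockfile entry in IOC_LIST, SAMPLE_LOCK_V3 and SAMPLE_LOCK_V1 is a constructed placeholder, and the real indicator lists must be substituted before use.

```python
"""Check an npm lockfile against a list of known-malicious package versions.

Added example; not code from the article, Red Hat, Socket, or Aikido.
All package names, versions, and lockfile contents below are constructed.
"""
import json
import sys
from typing import Dict, Iterable, List, Set, Tuple

ANY_VERSION = "*"

# Constructed, hypothetical indicator list in "name@version" form (a bare name
# means every version is bad). Replace with the real Socket/Aikido lists.
IOC_LIST = [
    "@example-org/build-helper@1.4.2",
    "@example-org/build-helper@1.4.3",
    "example-cli-tools@0.9.1",
]

# Constructed lockfiles: one lockfileVersion 3 and one lockfileVersion 1.
SAMPLE_LOCK_V3 = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/example-cli-tools": {"version": "0.9.0"},  # safe version
        "node_modules/some-dep": {"version": "2.0.0"},
        # transitive dependency nested under some-dep: the bad version
        "node_modules/some-dep/node_modules/@example-org/build-helper": {"version": "1.4.2"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-dep": {
            "version": "2.0.0",
            "dependencies": {"example-cli-tools": {"version": "0.9.1"}},
        },
    },
}


def parse_iocs(iocs: Iterable[str]) -> Dict[str, Set[str]]:
    """Map package name -> set of bad versions ("*" means any version)."""
    bad: Dict[str, Set[str]] = {}
    for entry in iocs:
        # Scoped names begin with "@", so split on the LAST "@" only.
        name, _sep, version = entry.rpartition("@")
        if not name:  # no version part, e.g. "foo" or "@scope/foo"
            name, version = entry, ANY_VERSION
        bad.setdefault(name, set()).add(version)
    return bad


def installed_packages(lock: dict) -> List[Tuple[str, str, str]]:
    """Return (name, version, lockfile path) for every package in the lockfile,
    including transitive ones nested under another package's node_modules."""
    found: List[Tuple[str, str, str]] = []
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # The package name is whatever follows the last "node_modules/".
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            found.append((name, meta.get("version", ""), path))
    else:  # lockfileVersion 1: nested "dependencies" objects
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                found.append((name, meta.get("version", ""), path))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return found


def find_compromised(lock: dict, iocs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return every installed (name, version, path) that matches an indicator."""
    bad = parse_iocs(iocs)
    hits: List[Tuple[str, str, str]] = []
    for name, version, path in installed_packages(lock):
        versions = bad.get(name)
        if versions and (ANY_VERSION in versions or version in versions):
            hits.append((name, version, path))
    return hits


if __name__ == "__main__":
    # Usage: python check_lock.py package-lock.json iocs.txt
    with open(sys.argv[1]) as f:
        lockfile = json.load(f)
    with open(sys.argv[2]) as f:
        indicators = [line.strip() for line in f if line.strip()]
    for name, version, path in find_compromised(lockfile, indicators):
        print(f"COMPROMISED: {name}@{version} at {path}")
```

A lockfile match only tells you that the package was resolved into the project; whatever is actually on disk in node_modules, or was installed transiently on a CI runner, can differ, so a hit (or a lockfile that was regenerated in the last 36 hours) is a reason to follow the article's advice and treat the machine and every credential it held as compromised, not a complete answer in itself.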
Article has been updated to add Red Hat’s comment.