Description
Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the users' own accounts.
Statement
No Red Hat products are affected. The malicious versions were blocked from being introduced into any internal Red Hat code repositories. The impact is rated Important due to the potential for information leakage, including sensitive account credentials. This attack relied upon AI command-line (CLI) tools that are designed to be used by software developers. For customers using Red Hat systems in production, the presence of such development tools is not expected, which further limits the risk.
Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Multicluster Global Hub | multicluster-globalhub/multicluster-globalhub-grafana-rhel9 | Not affected | | |
| OpenShift Serverless | openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acm-grafana-rhel9 | Not affected | | |
| Red Hat Ansible Automation Platform 2 | automation-gateway | Not affected | | |
Additional information

CVSS3 score: 9.6 Critical