Tech

Red Hat Cloud Services npm packages compromised in supply chain breach

Security researchers have identified compromised versions of Red Hat’s open-source npm packages, with the issue formally reported on GitHub in early June 2026.

Author
Owen Mercer
Markets and Finance Editor
Published
Draft
Source: Hacker News · original
Malicious releases detected across multiple JavaScript client libraries

Malicious releases have been detected across the @redhat-cloud-services/ scope on the npm registry, constituting a significant supply chain compromise affecting Red Hat’s open-source ecosystem. The breach impacts numerous packages within the Red Hat Cloud Services portfolio, with specific vulnerable versions identified in the disclosure.

The incident was formally reported via GitHub issue #492 on the RedHatInsights/javascript-clients repository on 1 June 2026. The disclosure, originally referenced by security firm StepSecurity, highlights that the compromise extends beyond a single library, affecting a broad range of development tools and client interfaces used by enterprises.

Among the affected packages are @redhat-cloud-services/chrome, @redhat-cloud-services/compliance-client, and @redhat-cloud-services/frontend-components. The list of compromised libraries is extensive, including @redhat-cloud-services/config-manager-client, @redhat-cloud-services/entitlements-client, and various frontend components such as advisor-components and notifications.

Other impacted packages include @redhat-cloud-services/host-inventory-client, @redhat-cloud-services/insights-client, and @redhat-cloud-services/rbac-client. The compromise also touches utility libraries and configuration tools, such as @redhat-cloud-services/eslint-config-redhat-cloud-services and @redhat-cloud-services/frontend-components-config-utilities, raising concerns about the integrity of dependent projects.

The disclosure notes that specific versions of these packages are vulnerable, urging users to verify the integrity of their installed dependencies against the versions listed in the GitHub issue. Supply chain integrity checks are recommended for any systems relying on the affected npm scopes to mitigate potential risks associated with the malicious releases.

Red Hat’s javascript-clients repository serves as the central point for these open-source tools, which are critical for managing cloud services and infrastructure. The breach underscores the ongoing risks within software supply chains, where a compromise in a single scope can cascade through numerous downstream applications and enterprise environments.

Security teams and developers are advised to audit their dependency trees immediately. The identification of these malicious releases provides a clear timeline for the incident, allowing organisations to isolate affected systems and update to secure versions where available.
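One way to carry out the dependency check the disclosure recommends: walk a package-lock.json (lockfileVersion 2 or 3), list every installed package under the @redhat-cloud-services/ scope, and flag any whose version is in the advisory's list. This is an added example, not Red Hat's or StepSecurity's code; the affected versions and the lockfile fragment below are constructed placeholders, and the real version list must be taken from GitHub issue #492.

```javascript
// Audit a package-lock.json (lockfileVersion 2 or 3) for packages in a
// compromised npm scope. Added example, not code from the advisory.
const SCOPE = "@redhat-cloud-services/";

// PLACEHOLDER map: package name -> versions flagged in the advisory.
// Replace with the versions listed in GitHub issue #492.
const AFFECTED = {
  "@redhat-cloud-services/chrome": new Set(["0.0.0-placeholder"]),
  "@redhat-cloud-services/rbac-client": new Set(["0.0.0-placeholder"]),
};

// Derive the package name from a lockfile "packages" key, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
// Nested paths matter: a transitive dependency can pull in the scope too.
function nameFromPath(pathKey) {
  const parts = pathKey.split("node_modules/");
  return parts[parts.length - 1];
}

// Return every installed package in SCOPE, marking those whose exact
// version appears in the affected map. Listing the whole scope, not only
// known-bad versions, lets a team see every place the scope is pulled in.
function auditLockfile(lock, affected = AFFECTED) {
  const findings = [];
  for (const [pathKey, entry] of Object.entries(lock.packages || {})) {
    if (pathKey === "") continue; // root project entry, not a dependency
    const name = nameFromPath(pathKey);
    if (!name.startsWith(SCOPE)) continue;
    const isAffected = affected[name] ? affected[name].has(entry.version) : false;
    findings.push({ path: pathKey, name, version: entry.version, affected: isAffected });
  }
  return findings;
}

// Constructed sample lockfile fragment so the script runs stand-alone.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/chrome": { version: "0.0.0-placeholder" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-ui/node_modules/@redhat-cloud-services/rbac-client": { version: "9.9.9" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.affected ? "AFFECTED" : "in-scope"} ${f.name}@${f.version} (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fill AFFECTED from the issue.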
