RHSB-2026-006 Supply chain compromise of @redhat-cloud-services npm packages
Executive Summary
On June 1, 2026, a supply chain compromise was publicly disclosed affecting multiple packages published under the @redhat-cloud-services npm namespace. Initial investigation indicates that a compromised GitHub account was used to inject malicious code into packages maintained in a Red Hat GitHub organization.
The affected packages are frontend JavaScript libraries used in the Hybrid Cloud Console (console.redhat.com) web interface. No release of the Hybrid Cloud Console was published during the compromise window, and Red Hat's publication process includes protections that strip installation-time scripts from packages before deployment to console.redhat.com.
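The protection described above targets npm lifecycle hooks that run during `npm install`. As an added example (not Red Hat's tooling or publication pipeline), the following audits a set of package manifests for such hooks, shows the stripping step in outline, and checks whether a project `.npmrc` disables lifecycle scripts; all package names, versions and commands are constructed fixtures.

```javascript
// Added example, not Red Hat's tooling: audit npm package manifests for
// lifecycle scripts that execute at install time and verify that a project
// .npmrc disables them. Names and commands below are constructed fixtures.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Report every manifest that declares an install-time hook, with the commands.
function findInstallScripts(manifests) {
  const findings = [];
  for (const pkg of manifests) {
    const scripts = pkg.scripts || {};
    const hooks = {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === "string") hooks[hook] = scripts[hook];
    }
    if (Object.keys(hooks).length > 0) {
      findings.push({ name: pkg.name, version: pkg.version, hooks });
    }
  }
  return findings;
}

// Return a copy of a manifest with install-time hooks removed; other scripts
// (build, test, ...) are kept. Outline only; the real process is not specified here.
function stripInstallScripts(manifest) {
  const scripts = {};
  for (const [k, v] of Object.entries(manifest.scripts || {})) {
    if (!INSTALL_HOOKS.includes(k)) scripts[k] = v;
  }
  return { ...manifest, scripts };
}

// True when .npmrc ends up with ignore-scripts=true (last assignment wins,
// ';' and '#' comments skipped), which stops npm running lifecycle scripts.
function npmrcIgnoresScripts(npmrcText) {
  let value = false;
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith(";") || line.startsWith("#")) continue;
    const m = line.match(/^ignore-scripts\s*=\s*(.*)$/);
    if (m) value = m[1].trim().toLowerCase() === "true";
  }
  return value;
}

// Constructed fixtures: one clean manifest and one carrying a postinstall hook.
const SAMPLE_MANIFESTS = [
  { name: "@redhat-cloud-services/example-clean", version: "0.0.0-fixture", scripts: { build: "tsc" } },
  { name: "@example-scope/fixture-with-hook", version: "0.0.0-fixture",
    scripts: { build: "tsc", postinstall: "node ./setup.js" } },
];
```

To run this against a real tree, feed `findInstallScripts` the parsed `package.json` of each directory under `node_modules` and confirm `npmrcIgnoresScripts` on the project's `.npmrc` before installing untrusted updates.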
These packages are not related to Red Hat managed cloud services such as Azure Red Hat OpenShift (ARO), OpenShift Dedicated (OSD), Red Hat OpenShift Service on AWS (ROSA), Red Hat Advanced Cluster Security Cloud Service (ACS Cloud Service), or Red Hat Ansible Automation Platform on Cloud (AAP Managed).
Technical Summary
Preliminary analysis indicates that a compromised GitHub account was used to push unauthorized commits to repositories in the RedHatInsights GitHub organization. Red Hat engineering removed compromised versions from npm following disclosure. Red Hat is continuing to conduct build system and dependency tracking analysis to confirm no product builds contained compromised package versions. Based on current findings, no actions from customers are required.
The investigation is ongoing and this bulletin will be updated as new information emerges. Click the "FOLLOW" button below to be notified of updates.