Tech·r/programmingEditorial Pending

@redhat-cloud-services publish pipeline is compromised today and shipped a signed, trusted, malicious npm package

patch-client@4.0.4 went out through the project's own github action OIDC trusted publisher today and not any stolen token or a typosquat anything, we saw that the actual release pipeline produced it. this runs on npm install, steals cloud creds and self propagates by injecting fake CodeQL workfl

Monday, 1 June 2026

Read Original Source ›Entity Ledger ›

Discussion

Connect your wallet to join the discussion.

No comments yet. Be the first to share your take.