A sophisticated software supply chain attack has compromised official Red Hat packages on the npm registry, distributing a credential-stealing worm to developers.