A malicious Traefik Helm chart (v39.0.7) was planted in the deprecated Helm stable repository at storage.googleapis.com/kubernetes-charts, which was officially archived in November 2020. The compromised chart injects an extra file (templates/helm-config.yaml) containing a base64-encoded shell script that harvests AWS, Azure, and GCP cloud credentials plus Kubernetes service account tokens via a pre-install Helm hook Job, then exfiltrates them via HTTP POST to rspds.de (51.15.242.87), a Scaleway VPS in Paris. The attacker set up the C2 domain on April 9, 2026, and the attack went live on April 13. The malicious Job self-deletes after execution, leaving minimal forensic trace. Any organization still referencing the deprecated repository URL in Helm configs, CI/CD pipelines, GitOps configs, or IaC templates is at risk. Immediate actions include running `helm repo list` to check for the deprecated URL, rotating all cloud credentials for affected clusters, auditing Kubernetes Jobs for `helm-config` names, and verifying the chart's SHA256 against the official source at traefik.github.io/charts.
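The two checks the summary recommends, finding the deprecated bucket URL in configuration and spotting the injected pre-install hook Job inside a packaged chart, as an added stdlib-only example (not code from the advisory or from the Traefik project); the chart archives and repositories file it scans are constructed inline, and the file name and hook annotation it looks for are the ones the summary names.

```python
"""Flag references to the archived Helm stable bucket and scan a packaged
chart for the injected templates/helm-config.yaml pre-install hook Job."""
import io
import re
import tarfile

DEPRECATED_REPO = "storage.googleapis.com/kubernetes-charts"
SUSPECT_FILE = "templates/helm-config.yaml"  # file the malicious chart adds
HOOK_RE = re.compile(r"helm\.sh/hook:\s*[\"']?pre-install")


def find_deprecated_repo_refs(text):
    """1-based line numbers (repositories.yaml, CI pipeline, GitOps manifest)
    that still point at the archived stable bucket."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if DEPRECATED_REPO in line]


def scan_chart_archive(tgz):
    """Inspect a chart .tgz: does it carry the injected file, and is that
    file a Job wired to the pre-install hook?"""
    findings = {"has_helm_config": False, "pre_install_hook": False, "files": []}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Helm archives are rooted at <chart-name>/; strip that prefix.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            findings["files"].append(rel)
            if rel == SUSPECT_FILE:
                findings["has_helm_config"] = True
                body = tar.extractfile(member).read().decode("utf-8", "replace")
                if HOOK_RE.search(body) and "kind: Job" in body:
                    findings["pre_install_hook"] = True
    return findings


def build_chart(name, files):
    """Constructed test input: a minimal chart archive built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(f"{name}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a clean chart, one with the hook Job, and a repo config.
CHART_YAML = "name: traefik\nversion: 39.0.7\n"
CLEAN = build_chart("traefik", {"Chart.yaml": CHART_YAML,
                                "templates/deployment.yaml": "kind: Deployment\n"})
HOOK_JOB = "kind: Job\nmetadata:\n  name: helm-config\n  annotations:\n    helm.sh/hook: pre-install\n"
SUSPECT = build_chart("traefik", {"Chart.yaml": CHART_YAML, SUSPECT_FILE: HOOK_JOB})
CONFIG = "repositories:\n- name: stable\n  url: https://storage.googleapis.com/kubernetes-charts\n"
```

A hit from `find_deprecated_repo_refs` is the signal to repoint the repository at traefik.github.io/charts, and a hit from `scan_chart_archive` is the signal to start the credential rotation the summary calls for.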
Table of contents

- Executive Summary
- Key Facts
- Attack Timeline
- How the Attack Works
- Are Other Helm Charts on This Bucket Compromised?
- Exfiltration Infrastructure Analysis
- Chart Integrity Verification
- Indicators of Compromise
- Detection
- Remediation
- Broader Context
- A Note on Analysis Methodology
- Reporting This to Google Cloud
- Acknowledgement