


Perceptive Security
SOC/SIEM Consultancy

A mini Shai-Hulud campaign compromised Red Hat Cloud Services npm packages to steal developer and CI/CD secrets during installation.
Published:
1 June 2026 at 13:12:08
Alert date:
1 June 2026 at 15:01:43
Source:
socket.dev
Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration
Socket detected a mini Shai-Hulud supply chain attack campaign that compromised Red Hat Cloud Services npm packages. The malware executes automatically during npm install through a preinstall hook and hides its payload behind multiple layers of obfuscation and AES-GCM encryption. It targets GitHub Actions secrets, npm tokens, cloud credentials, SSH keys, and other sensitive data. Stolen data is exfiltrated encrypted to api.anthropic.com, with the GitHub API as a fallback channel. The campaign shows similarities to TeamPCP's open-source Shai-Hulud tooling; the stolen npm and GitHub credentials give the attacker what is needed to publish further malicious package versions and propagate through the supply chain.
Technical details
Malicious npm supply chain campaign involving compromised @redhat-cloud-services packages, executing at install time through a preinstall hook: the package.json declares 'preinstall': 'node index.js', so the loader runs automatically during npm install. The payload uses multiple obfuscation layers, including char-code arrays, Caesar/ROT transforms and AES-128-GCM encrypted embedded payloads that are decrypted at runtime. The loader downloads the Bun runtime to execute the payload and writes the decrypted payload to randomized /tmp/p*.js files. It includes anti-analysis checks (Russian locale, CI/CD detection) and daemonizes on non-CI systems. It harvests GitHub Actions secrets, npm tokens, cloud credentials, SSH keys and cryptocurrency wallet files, and exfiltrates them via encrypted HTTPS POST to api.anthropic.com, falling back to commits through the GitHub API.
Mitigation steps:
Treat any system that installed affected @redhat-cloud-services package versions as potentially compromised
Search repositories, lockfiles, CI logs, and build artifacts for affected package names and versions
Review package-lock.json, npm-shrinkwrap.json, yarn.lock, pnpm-lock.yaml files
Isolate affected developer workstations and preserve logs before remediation
Suspend affected workflow runs and invalidate build artifacts produced during the exposure window
Remove malicious package versions and replace with known-clean versions
Clear local and CI package caches where affected tarballs may persist
Rebuild from clean environments rather than reusing existing runners
Rotate GitHub tokens, npm tokens, cloud provider credentials, Kubernetes tokens, SSH keys
Audit GitHub organization activity for suspicious repositories, branches, workflow files
Review npm publisher activity for unexpected package versions or metadata changes
Search for temporary payload artifacts like /tmp/p*.js files and Bun extraction directories
Restrict GitHub Actions token permissions to least privilege
Use dependency allowlisting and package verification
Add network egress controls for CI/CD runners
Monitor for unexpected outbound traffic during dependency installation
Affected products:
@redhat-cloud-services/chrome version 2.3.1
@redhat-cloud-services packages (Red Hat Cloud Services namespace)
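The hunt described in the mitigation steps above, as an added example written for this page (not Socket's or Red Hat's code): a Python triage helper that flags the affected version in a package-lock.json, install-time lifecycle hooks in installed @redhat-cloud-services packages, token-shaped strings in CI logs (the gh[op]_, npm_ and ghs_ patterns from the IOC list below), and the randomized /tmp/p*.js drop files. The lockfile, package.json, log lines and scratch directory embedded in the block are constructed samples; the function names are mine, and so is the assumption that the tmp.0987654321.lock marker sits in the same directory as the drop files.

```python
"""Triage helper for the @redhat-cloud-services npm compromise (added example, not vendor code)."""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# Versions named on this page as compromised. Extend the set as the advisory is updated.
AFFECTED = {"@redhat-cloud-services/chrome": {"2.3.1"}}
SCOPE = "@redhat-cloud-services/"
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Credential formats taken from the IOC list (GitHub PAT/OAuth, npm token, Actions job token).
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"gh[op]_[A-Za-z0-9]{36,}"),
    "npm_token": re.compile(r"npm_[A-Za-z0-9]{36,}"),
    "actions_token": re.compile(r"ghs_\d+_[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}


def affected_in_lockfile(lock: dict) -> list[tuple[str, str]]:
    """Return (name, version) for every affected package version in a package-lock.json.
    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path, possibly nested)
    and lockfileVersion 1 ("dependencies" keyed by name, nested recursively)."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = path.split("node_modules/")[-1]
        if meta.get("version") in AFFECTED.get(name, ()):
            hits.append((name, meta["version"]))

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if meta.get("version") in AFFECTED.get(name, ()):
                hits.append((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(set(hits))


def risky_install_hooks(pkg_json: dict) -> list[str]:
    """Flag install-time lifecycle scripts in an installed package.json. The campaign shipped
    'preinstall': 'node index.js'; any install hook in the compromised scope deserves review,
    not only that exact string."""
    name = pkg_json.get("name", "")
    scripts = pkg_json.get("scripts", {})
    return [f"{name} {hook}: {scripts[hook]}" for hook in INSTALL_HOOKS if hook in scripts]


def scan_node_modules(root: Path) -> list[str]:
    """Apply risky_install_hooks to every installed package in the compromised scope."""
    findings: list[str] = []
    for pkg in root.glob(f"node_modules/{SCOPE}*/package.json"):
        findings += risky_install_hooks(json.loads(pkg.read_text()))
    return findings


def leaked_tokens(log_text: str) -> dict[str, list[str]]:
    """Find token-shaped strings in CI or install logs. Matches are cut to an 8-character
    prefix so the triage report does not become a second leak; rotate anything that matches."""
    found: dict[str, list[str]] = {}
    for kind, pattern in TOKEN_PATTERNS.items():
        matches = [m.group(0)[:8] + "..." for m in pattern.finditer(log_text)]
        if matches:
            found[kind] = matches
    return found


def payload_artifacts(tmp_dir: Path) -> list[str]:
    """List the randomized p*.js drop files and the lock marker from the IOC list.
    Assumption: both live in the directory passed in (normally /tmp)."""
    names = [p.name for p in tmp_dir.glob("p*.js")]
    names += [p.name for p in tmp_dir.glob("tmp.0987654321.lock")]
    return sorted(names)


# Constructed sample inputs, not files recovered from an incident.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@redhat-cloud-services/chrome": {"version": "2.3.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}
SAMPLE_PKG_JSON = {
    "name": "@redhat-cloud-services/chrome",
    "version": "2.3.1",
    "scripts": {"preinstall": "node index.js", "build": "tsc"},
}
SAMPLE_LOG = "\n".join([
    "GITHUB_TOKEN=ghp_" + "A" * 36,          # constructed, matches gh[op]_ pattern
    "NPM_TOKEN=npm_" + "B" * 36,             # constructed, matches npm_ pattern
    "ACTIONS_ID_TOKEN=ghs_12345_abc.def.ghi",  # constructed, matches ghs_ pattern
    "not a token: ghx_" + "C" * 36,          # wrong prefix, must not match
])


def demo_artifacts() -> list[str]:
    """Build a scratch directory holding a constructed drop file and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "p1a2b3c.js").write_text("// constructed stand-in for a decrypted payload\n")
        Path(d, "tmp.0987654321.lock").touch()
        Path(d, "unrelated.txt").touch()
        return payload_artifacts(Path(d))


if __name__ == "__main__":
    print("affected versions:", affected_in_lockfile(SAMPLE_LOCK))
    print("install hooks:", risky_install_hooks(SAMPLE_PKG_JSON))
    print("token-shaped strings:", leaked_tokens(SAMPLE_LOG))
    print("drop artifacts:", demo_artifacts())
```

Point affected_in_lockfile at every package-lock.json in the repository (yarn.lock and pnpm-lock.yaml need their own parsers) and scan_node_modules at each checkout and CI workspace; treat every token-shaped match as already stolen and rotate before investigating further. When reinstalling from a clean version, npm's --ignore-scripts flag (or ignore-scripts=true in .npmrc) prevents any remaining preinstall hook from running during remediation, at the cost of breaking packages that legitimately build native code at install time.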
Related links:
https://socket.dev/blog/teampcp-supply-chain-attack-contest
https://socket.dev/supply-chain-attacks/red-hat-cloud-services-package-compromise
https://socket.dev/npm/package/@redhat-cloud-services/chrome
https://api.github.com
https://api.github.com/graphql
https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/
https://registry.npmjs.org/-/npm/v1/tokens
https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/
https://registry.npmjs.org/-/whoami
https://registry.npmjs.org/-/v1/search?text=maintainer:<user>&size=250
https://fulcio.sigstore.dev/api/v2/signingCert
https://rekor.sigstore.dev/api/v1/log/entries
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/api/token
http://169.254.170.2
https://login.microsoftonline.com
https://management.azure.com
https://vault.azure.net
https://secretmanager.googleapis.com
https://cloudresourcemanager.googleapis.com
https://api.anthropic.com:443/v1/api
Related CVEs:
Related threat actors:
IOCs:
api.anthropic.com
https://api.anthropic.com:443/v1/api
/tmp/p*.js
tmp.0987654321.lock
f4abccab2
thebeautifulmarchoftime
IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner
Miasma: The Spreading Blight
results-<timestamp>-<counter>.json
python-requests/2.31.0
gh auth token
preinstall:node index.js
SHA-256: 88896d478986d453f5da79b311de39d9b4b1bea95c21af1d8ef181b0f4e52fe9
SHA-256: 21b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4
SHA-256: ee262510cb246d2b904991aee7fc61162bdae34463439ec6383bd5356479d362
SHA-256: ac2a2208e1726e008be6c73dc0872d9bba163319259dff1b62055ac933ca46b6
SHA-256: 0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35
gh[op]_[A-Za-z0-9]{36,}
npm_[A-Za-z0-9]{36,}
ghs_\d+_[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+
__IS_DAEMON
SKIP_DOMAIN
This article was created with the assistance of AI technology by Perceptive.
