Red Hat Cloud Services NPM Packages Targeted in Shai Hulud Supply Chain Attack

On June 2, 2026, Socket Dev released a detailed threat report titled Shai Hulud Supply‑Chain Campaign Targets Red Hat Cloud Services npm Packages. The publication exposes a coordinated malware operation that leveraged compromised @redhat-cloud-services packages to infiltrate developer environments and continuous integration workflows. This article distills the findings, technical underpinnings, operational impact, and actionable defenses into a format suitable for security analysts and DevOps teams.

Threat Overview

The attackers executed what Socket describes as a “mini Shai‑Hulud” campaign—an assault that mirrors the tactics of the larger Shai‑Hulud framework but with a narrower focus on Red Hat Cloud Services npm modules. The malicious payload is delivered via preinstall hooks in package.json, ensuring execution before any application code runs. Once installed, the malware proceeds to decrypt and execute an obfuscated JavaScript layer that harvests credentials from the host environment, exfiltrates data over encrypted channels, and attempts secondary propagation through GitHub repositories.

Technical Analysis

Obfuscation & Staging
The offending packages embed a multi‑stage loader in index.js. The file starts with an array of character codes that is decoded through a Caesar/ROT transformation and eval’ed to produce an asynchronous wrapper. This wrapper decrypts two AES‑128‑GCM blobs: a helper script for the Bun runtime, and the main malicious payload.

During execution, the wrapper writes the decrypted code to a random temporary file – /tmp/p.js – and runs it using bun run. If Bun is not present, a silent download from the official GitHub releases page (hxxps://github[.]com/oven‑sh/bun/releases/download/bun‑v1.3.13/…/bun‑{os}{arch}.zip) is performed via curl, unzipped, and executed. After completion, the temporary file is deleted.

Credential Harvesting
The payload enumerates a wide range of secrets: GitHub CLI tokens (gh auth token), npm tokens, cloud provider credentials (AWS, Azure, GCP), Kubernetes configs, Docker registry authentication, SSH private keys, and even cryptocurrency wallet files. It collects environment variables, hostnames, usernames, and scans the file system for patterns such as gh[op]_[A-Za-z0-9]{36} or npm_[A-Za-z0-9]{36,}.

Exfiltration
Collected data is compressed with gzip, encrypted first with AES‑256‑GCM and then wrapped in RSA‑PKCS1_OAEP (SHA‑256). The final payload is transmitted to the hardcoded endpoint hxxps://api[.]anthropic[.]com:443/v1/api. When a valid GitHub token is available, the malware falls back to committing encrypted JSON files named results‑.json into repositories via the GitHub REST API.

Operational Impact

The attack’s reach is extensive: 95 distinct package versions across multiple namespaces were affected, including @redhat-cloud-services/chrome, @redhat-cloud-services/vulnerabilities-client, and many UI component libraries. Because the malicious code runs during npm install, any build pipeline that pulls these packages—whether locally, on a CI runner, or in a container image—is at risk of credential theft and downstream propagation.

Recommendations & Mitigation Steps

  • Audit Dependencies: Search project lockfiles (package‑lock.json, yarn.lock, pnpm‑lock.yaml) for the affected package names and versions. Verify that no installation occurred after the publication date.
  • Isolate Affected Hosts: If a developer workstation installed a compromised package, isolate the machine immediately, preserve logs, and avoid running any further npm commands until remediation.
  • Remove Malicious Releases: Delete the vulnerable packages from all repositories and replace them with known‑clean versions. Clear local and CI caches to eliminate cached tarballs.
  • Rotate Credentials: Assume that tokens and secrets may have been exfiltrated. Rotate GitHub, npm, cloud provider, Docker, SSH, and any personal access tokens across all affected environments.
  • Strengthen CI/CD Controls: Disable default preinstall scripts in npm by using the --ignore-scripts flag. Allowlist only trusted packages’ install scripts. Segregate build, test, and publishing stages to prevent accidental exposure of secrets.
  • Implement Network egress monitoring: Detect outbound traffic to suspicious endpoints such as hxxps://api[.]anthropic[.]com, GitHub Contents API writes, or runtime downloads from unknown URLs. Block unexpected requests from build agents.

Indicators of Compromise

File & Process Artifacts: /tmp/p.js, /tmp/b-*/b.zip, /tmp/b-*/bun[.]exe, tmp.0987654321.lock, process trees containing node index.js, bun run, or gh auth token.

Network Activity: Connections to hxxps://api[.]anthropic[.]com:443/v1/api, GitHub API calls, and downloads from the official Bun release page.

GitHub Repositories: Newly created files named results‑.json or commit messages containing “IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner”.

Conclusion

The Shai Hulud supply‑chain attack demonstrates how a seemingly innocuous npm package can become a vector for widespread credential theft and lateral movement. By combining install‑time execution, advanced obfuscation, encrypted exfiltration, and GitHub fallback channels, the attackers maximized impact while evading static analysis. Security teams must adopt a defense‑in‑depth strategy that includes rigorous dependency validation, runtime monitoring of lifecycle scripts, strict credential hardening, and proactive incident response to neutralize such threats before they compromise production systems.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading