Supply Chain | Jun 1, 2026

Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages

Malicious @redhat-cloud-services npm packages execute credential harvesting malware at install time.

Summary

Socket has detected a supply chain attack on Red Hat Cloud Services npm packages, which use preinstall lifecycle hooks to execute obfuscated malware designed to steal credentials, GitHub tokens, cloud credentials, and CI/CD secrets. The attack mirrors the tactics of the publicly released Shai-Hulud toolkit, using AES-128-GCM encryption, Bun runtime staging, and both direct and GitHub-based exfiltration channels. The campaign highlights how open-source malware tooling lowers the barrier for multiple threat actors to conduct similar attacks against the JavaScript ecosystem.

Full text

Research/Security News

Famous Chollima Targets PHP Developers Through Compromised Packagist Package

The North Korean malware loader hides in a Packagist-listed package and its GitHub branch to fetch and execute remote code in a likely Contagious Interview-style lure.

By Kirill Boychenko - May 31, 2026

Indicators of Compromise

  • url — https://api.anthropic.com:443/v1/api
  • malware — Shai-Hulud

Entities

  • @redhat-cloud-services/chrome (product)
  • Red Hat (vendor)
  • npm (technology)
  • Shai-Hulud (campaign)
  • Bun (technology)