New Shai-Hulud hits npm: @redhat-cloud-services Compromised

A Multi-Stage Dropper Contaminated the @redhat-cloud-services Organization in npm

Overview

An infostealer has compromised the @redhat-cloud-services organization in npm. It steals GitHub tokens, npm tokens, AWS, GCP and Azure cloud credentials, and local environment information.

This malware is a variant of Shai-Hulud, now carrying the string “Miasma: The Spreading Blight”. It contains the same code and signatures as the original open-sourced version of the malware, with more obfuscation and multi-stage loading logic.

Our analysis shows that this variant infected its first repository on 29 May 2026 06:10:44 +0800. This may indicate the threat actor’s testing, or a prior infection spreading before the @redhat-cloud-services compromise.

This is a direct follow-up to the stream of supply chain attacks that have hit npm in recent months.

Who is affected

Anyone who installed the latest version of dependencies from the @redhat-cloud-services organization during the exposure period.

Impact

  • Total affected packages – 31+ (see the table below)

  • Total accumulated weekly downloads – 116,282

  • Over 210 repositories in GitHub with stolen credentials.

Recommended Actions

  1. Rotate your keys and add 2FA to your accounts

  2. Downgrade the affected packages to a safe version

Infection Analysis

We found over 210 infected repositories on GitHub containing stolen credentials; you can follow the infection as it spread at this link.

The infection is similar to what we’ve seen in the other Shai-Hulud Mini variants: the stolen information is encrypted and sent to a new repository on GitHub.

When searching for infected repositories on GitHub, we can see that the first commit containing the “Miasma: The Spreading Blight” string appeared on 29 May 2026, showing that either this variant was already active 4 days ago, or the threat actor started testing around that time.

Technical Analysis

The malware has the same Shai-Hulud infostealing logic, going after environment variables, crypto wallets, AWS, GCP and Azure cloud configurations, SSH keys, npm tokens, GitHub tokens, and basically anything else on the machine. It uses api.anthropic.com as a decoy remote C2 server while sending the stolen information to a new repository on GitHub, and replaces the original “Shai-Hulud” string with “Miasma” in the newly created repositories. It also keeps the same destructive behavior: wiping the affected machine if the stolen tokens are revoked.

  1. Uses the victim’s stolen GitHub token to create a public repository on the victim’s own account, with the repository description “Miasma: The Spreading Blight”.

  2. Commits the stolen secrets to the exfiltration repository.

  3. AWS credential theft, covering environment variables, profiles, EC2 and ECS.

  4. Azure credential theft, covering token sources and a Key Vault dump.

  5. Local file scanner for sensitive file patterns and crypto wallets.

  6. Kubernetes secrets and regex-based secret scanner.

  7. A decoy HTTP C2 server at api.anthropic.com.

  8. Token check logic that wipes the current machine if the stolen token has been revoked, carrying the threat string “IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner”.

Post Infection Technical Analysis

After the initial infection and the already known Shai-Hulud behavior, we found a couple of new and interesting behaviors embedded in even more deeply nested payloads. The malware carries about 14 fourth-stage payloads; most of them are bun installers, while the others have the following logic:

  • Memory dump, targeting Windows, Linux & MacOS

  • Claude Code configuration infection

  • GitHub Actions information leak

  • Python script that downloads a 5th stage payload, which later downloads a 6th stage payload from GitHub containing a modified version of the current malware

  • A token monitoring logic

Memory dump logic

GitHub Actions leakage

Claude Code malicious hooks

Token monitoring logic

The 5th stage payload download script looks for a GitHub commit containing the string “firedalazer”.

It leads to this commit on GitHub.

The commit decodes into the 5th stage payload: https://raw[.]githubusercontent[.]com/letsgo0/sayyadina-phibian-159/refs/heads/main/setup.py

The 5th stage payload in turn references a 6th stage payload at https://raw[.]githubusercontent[.]com/letsgo0/sayyadina-phibian-159/refs/heads/main/index.js

The 6th stage payload is similar to the one found in the original @redhat-cloud-services compromise by this malware, but carries a different embedded payload which we have not yet analyzed.

Conclusions

We’ve already documented the first phase of TeamPCP copycats after the group went open source 3 weeks ago. Now we’re looking at more resilient and aggressive variants: not only did they change the “Shai-Hulud” name, they added two more dropper and encryption layers to further hide the infostealing logic, and added the “api.anthropic.com” URL as a decoy to throw researchers off from understanding what the malware does or where it sends the information.

npm still hasn’t solved its malware problem, and it seems that the actions taken to mitigate the theft of npm developer accounts are ineffective at blocking supply chain malware from spreading.

Even if npm completely solves the problem of account takeover, npm maintainers could still be tricked or bribed into giving threat actors access to their accounts, injecting malicious code into the installs of millions of affected users. We urge npm to focus on malware detection and prevention on their platform, before another GitHub-scale compromise hits again.

Affected Packages

| Package name | Affected versions |
|---|---|
| @redhat-cloud-services/types | 3.6.1 |
| @redhat-cloud-services/frontend-components-utilities | 7.4.1 |
| @redhat-cloud-services/frontend-components | 7.7.2 |
| @redhat-cloud-services/rbac-client | 9.0.3 |
| @redhat-cloud-services/javascript-clients-shared | 2.0.8 |
| @redhat-cloud-services/frontend-components-config-utilities | 4.11.2 |
| @redhat-cloud-services/frontend-components-notifications | 6.9.2 |
| @redhat-cloud-services/tsc-transform-imports | 1.2.2 |
| @redhat-cloud-services/frontend-components-config | 6.11.3 |
| @redhat-cloud-services/eslint-config-redhat-cloud-services | 3.2.1 |
| @redhat-cloud-services/host-inventory-client | 5.0.3 |
| @redhat-cloud-services/rule-components | 4.7.2 |
| @redhat-cloud-services/frontend-components-remediations | 4.9.2 |
| @redhat-cloud-services/frontend-components-translations | 4.4.1 |
| @redhat-cloud-services/frontend-components-advisor-components | 3.8.2 |
| @redhat-cloud-services/entitlements-client | 4.0.11 |
| @redhat-cloud-services/chrome | 2.3.1 |
| @redhat-cloud-services/notifications-client | 6.1.4 |
| @redhat-cloud-services/compliance-client | 4.0.3 |
| @redhat-cloud-services/sources-client | 3.0.10 |
| @redhat-cloud-services/integrations-client | 6.0.4 |
| @redhat-cloud-services/frontend-components-testing | 1.2.1 |
| @redhat-cloud-services/remediations-client | 4.0.4 |
| @redhat-cloud-services/insights-client | 4.0.4 |
| @redhat-cloud-services/topological-inventory-client | 3.0.10 |
| @redhat-cloud-services/config-manager-client | 5.0.4 |
| @redhat-cloud-services/hcc-pf-mcp | 0.6.1 |
| @redhat-cloud-services/quickstarts-client | 4.0.11 |
| @redhat-cloud-services/patch-client | 4.0.4 |
| @redhat-cloud-services/hcc-feo-mcp | 0.3.1 |
| @redhat-cloud-services/hcc-kessel-mcp | 0.3.1 |
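To act on the recommendation to downgrade the affected packages, a practitioner first needs to know whether any of the versions in the table above are actually pinned in a project. The following is an added example, not code from the OX Security post: it walks an npm lockfile (lockfileVersion 1, 2 or 3) and reports every installed copy of an affected version, including copies nested under other dependencies. The AFFECTED map holds a subset of the table, and SAMPLE_LOCK is a constructed lockfile used as input.

```javascript
// Added example (not from the OX Security post): flag lockfile entries matching
// the @redhat-cloud-services versions in the Affected Packages table. Handles
// lockfileVersion 2/3 ("packages" map) and lockfileVersion 1 ("dependencies" tree).
// AFFECTED holds a subset of the table; add the remaining rows before real use.
const AFFECTED = {
  '@redhat-cloud-services/types': ['3.6.1'],
  '@redhat-cloud-services/frontend-components-utilities': ['7.4.1'],
  '@redhat-cloud-services/frontend-components': ['7.7.2'],
  '@redhat-cloud-services/rbac-client': ['9.0.3'],
  '@redhat-cloud-services/chrome': ['2.3.1'],
};
// The package name is whatever follows the last "node_modules/" in the path.
function nameFromPath(pkgPath) {
  const idx = pkgPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : pkgPath.slice(idx + 'node_modules/'.length);
}
// Returns [{ name, version, path }] for every installed copy of an affected version.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  if (lock.packages) {                      // lockfileVersion 2 or 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || nameFromPath(path);
      if (name && (affected[name] || []).includes(meta.version)) {
        hits.push({ name, version: meta.version, path });
      }
    }
  } else if (lock.dependencies) {           // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if ((affected[name] || []).includes(meta.version)) {
          hits.push({ name, version: meta.version, path });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample (v3): a clean older version plus an affected copy nested under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/types': { version: '3.6.0' },
    'node_modules/some-dep': { version: '1.2.3' },
    'node_modules/some-dep/node_modules/@redhat-cloud-services/chrome': { version: '2.3.1' },
  },
};
console.log(JSON.stringify(findAffected(SAMPLE_LOCK)));
```

Against a real project, load `package-lock.json` with `JSON.parse` and pass it to `findAffected`; an empty result means none of the listed versions is installed at any depth.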

The post New Shai-Hulud hits npm: @redhat-cloud-services Compromised appeared first on OX Security.