Red Hat compromise resembles Mini Shai-Hulud project from TeamPCP
On June 1, 2026, multiple packages published under the Red Hat npm namespace @redhat-cloud-services were backdoored with a credential-stealing worm closely resembling the publicly released Mini Shai-Hulud project from TeamPCP.
Affected packages target information such as npm tokens, GitHub tokens, cloud credentials (AWS, Google Cloud, Azure), and local build/development information or secrets.
The compromised packages use a preinstall script that runs a suspiciously inflated index.js file; legitimate index.js entry points are traditionally small. The malicious install script contained multiple layers of obfuscation, multi-stage payload delivery, self-propagation with the ability to publish malicious packages without two-factor authentication, and, as noted above, info-stealing capabilities targeting enterprise environments.
Red Hat Product Security confirmed that the supply chain compromise affected hundreds of Node.js (npm) components but stated that no compromised versions are used by any Red Hat software.
Miasma variant of Mini Shai-Hulud steals credentials and secrets, delivers self-propagating worm
On June 1, 2026, at 6:52 a.m. EDT, a Red Hat developer identity, “justinorringer”, was used to make the first of many malicious commits to the Red Hat npm namespace.
Notable malicious commit activity by this account targeted RedHatInsights/insights-chrome, where a setup.js file was published containing heavily obfuscated JavaScript. The first stage relied on character-code substitution and regular-expression replacement to turn an array of 1.2 million numbers into text, which revealed the next layer of obfuscation.
The next stage uses AES-128-GCM to decrypt two hexadecimal strings, each with its own AES key and IV.
The first, shorter string installs the Bun JavaScript runtime on Windows, Linux, and macOS from its public GitHub repository. The second decrypts into yet another layer of obfuscation, now clearly recognizable as minified JavaScript. Deobfuscating this layer yields the logic layer that holds the final payloads.
The final layer, reached after three layers of obfuscation and encryption, holds logic consistent with the Mini Shai-Hulud infostealer and uses a custom decryptor for strings that would otherwise be detectable at this level. Because these strings must be decrypted at runtime, the decryptor function itself can be used to reveal them.
Several types of credentials and secrets are targeted, including GitHub Actions and workflow secrets, AWS, Anthropic, Jenkins, CircleCI, Bitbucket, Vercel, Netlify, and npm. If npm credentials are found, a “publish” command is issued, abusing the trust relationship between GitHub and npm to publish the malicious packages.
Captured GitHub secrets and credentials are used to propagate the worm, as Shai-Hulud variants are known to do.
The final payloads use a second AES-based decryptor function to produce several files: local scripts used for memory dumping and persistence, poisoned files used to propagate through GitHub, and encryption keys for outbound connections.
The cat.py script used for persistence queries GitHub for commits containing the keyword firedalazer; if the commit message verifies against an embedded public key, the script fetches the URL provided in the message and downloads and executes the payload hosted there.
Payloads served through this channel have since been removed; the attackers likely host them only for as long as needed.
Mitigations for Miasma variant of Mini Shai-Hulud
To mitigate the risk of a breach resulting from the Mini Shai-Hulud Miasma variant, organizations should implement multiple layers of hardening across their software supply chain and CI/CD infrastructure.
Dependency installation processes should disable npm lifecycle scripts whenever possible (for example, by using npm ci --ignore-scripts) and only permit approved installation scripts when explicitly required.
Additional supply chain protections should include:
- Enforcing package cool-down periods for newly published versions
- Leveraging malicious-package intelligence feeds
- Maintaining dependency allowlists
- Enforcing lockfiles
- Performing package behavior analysis
- Maintaining SBOM-based inventories
GitHub Actions permissions should be restricted by default, with id-token: write privileges granted only to tightly scoped release jobs. Publishing workflows should require protected branches and environments, and untrusted workflow modifications should be prevented from obtaining publish-capable identities.
Organizations should also validate build provenance beyond repository ownership and workflow paths by verifying branch and reference information, commit signing status, protected environments, source commits, workflow changes, build triggers, and expected artifacts.
Continuous monitoring of CI/CD systems and developer workstations for suspicious outbound connections during package installation is recommended, particularly for unexpected communications involving GitHub API write operations, npm token endpoints, Bun runtime downloads, cloud metadata services, and api.anthropic.com:443/v1/api.
Finally, runner-level security controls should be considered to monitor process execution, file access, network egress, and memory access during dependency installation. Such controls may help detect the behaviors observed in this campaign.
IOCs
GitHub repository markers
- Miasma: The Spreading Blight
- Miasma : The Spreading Blight
- try{eval(function(s,n){return s.replace(/[a-zA-Z]/g,function(c)
- results-<timestamp>-<counter>.json
- results/results-<timestamp>-<counter>.json
- IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner
- IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:<token>
Host artifacts and execution indicators
- preinstall lifecycle script executing node index.js
- node index.js
- bun run /tmp/p*.js
- /tmp/p<random>.js
- /tmp/b-*/b.zip
- /tmp/b-*/bun
- /tmp/b-*/bun.exe
- tmp.0987654321.lock
- curl -sSL
- unzip -j -o
- gh auth token
- ps aux 2>/dev/null
- tasklist 2>/dev/null
- sudo python3
- __IS_DAEMON
- SKIP_DOMAIN
String indicators
- f4abccab2
- thebeautifulmarchoftime
- python-requests/2.31.0
- gh auth token
- "preinstall":"node index.js"
- "main":"index.js"
- createDecipheriv("aes-128-gcm"
- createCipheriv("aes-256-gcm"
- RSA_PKCS1_OAEP_PADDING
- oaepHash:"sha256"
File/token collection
- ~/.aws/config
- ~/.aws/credentials
- ~/.azure/accessTokens.json
- ~/.azure/msal_token_cache.*
- ~/.config/gcloud/application_default_credentials.json
- ~/.config/gcloud/access_tokens.db
- ~/.config/gcloud/credentials.db
- ~/.docker/config.json
- /root/.docker/config.json
- /var/run/docker.sock
- ~/.kube/config
- /var/run/secrets/kubernetes.io/serviceaccount/token
- /etc/rancher/k3s/k3s.yaml
- .env
- .env.local
- .env.production
- ~/.npmrc
- .npmrc
- ~/.yarnrc
- ~/.pypirc
- ~/.netrc
- ~/.ssh/id*
- ~/.ssh/id_rsa
- ~/.ssh/id_ed25519
- ~/.ssh/config
- ~/.ssh/known_hosts
- /etc/ssh/ssh_host_*_key
- ~/.git-credentials
- .git-credentials
- ~/.config/git/credentials
- ~/.gitconfig
- ~/.bitcoin/wallet.dat
- ~/.ethereum/keystore/*
- ~/.electrum/wallets/*
Targeted secrets
- GITHUB_TOKEN
- ACTIONS_RUNTIME_TOKEN
- ACTIONS_ID_TOKEN_REQUEST_URL
- ACTIONS_ID_TOKEN_REQUEST_TOKEN
- NPM_TOKEN
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN
- AWS_SHARED_CREDENTIALS_FILE
- AWS_CONFIG_FILE
- AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
- AWS_CONTAINER_CREDENTIALS_FULL_URI
- AWS_WEB_IDENTITY_TOKEN_FILE
- AWS_ROLE_ARN
- AWS_ROLE_SESSION_NAME
- AWS_PROFILE
- AZURE_TENANT_ID
- ARM_TENANT_ID
- AZURE_CLIENT_ID
- ARM_CLIENT_ID
- AZURE_CLIENT_SECRET
- ARM_CLIENT_SECRET
- AZURE_FEDERATED_TOKEN_FILE
- ARM_OIDC_TOKEN_FILE_PATH
- GOOGLE_APPLICATION_CREDENTIALS
- GCP_PROJECT
- GCLOUD_PROJECT
- GOOGLE_CLOUD_PROJECT
- DEVSHELL_PROJECT_ID
- KUBECONFIG
- KUBERNETES_SERVICE_HOST
- KUBERNETES_SERVICE_PORT
- VAULT_ADDR
- VAULT_TOKEN
- VAULT_AUTH_TOKEN
- VAULT_API_TOKEN
Token patterns
- gh[op]_[A-Za-z0-9]{36,}
- npm_[A-Za-z0-9]{36,}
- ghs_\\d+_[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+
- ghs_[A-Za-z0-9]{36,}
Embedded public keys