Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages
A supply chain attack dubbed 'Mini Shai-Hulud' compromised numerous npm packages, notably within the @redhat-cloud-services namespace. The malicious packages use preinstall hooks to execute an obfuscated loader that decrypts and runs a credential-harvesting payload via the Bun runtime, targeting CI/CD secrets, cloud credentials, and developer tokens for encrypted exfiltration.
- filenametmp.0987654321.lockLock file created by the malware to prevent duplicate running instances.
- npm_package@redhat-cloud-services/chromeRepresentative malicious npm package used in the supply chain attack.
- sha2560dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35Hash of the decrypted main payload.
- sha25621b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4Hash of the malicious package/index.js loader.
- sha25688896d478986d453f5da79b311de39d9b4b1bea95c21af1d8ef181b0f4e52fe9Hash of the malicious @redhat-cloud-services_chrome-2.3.1.tar.gz package.
- sha256ac2a2208e1726e008be6c73dc0872d9bba163319259dff1b62055ac933ca46b6Hash of the decrypted Bun helper script.
- sha256ee262510cb246d2b904991aee7fc61162bdae34463439ec6383bd5356479d362Hash of the malicious package/package.json.
- urlhxxps://api[.]anthropic[.]com:443/v1/apiAbused legitimate API endpoint used as the primary destination for encrypted exfiltration.
Detection / HunterGoogle
What Happened
Attackers published malicious software packages that look like legitimate Red Hat Cloud Services tools. When a developer or automated system installs these packages, hidden code automatically runs and steals sensitive passwords, cloud access keys, and source code tokens. This matters because stolen credentials can allow attackers to access company networks, cloud environments, and code repositories. Organizations should check if they downloaded these specific packages, remove them, and immediately change any passwords or keys that might have been exposed.
Key Takeaways
- Malicious npm packages published under the @redhat-cloud-services namespace execute obfuscated payloads during the preinstall phase.
- The malware decrypts and executes a secondary payload using Bun, downloading the Bun runtime silently if not already present.
- The primary goal is harvesting sensitive credentials, including GitHub Actions secrets, cloud provider tokens, and SSH keys.
- Exfiltration occurs via encrypted HTTPS POST to an abused Anthropic API endpoint, with a fallback mechanism of committing encrypted JSON files to GitHub repositories.
- The malware daemonizes on non-CI systems to maintain persistence and continue scanning developer workstations.
Affected Systems
- Node.js environments
- CI/CD pipelines (especially GitHub Actions)
- Developer workstations installing the affected npm packages
Attack Chain
The attack begins when a victim installs a compromised npm package, triggering a preinstall script that runs an obfuscated JavaScript loader. This loader decrypts an embedded payload using AES-128-GCM, writes it to a temporary file, and executes it using the Bun runtime, which it downloads silently if necessary. Once running, the malware harvests sensitive environment variables, cloud credentials, and SSH keys, and daemonizes on non-CI systems for persistence. Finally, the stolen data is compressed, encrypted, and exfiltrated via HTTPS POST to an abused API endpoint, with a fallback mechanism of committing encrypted JSON files to GitHub repositories.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide ready-to-use detection rules, but it lists numerous behavioral indicators, file paths, and string artifacts that can be used to build custom detections.
Detection Engineering Assessment
EDR Visibility: High — EDR solutions should easily capture process creation events like node spawning curl, unzip, and bun, as well as the creation of suspicious files in /tmp. Network Visibility: Medium — While the exfiltration is encrypted HTTPS, the destination (api.anthropic.com) is unusual for a package installation process. The download of the Bun binary from GitHub releases is also visible. Detection Difficulty: Moderate — The obfuscation and runtime decryption hide the payload from static analysis, but the behavioral chain (node -> curl -> unzip -> bun) during an npm install is highly anomalous and detectable.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- File Creation (Sysmon 11)
- Network Connections (Sysmon 3)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for node.js processes spawning curl or wget to download files from GitHub releases, particularly the Bun runtime, which is atypical during standard package installations. | Process Creation | Execution | Low |
| If you have visibility into process execution, look for bun run executing scripts from the /tmp directory (e.g., /tmp/p*.js). | Process Creation | Execution | Low |
| Consider hunting for the execution of 'gh auth token' by non-interactive or background processes, indicating potential credential harvesting. | Process Creation | Credential Access | Low |
| Evaluate whether node.js or bun processes are making unexpected outbound network connections to api.anthropic.com during CI/CD pipeline runs. | Network Connections | Exfiltration | Medium |
Control Gaps
- Static code analysis (bypassed by AES-GCM runtime decryption)
- Standard dependency vulnerability scanners (malware is newly published, not a known CVE)
Key Behavioral Indicators
- node spawning curl or unzip
- node spawning bun
- Creation of tmp.0987654321.lock
- Process environment variable __IS_DAEMON set to 1
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Search source repositories, lockfiles, and CI logs for the affected package names (e.g., @redhat-cloud-services/*, @jagreehal/workflow).
- If an affected package was installed, isolate the host and preserve logs before attempting remediation.
- Rotate all potentially exposed credentials, including GitHub tokens, cloud provider keys, and SSH keys.
Infrastructure Hardening
- Consider implementing network egress controls for CI/CD runners to block unexpected outbound traffic during dependency installation.
- Evaluate restricting default GitHub Actions token permissions to least privilege.
- Where practical, run dependency installation with lifecycle scripts disabled by default (--ignore-scripts), then allowlist required scripts.
User Protection
- Consider implementing EDR rules to detect anomalous child processes spawned by package managers (e.g., npm or node spawning curl).
Security Awareness
- Educate developers on the risks of typosquatting and namespace confusion in package registries.
MITRE ATT&CK Mapping
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1027.002 - Obfuscated Files or Information: Software Packing
- T1078 - Valid Accounts
- T1552.001 - Unsecured Credentials: Credentials In Files
- T1552.004 - Unsecured Credentials: Private Keys
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1105 - Ingress Tool Transfer
- T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Additional IOCs
- File Hashes:
21b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4(SHA256) - Hash of the malicious package/index.js loader.ee262510cb246d2b904991aee7fc61162bdae34463439ec6383bd5356479d362(SHA256) - Hash of the malicious package/package.json.ac2a2208e1726e008be6c73dc0872d9bba163319259dff1b62055ac933ca46b6(SHA256) - Hash of the decrypted Bun helper script.
- File Paths:
/tmp/p*.js- Randomized temporary file path used to stage the decrypted JavaScript payload./tmp/b-*/b.zip- Temporary path used to store the downloaded Bun runtime archive./tmp/b-*/bun- Temporary path for the extracted Bun binary on Linux/macOS./tmp/b-*/bun.exe- Temporary path for the extracted Bun binary on Windows.
- Command Lines:
- Purpose: Executes the malicious loader automatically during package installation | Tools:
node,npm| Stage: Execution |node index.js - Purpose: Executes the decrypted secondary payload | Tools:
bun| Stage: Execution |bun run - Purpose: Silently downloads the Bun runtime if not present on the system | Tools:
curl| Stage: Payload Delivery |curl -sSL - Purpose: Extracts the downloaded Bun runtime archive | Tools:
unzip| Stage: Payload Delivery |unzip -j -o - Purpose: Harvests the local GitHub CLI authentication token | Tools:
gh| Stage: Credential Access |gh auth token
- Purpose: Executes the malicious loader automatically during package installation | Tools:
- Other:
IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner- Unique string indicator used in fallback GitHub API commit messages.Miasma: The Spreading Blight- Unique string indicator found in the malware.f4abccab2- Named decryption primitive function found in the payload.thebeautifulmarchoftime- Unique string indicator found in the malware.@jagreehal/workflow- Additional malicious npm package.ai-sdk-ollama- Additional malicious npm package.@vapi-ai/server-sdk- Additional malicious npm package.
