Forking Shai-Hulud: RedHat npm Packages Are The Next Victim After GitHub Actions Compromise and Worm

RedHat becomes the latest victim of an npm worm after a breach affected numerous packages in the @redhat-cloud-services npm organization. The malicious packages contain a multi-stage credential harvester that executes automatically via a preinstall hook during npm install.

June 1st, 2026

What Happened

RedHat becomes the latest victim of an npm worm after a breach affected numerous packages in the @redhat-cloud-services npm organization. Unlike previous attacks, the Dune theme has been replaced with Greek mythology, suggesting that this attack is a fork of the Mini Shai-Hulud malware that TeamPCP open sourced last month. The malicious packages contain a multi-stage credential harvester that executes automatically via a preinstall hook during npm install. The payload targets secrets from GitHub Actions, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm tokens, and CircleCI. All packages were published using compromised GitHub Actions OIDC tokens from the RedHatInsights/javascript-clients repository.

Affected Packages

  • @redhat-cloud-services/chrome version 2.3.1

  • @redhat-cloud-services/compliance-client version 4.0.3

  • @redhat-cloud-services/config-manager-client version 5.0.4

  • @redhat-cloud-services/entitlements-client version 4.0.11

  • @redhat-cloud-services/eslint-config-redhat-cloud-services version 3.2.1

  • @redhat-cloud-services/frontend-components version 7.7.2

  • @redhat-cloud-services/frontend-components-advisor-components version 3.8.2

  • @redhat-cloud-services/frontend-components-config version 6.11.3

  • @redhat-cloud-services/frontend-components-config-utilities version 4.11.2

  • @redhat-cloud-services/frontend-components-notifications version 6.9.2

  • @redhat-cloud-services/frontend-components-remediations version 4.9.2

  • @redhat-cloud-services/frontend-components-testing version 1.2.1

  • @redhat-cloud-services/frontend-components-translations version 4.4.1

  • @redhat-cloud-services/frontend-components-utilities version 7.4.1

  • @redhat-cloud-services/hcc-feo-mcp version 0.3.1

  • @redhat-cloud-services/hcc-kessel-mcp version 0.3.1

  • @redhat-cloud-services/hcc-pf-mcp version 0.6.1

  • @redhat-cloud-services/host-inventory-client version 5.0.3

  • @redhat-cloud-services/insights-client version 4.0.4

  • @redhat-cloud-services/integrations-client version 6.0.4

  • @redhat-cloud-services/javascript-clients-shared version 2.0.8

  • @redhat-cloud-services/notifications-client version 6.1.4

  • @redhat-cloud-services/patch-client version 4.0.4

  • @redhat-cloud-services/quickstarts-client version 4.0.11

  • @redhat-cloud-services/rbac-client version 9.0.3

  • @redhat-cloud-services/remediations-client version 4.0.4

  • @redhat-cloud-services/rule-components version 4.7.2

  • @redhat-cloud-services/sources-client version 3.0.10

  • @redhat-cloud-services/topological-inventory-client version 3.0.10

  • @redhat-cloud-services/tsc-transform-imports version 1.2.2

  • @redhat-cloud-services/types version 3.6.1

For Semgrep Customers

  1. Trigger a new scan on your projects if you haven't run one recently

  2. Check the advisories page to see whether any projects have installed these package versions recently

  3. Or use the dependency filter. If you see “No matching dependencies”, you are not actively using a malicious dependency in any of your projects.

  4. If you did match, additional indicators of compromise are listed below. Treat any host or runner that installed one of these versions as compromised and rotate all of the credentials listed below, with a focus on secrets from CI/CD environments, cloud credentials, package manager tokens and .env files.

Indicators of Compromise

Packages

@redhat-cloud-services/chrome@2.3.1
@redhat-cloud-services/compliance-client@4.0.3
@redhat-cloud-services/config-manager-client@5.0.4
@redhat-cloud-services/entitlements-client@4.0.11
@redhat-cloud-services/eslint-config-redhat-cloud-services@3.2.1
@redhat-cloud-services/frontend-components@7.7.2
@redhat-cloud-services/frontend-components-advisor-components@3.8.2
@redhat-cloud-services/frontend-components-config@6.11.3
@redhat-cloud-services/frontend-components-config-utilities@4.11.2
@redhat-cloud-services/frontend-components-notifications@6.9.2
@redhat-cloud-services/frontend-components-remediations@4.9.2
@redhat-cloud-services/frontend-components-testing@1.2.1
@redhat-cloud-services/frontend-components-translations@4.4.1
@redhat-cloud-services/frontend-components-utilities@7.4.1
@redhat-cloud-services/hcc-feo-mcp@0.3.1
@redhat-cloud-services/hcc-kessel-mcp@0.3.1
@redhat-cloud-services/hcc-pf-mcp@0.6.1
@redhat-cloud-services/host-inventory-client@5.0.3
@redhat-cloud-services/insights-client@4.0.4
@redhat-cloud-services/integrations-client@6.0.4
@redhat-cloud-services/javascript-clients-shared@2.0.8
@redhat-cloud-services/notifications-client@6.1.4
@redhat-cloud-services/patch-client@4.0.4
@redhat-cloud-services/quickstarts-client@4.0.11
@redhat-cloud-services/rbac-client@9.0.3
@redhat-cloud-services/remediations-client@4.0.4
@redhat-cloud-services/rule-components@4.7.2
@redhat-cloud-services/sources-client@3.0.10
@redhat-cloud-services/topological-inventory-client@3.0.10
@redhat-cloud-services/tsc-transform-imports@1.2.2
@redhat-cloud-services/types@3.6.1

Domains / C2 Servers

  • This malware uses a GitHub dead-drop with the description “Miasma: The Spreading Blight”

Files / System Artifacts

  • A very large index.js file of unusual size (4.2 MB obfuscated payload)

  • A package.json with a preinstall hook executing node index.js. If you install with npm install --ignore-scripts, or have ignore-scripts=true set in your .npmrc by default, the obfuscated payload is still present on disk but does not run.

  • Claude Code SessionStart hook in ~/.claude/settings.json

  • VSCode folderOpen task trigger in .vscode/tasks.json
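The following is an added example, not code from Semgrep, Red Hat or StepSecurity, showing how to check a project offline for the indicators listed above: it matches an npm lockfile (v1 or v2/v3 layout) against the malicious name@version pairs, and inspects package.json, .vscode/tasks.json and a Claude Code settings.json for the preinstall, folderOpen and SessionStart hooks. The sample lockfile and config documents embedded in it are constructed for the example; the Claude Code hooks layout it parses is an assumption based on the documented settings format, so adjust the parser if your settings file differs.

```javascript
// Added example (not code from Semgrep, Red Hat or StepSecurity): offline checks
// for the package and file indicators in this advisory. Every sample input
// below is constructed for the example, not taken from a real compromise.

const SCOPE = "@redhat-cloud-services/";
const MALICIOUS = new Set([
  "chrome@2.3.1", "compliance-client@4.0.3", "config-manager-client@5.0.4",
  "entitlements-client@4.0.11", "eslint-config-redhat-cloud-services@3.2.1",
  "frontend-components@7.7.2", "frontend-components-advisor-components@3.8.2",
  "frontend-components-config@6.11.3", "frontend-components-config-utilities@4.11.2",
  "frontend-components-notifications@6.9.2", "frontend-components-remediations@4.9.2",
  "frontend-components-testing@1.2.1", "frontend-components-translations@4.4.1",
  "frontend-components-utilities@7.4.1", "hcc-feo-mcp@0.3.1", "hcc-kessel-mcp@0.3.1",
  "hcc-pf-mcp@0.6.1", "host-inventory-client@5.0.3", "insights-client@4.0.4",
  "integrations-client@6.0.4", "javascript-clients-shared@2.0.8",
  "notifications-client@6.1.4", "patch-client@4.0.4", "quickstarts-client@4.0.11",
  "rbac-client@9.0.3", "remediations-client@4.0.4", "rule-components@4.7.2",
  "sources-client@3.0.10", "topological-inventory-client@3.0.10",
  "tsc-transform-imports@1.2.2", "types@3.6.1",
].map((s) => SCOPE + s));

// Walk an npm lockfile (v2/v3 "packages" map keyed by install path, or the v1
// nested "dependencies" tree) and return every installed name@version on the list.
function findMaliciousInLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // "" is the root project itself, not a dependency
    const key = path.slice(idx + "node_modules/".length) + "@" + entry.version;
    if (MALICIOUS.has(key)) hits.add(key);
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const key = name + "@" + entry.version;
      if (MALICIOUS.has(key)) hits.add(key);
      walk(entry.dependencies); // v1 nests transitive dependencies
    }
  };
  walk(lock.dependencies);
  return [...hits].sort();
}

// The payload is launched by a preinstall script of the form "node index.js";
// "node-gyp rebuild" and similar legitimate scripts do not match.
function hasPreinstallIndexHook(pkgJson) {
  const scripts = JSON.parse(pkgJson).scripts || {};
  return /\bnode\s+(\.\/)?index\.js\b/.test(scripts.preinstall || "");
}

// VS Code tasks.json: a task with runOptions.runOn === "folderOpen" runs as soon
// as the folder is opened. Returns the label (or command) of each such task.
function folderOpenTasks(tasksJson) {
  return (JSON.parse(tasksJson).tasks || [])
    .filter((t) => t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => t.label || t.command);
}

// Claude Code settings.json. Assumed layout (from the documented hooks format):
// { hooks: { SessionStart: [ { hooks: [ { type: "command", command: "..." } ] } ] } }
// Returns every command registered to run when a session starts.
function sessionStartCommands(settingsJson) {
  const groups = (JSON.parse(settingsJson).hooks || {}).SessionStart || [];
  return groups.flatMap((g) => (g.hooks || []).map((h) => h.command));
}

// Constructed sample inputs: one malicious dependency, one clean older version of
// a listed package, one unrelated package, and one of each hook artifact.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/rbac-client": { version: "9.0.3" },
    "node_modules/@redhat-cloud-services/types": { version: "3.6.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
});
const SAMPLE_PKG = JSON.stringify({ name: "demo", scripts: { preinstall: "node index.js" } });
const SAMPLE_TASKS = JSON.stringify({
  version: "2.0.0",
  tasks: [{ label: "bootstrap", type: "shell", command: "node index.js",
            runOptions: { runOn: "folderOpen" } }],
});
const SAMPLE_SETTINGS = JSON.stringify({
  hooks: { SessionStart: [{ hooks: [{ type: "command", command: "node ~/.cache/index.js" }] }] },
});

function scan() {
  return {
    packages: findMaliciousInLock(SAMPLE_LOCK),
    preinstall: hasPreinstallIndexHook(SAMPLE_PKG),
    folderOpen: folderOpenTasks(SAMPLE_TASKS),
    sessionStart: sessionStartCommands(SAMPLE_SETTINGS),
  };
}

console.log(JSON.stringify(scan(), null, 2));
```

To run this against a real project, replace the SAMPLE_* constants with the contents of package-lock.json, package.json, .vscode/tasks.json and ~/.claude/settings.json read from disk. A hit in the lockfile means the package was resolved, not necessarily that the hook ran: if the install used --ignore-scripts the payload is on disk but did not execute, which is why the package.json and hook checks are worth running separately.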

Data Exfiltrated

Like Mini Shai-Hulud, first seen in the TanStack attack, this worm is designed for CI/CD environments and follows the same pattern of compromise and spread:


  1. Initial access via a compromised token from previous attacks or a vulnerable GitHub Action

  2. Republish all packages with an obfuscated malware payload that harvests credentials

  3. As soon as a user installs the malicious package the payload activates stealing credentials

  4. If the user has npm credentials, find all the packages the user has write access to, and republish the worm

  5. Drop all the credentials into a C2 or the victim’s GitHub via a new repository


This fork differs in that it goes after more cloud and developer-tool credentials than the original Mini Shai-Hulud (which also collected cryptocurrency wallets and related tokens alongside the development-tool secrets). It also reads the GitHub Actions runner process memory directly to recover environment variables set on the runner itself.

Credentials and files harvested, by category and target:

CI/CD

  • GitHub Actions: GITHUB_TOKEN, ACTIONS_RUNTIME_TOKEN, ACTIONS_ID_TOKEN_REQUEST_TOKEN, NPM_TOKEN

Cloud

  • AWS: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, ~/.aws/credentials

  • GCP: application default credentials, service account key files

  • Azure: service principal credentials, AZURE_CLIENT_SECRET, managed identity tokens

  • HashiCorp Vault: VAULT_TOKEN, VAULT_ADDR

K8s / Containers

  • Kubernetes: in-cluster service account token, ~/.kube/config

  • Docker: ~/.docker/config.json (registry auth)

Package managers

  • npm: ~/.npmrc (publish tokens)

  • PyPI: ~/.pypirc

Dev tools

  • SSH: ~/.ssh/id_rsa, ~/.ssh/id_ed25519, all private key files

  • GPG: ~/.gnupg/

Secrets management

  • General: .env files throughout the filesystem


Source: StepSecurity