Executive Summary
A critical supply chain attack has recently compromised 32 official NPM packages maintained by Red Hat under the @redhat-cloud-services namespace. This incident, first detected in early June 2026, involved the injection of a credential-stealing worm—an advanced variant of the Mini Shai-Hulud malware—into 96 package versions. These packages collectively receive over 116,000 downloads per week, amplifying the potential impact across the global software supply chain. The attackers exploited a compromised Red Hat employee’s GitHub account and leveraged the trusted publishing mechanism via GitHub Actions OIDC, effectively bypassing traditional NPM token security. The malicious payload was engineered to exfiltrate a wide array of sensitive credentials from both developer endpoints and CI/CD environments, and to self-propagate by republishing trojanized packages using stolen credentials. This attack underscores the urgent need for robust supply chain security controls and immediate remediation for any organization or developer utilizing the affected packages.
Threat Actor Profile
The primary threat actor behind this campaign is identified as TeamPCP, the original authors of the Mini Shai-Hulud malware. However, due to the open-sourcing of the malware’s codebase, multiple threat actors are now leveraging these tools, increasing the risk and complexity of attribution. The attackers demonstrated advanced knowledge of CI/CD pipeline internals, GitHub Actions workflows, and the OIDC trusted publishing process. Their tactics, techniques, and procedures (TTPs) align with those of sophisticated supply chain adversaries, though no direct nation-state attribution has been established. The infrastructure used for command-and-control (C2) includes domains such as api.masscan.cloud, filev2.getsession.org, and git-tanstack.com, and the campaign utilized both direct exfiltration and dead-drop commits on GitHub for data theft.
Technical Analysis of Malware/TTPs
The attack began with the compromise of a Red Hat employee’s GitHub account, granting the adversary privileged access to multiple repositories. The attacker introduced malicious orphan commits—commits not attached to any branch—thereby bypassing standard code review and branch protection mechanisms. A malicious GitHub Actions workflow (ci.yaml) was added, which, in conjunction with the OIDC trusted publishing mechanism, enabled the attacker to obtain short-lived tokens for direct publishing to NPM.
Each affected package was modified to include a preinstall script in its package.json file, typically as "preinstall": "node index.js". The index.js payload, approximately 4.2 MB and heavily obfuscated, executed automatically upon package installation, prior to any legitimate application code. This script harvested a broad spectrum of secrets, including GitHub Actions tokens, cloud provider credentials (AWS, GCP, Azure), HashiCorp Vault tokens, Kubernetes service account tokens and kubeconfig files, NPM and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, and .env files.
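The install-hook pattern described above can be checked for in an already-installed dependency tree. The following Node.js script is an added example, not code from the advisory or from Red Hat; the 1 MB size threshold, the sample package names and the sample tree are assumptions constructed for illustration.

```javascript
// Added example, not code from the advisory: list install-time hooks in a node_modules tree.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const HOOKS = ['preinstall', 'install', 'postinstall'];
const SCOPE = '@redhat-cloud-services/'; // namespace named in the advisory
const LARGE_BYTES = 1024 * 1024;         // assumption: a hook script over 1 MB deserves review

// Top-level package directories, descending one level into @scope folders.
function packageDirs(nodeModules) {
  return fs.readdirSync(nodeModules, { withFileTypes: true })
    .filter(e => e.isDirectory() && !e.name.startsWith('.'))
    .flatMap(e => e.name.startsWith('@')
      ? fs.readdirSync(path.join(nodeModules, e.name)).map(s => path.join(nodeModules, e.name, s))
      : [path.join(nodeModules, e.name)]);
}
function scanInstallHooks(nodeModules) {
  const findings = [];
  for (const dir of packageDirs(nodeModules)) {
    let pkg;
    try { pkg = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8')); }
    catch { continue; } // no readable manifest: not a package directory
    for (const hook of HOOKS) {
      const cmd = pkg.scripts && pkg.scripts[hook];
      if (typeof cmd !== 'string') continue;
      const m = /^node\s+(\S+)/.exec(cmd);          // hook of the form "node <file>"
      const target = m && path.join(dir, m[1]);
      const size = target && fs.existsSync(target) ? fs.statSync(target).size : 0;
      const matchesAdvisory = String(pkg.name).startsWith(SCOPE) && size > LARGE_BYTES;
      findings.push({ name: pkg.name, version: pkg.version, hook, cmd, size, matchesAdvisory });
    }
  }
  return findings;
}

// Constructed sample tree: package names, versions and file contents are made up.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'nm-'));
  const add = (name, scripts, bytes) => {
    const dir = path.join(root, name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, version: '0.0.0', scripts }));
    fs.writeFileSync(path.join(dir, 'index.js'), Buffer.alloc(bytes));
  };
  add('@redhat-cloud-services/example-pkg', { preinstall: 'node index.js' }, 4 * 1024 * 1024);
  add('benign-lib', { test: 'node index.js' }, 10);
  const out = scanInstallHooks(root);
  fs.rmSync(root, { recursive: true, force: true });
  return out;
}
console.log(demo());
```

A hit here means the hook has already run on that machine, so it is a trigger for credential rotation rather than a preventive control. Installing with npm's `--ignore-scripts` option keeps lifecycle hooks from executing in the first place.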
Exfiltration was achieved via HTTPS POST requests to attacker-controlled C2 domains and, in some cases, by committing stolen secrets to attacker repositories on GitHub. The worm’s propagation mechanism involved using the compromised credentials to republish backdoored versions of every package the attacker could access, rapidly amplifying the attack’s reach within the NPM ecosystem. Notably, the malware exploited the bypass_2fa parameter in NPM’s publishing process, allowing it to circumvent two-factor authentication protections.
Exploitation in the Wild
The exploitation phase saw the rapid spread of the worm across the NPM ecosystem, with the malware republishing itself to all accessible packages under the compromised account. The attack was not limited to a single organization or sector; rather, it indiscriminately targeted any developer or CI/CD pipeline that installed the affected packages. The observed impact includes widespread credential theft, unauthorized access to cloud and CI/CD environments, and the potential for lateral movement and further supply chain compromise. Security researchers have confirmed that the malware was actively exfiltrating secrets and that the attacker infrastructure remains operational, posing an ongoing risk to organizations that have not yet remediated the compromise.
Victimology and Targeting
The attack primarily targeted organizations and developers utilizing Red Hat’s @redhat-cloud-services NPM packages. This includes sectors such as cloud services, DevOps, CI/CD, and any enterprise or open-source project with dependencies on the affected packages. The global distribution of NPM users means the impact is not geographically constrained; organizations in North America, Europe, Asia, and beyond have been affected. The indiscriminate nature of the worm’s propagation mechanism means that any entity with automated dependency updates or CI/CD pipelines integrating these packages is at heightened risk. Notably, the attack’s focus on harvesting CI/CD and cloud credentials suggests an intent to facilitate further supply chain or cloud infrastructure attacks.
Mitigation and Countermeasures
Immediate remediation steps are critical for any organization or developer that has installed one or more of the compromised packages since June 1, 2026. All CI/CD secrets, cloud provider credentials, SSH keys, and NPM tokens should be considered compromised and must be rotated without delay. A comprehensive audit of all systems and pipelines for unauthorized access or suspicious activity is essential, with particular attention to any anomalous package publishing events or workflow modifications.
All affected package versions must be removed and replaced with verified clean versions. Organizations should review and harden their CI/CD pipeline security, focusing on GitHub Actions workflow permissions, OIDC token usage, and the implementation of strict code review and branch protection rules. Monitoring for orphan commits and unauthorized workflow changes is recommended, as is the deployment of advanced dependency scanning and supply chain security tools such as Aikido Safe Chain and other software composition analysis (SCA) solutions.
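One way to start the workflow review recommended above is to triage which workflow files can request an OIDC token or run `npm publish`. This is an added example, not code from the advisory or from Red Hat; the approved-workflow allowlist (`release.yml`), the finding names and both sample workflows are assumptions constructed for illustration.

```javascript
// Added example, not code from the advisory. Line-based triage (no YAML parser):
// treat hits as leads for manual review.
const APPROVED_PUBLISHERS = new Set(['release.yml']); // assumption: your approved publish workflow

function auditWorkflow(file, text) {
  let topKey = null, oidcScope = 'none', publishes = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, '');       // drop YAML comments
    if (!line.trim()) continue;
    const top = /^([\w"'-]+):/.exec(line);            // key at column 0 = workflow level
    if (top) topKey = top[1].replace(/["']/g, '');
    // `id-token: write` lets a job request an OIDC token; `write-all` includes it.
    const grants = /^\s*id-token:\s*write\s*$/.test(line) || /^\s*permissions:\s*write-all\s*$/.test(line);
    if (grants && topKey === 'permissions') oidcScope = 'workflow';
    else if (grants && oidcScope === 'none') oidcScope = 'job';
    if (/\bnpm\s+publish\b/.test(line)) publishes = true;
  }
  const approved = APPROVED_PUBLISHERS.has(file);
  const findings = [];
  if (oidcScope !== 'none' && !approved) findings.push('oidc-token-in-unapproved-workflow');
  if (publishes && !approved) findings.push('npm-publish-in-unapproved-workflow');
  if (oidcScope === 'workflow') findings.push('oidc-token-granted-to-every-job');
  return { file, oidcScope, publishes, findings };
}

// Constructed workflow files for illustration only.
const SAMPLES = {
  'release.yml': `on:
  release:
    types: [published]
jobs:
  publish:
    permissions:
      contents: read
      id-token: write   # scoped to the one job that publishes
    steps:
      - run: npm publish`,
  'ci.yaml': `on: push
permissions:
  id-token: write
jobs:
  build:
    steps:
      - run: npm publish`,
};

function auditAll() { return Object.entries(SAMPLES).map(([f, t]) => auditWorkflow(f, t)); }
console.log(JSON.stringify(auditAll(), null, 2));
```

Run it over every ref that contains workflow files, not only the default branch, since the advisory describes the malicious workflow arriving in commits attached to no branch.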
Long-term, organizations should maintain vigilance by subscribing to advisories from Red Hat, NPM, and leading security vendors, and by continuously monitoring for new indicators of compromise (IOCs) associated with this and similar supply chain threats.