
Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages

Blog post from Socket

Author: Socket Research Team
Word Count: 4,194
Language: English
Summary

Socket has uncovered a malicious npm supply chain attack affecting @redhat-cloud-services packages that employs tactics similar to the Shai-Hulud campaign: install-time execution, credential harvesting, and potential propagation to downstream systems. The attack uses a preinstall hook to run obfuscated malware during npm install, targeting sensitive material such as GitHub Actions secrets, npm tokens, and cloud credentials, and exfiltrates it in encrypted form, with a fallback channel via GitHub. The malicious packages execute a JavaScript loader that decrypts and runs hidden payloads, so the malicious logic evades static review of the published code. The threat is compounded by the public availability of Shai-Hulud attack tooling, which complicates attribution. Socket's analysis notes that the malware aims to collect extensive credentials and possibly facilitate further supply chain attacks; analysis is ongoing and the affected packages are being tracked publicly.