SlowMist|Jun 04, 2026 09:12
✍️ Technical Analysis Published: Red Hat Cloud Services npm Package Supply Chain Poisoning
MistEye detected that multiple npm packages under the @redhat-cloud-services organization (a total of 32 packages and 96 versions) were implanted with a multi-layer obfuscated malicious loader, which is automatically triggered during installation via the preinstall hook.
After full reconstruction, the core payload is confirmed to be a variant of the Shai-Hulud malware family, possessing a wide range of advanced capabilities, including:
🔹GitHub Actions Runner memory reading
🔹Multi-cloud and local credential harvesting
🔹GitHub API exfiltration and dead-drop communication
🔹GitHub workflow injection
🔹npm self-propagation
🔹Persistence via Claude Code / VS Code / systemd / LaunchAgent
🔹Harden-Runner / StepSecurity evasion
🔹EDR/security product detection
We performed full deobfuscation and capability reconstruction on the following three samples:
• @redhat-cloud-services/frontend-components-config@6.11.3
• @redhat-cloud-services/types@3.6.1
• @redhat-cloud-services/rule-components@4.7.2
The report provides a detailed breakdown of the complete multi-stage attack chain, from the outer ROT + AES-GCM layers through multiple obfuscation stages to the final payload execution.
📖 Full technical analysis:
https://medium.com/@slowmist/threat-intelligence-red-hat-cloud-services-npm-package-supply-chain-poisoning-3636786dabfd
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink