SlowMist
SlowMist|Jun 04, 2026 09:12
✍️ Technical Analysis Published: Red Hat Cloud Services npm Package Supply Chain Poisoning MistEye detected that multiple npm packages under the @redhat-cloud-services organization (a total of 32 packages and 96 versions) were implanted with a multi-layer obfuscated malicious loader, which is automatically triggered during installation via the preinstall hook. After full reconstruction, the core payload is confirmed to be a variant of the Shai-Hulud malware family, possessing a wide range of advanced capabilities, including: 🔹GitHub Actions Runner memory reading 🔹Multi-cloud and local credential harvesting 🔹GitHub API exfiltration and dead-drop communication 🔹GitHub workflow injection 🔹npm self-propagation 🔹Persistence via Claude Code / VS Code / systemd / LaunchAgent 🔹Harden-Runner / StepSecurity evasion 🔹EDR/security product detection We performed full deobfuscation and capability reconstruction on the following three samples: • @redhat-cloud-services/frontend-components-config@6.11.3 • @redhat-cloud-services/types@3.6.1 • @redhat-cloud-services/rule-components@4.7.2 The report provides a detailed breakdown of the complete multi-stage attack chain, from the outer ROT + AES-GCM layers through multiple obfuscation stages to the final payload execution. 📖 Full technical analysis: https://medium.com/@slowmist/threat-intelligence-red-hat-cloud-services-npm-package-supply-chain-poisoning-3636786dabfd
+4
Mentioned
Share To

Timeline

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads