Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages
June 2, 2026, 9:29 a.m.
Description
A supply chain attack compromised multiple @redhat-cloud-services npm packages. The malicious versions run automatically during installation via preinstall hooks, using obfuscated JavaScript loaders and AES-GCM-encrypted payloads, and harvest GitHub Actions secrets, npm tokens, cloud credentials (AWS, Azure, GCP), Kubernetes and Vault material, SSH keys, Git credentials, and cryptocurrency wallet files. The payload can daemonize itself on developer workstations, avoids running on hosts with a Russian locale, and exfiltrates the stolen data over encrypted HTTPS channels, with the GitHub API as a fallback channel. The tactics resemble those of the publicly released Shai-Hulud toolkit, but attribution remains unclear because that tooling is openly available and can be reused by anyone.
Tags
Date
- Created: June 1, 2026, 7:31 p.m.
- Published: June 1, 2026, 7:31 p.m.
- Modified: June 2, 2026, 9:29 a.m.
Indicators (SHA-256 file hashes)
- ac2a2208e1726e008be6c73dc0872d9bba163319259dff1b62055ac933ca46b6
- 0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35
- 21b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4
- ee262510cb246d2b904991aee7fc61162bdae34463439ec6383bd5356479d362
- 88896d478986d453f5da79b311de39d9b4b1bea95c21af1d8ef181b0f4e52fe9
Attack Patterns
- Shai-Hulud
- TrapDoor
Additional Information
- Technology