Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm

Aikido Security's Blog

GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained

Ilyas Makari · 2026-06-01 · via Aikido Security's Blog

On June 1, 2026, we detected multiple official packages from the @redhat-cloud-services scope on npm were compromised with a credential-stealing worm. In total, 96 versions across 32 packages have been compromised, cumulatively downloaded 116,991 times per week. The malware appears similar to the Mini Shai-Hulud malware that was recently open-sourced by TeamPCP. Since the tooling was made publicly available, other threat actors now have access to the same techniques and can replicate or adapt them. The packages were published via GitHub Actions OIDC, indicating the CI/CD pipeline was compromised rather than an npm token. If you have installed any affected package versions since June 1, 2026, treat all CI secrets, cloud credentials, SSH keys, and npm tokens as compromised and rotate them immediately.

Timeline of the Mini Shai-Hulud campaign

April 22, 2026 - @bitwarden/cli compromised via a poisoned GitHub Actions workflow. The payload self-identifies as "Shai-Hulud: The Third Coming."
April 29, 2026 - Four SAP npm packages compromised through an npm token leaked via a malicious CircleCI pull request build.
April 30, 2026 - PyTorch Lightning compromised on PyPI, versions 2.6.2 and 2.6.3.
May 12, 2026 - Mini Shai-Hulud Hits over 160 Packages, including Mistral and Tanstack.
May 12, 2026 - TeamPCP publishes the full Shai-Hulud source code to GitHub, alongside posts on BreachForums encouraging others to run their own campaigns.
May 19, 2026 - Microsoft's DurableTask npm package compromised, caused by a previously compromised GitHub account.
June 1, 2026 - Over 30 @redhat-cloud-services npm packages compromised with Miasma, a new variant of Mini Shai-Hulud.

Miasma: Is Shai-Hulud back?

The payload embedded across the affected packages has strong resemblances to Mini Shai-Hulud, the supply chain malware open-sourced by TeamPCP. Interestingly, this version calls itself "Miasma" and appears to have replaced the familiar Dune references of Shai-Hulud with Greek mythology.

TeamPCP is a threat actor group that has been running targeted CI/CD supply chain attacks for several months. Their Mini Shai-Hulud malware is a sophisticated credential-stealing worm that spreads by republishing backdoored versions of packages the victim account has access to. We have previously reported on compromises affecting Mistral and TanStack, Microsoft's Durable Task, PyTorch Lightning, Bitwarden CLI, and Intercom, all traced back to the same tooling.

When TeamPCP open-sourced Mini Shai-Hulud, the threat expanded beyond a single actor. Any group can now pick up the framework, adapt it, and deploy it against new targets.

Trusted publishing bypass

Trusted publishing is a mechanism npm introduced to eliminate long-lived publish tokens from CI/CD pipelines, replacing them with short-lived OIDC tokens issued by GitHub Actions. It was designed to be more secure, but as recent attacks show, it can be bypassed if an attacker gains access to a CI/CD pipeline through a vulnerability or compromised token.

We found a Red Hat employee's GitHub account was compromised and used to push malicious orphan commits directly to several repositories, bypassing code review entirely. Those orphan commits contained a workflow file (ci.yaml) and a script (_index.js).

name: release
on:
  push:
    branches: ['*']
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6
      - name: prepare
        run: bun run _index.js
        env:
          OIDC_PACKAGES: "@redhat-cloud-services/frontend-components-advisor-components, @redhat-cloud-services/chrome, @redhat-cloud-services/frontend-components, @redhat-cloud-services/frontend-components-config-utilities, @redhat-cloud-services/frontend-components-config, @redhat-cloud-services/eslint-config-redhat-cloud-services, @redhat-cloud-services/frontend-components-notifications, @redhat-cloud-services/frontend-components-remediations, @redhat-cloud-services/rule-components, @redhat-cloud-services/frontend-components-testing, @redhat-cloud-services/frontend-components-translations, @redhat-cloud-services/tsc-transform-imports, @redhat-cloud-services/types, @redhat-cloud-services/frontend-components-utilities"
          WORKFLOW_ID: "ci.yaml"
          REPO_ID_SUFFIX: "RedHatInsights/frontend-components"

When the workflow runs, it installs Bun and executes _index.js, passing it a list of target packages via the OIDC_PACKAGES environment variable. The script uses the id-token: write permission to request a short-lived OIDC token from GitHub, then uses that token to authenticate directly with npm's trusted publishing endpoint and publish backdoored versions of every package in the list.

This is the same fundamental pattern seen in the TanStack and Bitwarden compromises: the CI/CD pipeline itself becomes the attack surface, while OIDC-based trusted publishing - designed to eliminate long-lived tokens - becomes a misleading trust signal.

The preinstall script

Each compromised package declares a preinstall script in its package.json that executes node index.js automatically on every npm install, before any application code runs and before the developer has any indication something is wrong.

"scripts": {
  "preinstall": "node index.js"
}

The index.js file is 4.2 MB payload hidden behind multiple layers of obfuscation.

What it steals

As with previous Mini Shai-Hulud attacks, the payload performs a broad credential sweep across cloud providers, CI/CD environments, and developer tooling. On the CI side it targets GitHub Actions secrets including GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN. For cloud credentials it collects AWS access keys and session tokens, GCP application default credentials and service account key files, and Azure service principal credentials and managed identity tokens. It also sweeps for HashiCorp Vault tokens, Kubernetes service account tokens and kubeconfig files, npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, and any .env files it can find across the filesystem.

How Aikido detects this

If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.

If you are not yet an Aikido user, you can create an account and connect your repos. Our malware coverage is included in the free plan, no credit card required.

For broader coverage across your whole team, Aikido's Device Protection gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed.

For future protection, consider Aikido Safe Chain (open source). Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against Aikido Intel before install.

‍Indicators of Compromise

If you have installed any of the following package versions, treat all CI secrets, cloud credentials, SSH keys, and npm tokens as compromised and rotate them immediately:

@redhat-cloud-services/chrome (2.3.1, 2.3.2)
@redhat-cloud-services/compliance-client (4.0.3, 4.0.4)
@redhat-cloud-services/config-manager-client (5.0.4, 5.0.5)
@redhat-cloud-services/entitlements-client (4.0.11, 4.0.12)
@redhat-cloud-services/eslint-config-redhat-cloud-services (3.2.1, 3.2.2)
@redhat-cloud-services/frontend-components (7.7.2, 7.7.3)
@redhat-cloud-services/frontend-components-advisor-components (3.8.2)
@redhat-cloud-services/frontend-components-config (6.11.3, 6.11.4)
@redhat-cloud-services/frontend-components-config-utilities (4.11.2, 4.11.3)
@redhat-cloud-services/frontend-components-notifications (6.9.2, 6.9.3)
@redhat-cloud-services/frontend-components-remediations (4.9.2, 4.9.3)
@redhat-cloud-services/frontend-components-testing (1.2.1, 1.2.2)
@redhat-cloud-services/frontend-components-translations (4.4.1, 4.4.2)
@redhat-cloud-services/frontend-components-utilities (7.4.1, 7.4.2)
@redhat-cloud-services/hcc-feo-mcp (0.3.1, 0.3.2)
@redhat-cloud-services/hcc-kessel-mcp (0.3.1, 0.3.2)
@redhat-cloud-services/hcc-pf-mcp (0.6.1, 0.6.2)
@redhat-cloud-services/host-inventory-client (5.0.3, 5.0.4)
@redhat-cloud-services/insights-client (4.0.4, 4.0.5)
@redhat-cloud-services/integrations-client (6.0.4, 6.0.5)
@redhat-cloud-services/javascript-clients-shared (2.0.8, 2.0.9)
@redhat-cloud-services/notifications-client (6.1.4, 6.1.5)
@redhat-cloud-services/patch-client (4.0.4, 4.0.5)
@redhat-cloud-services/quickstarts-client (4.0.11, 4.0.12)
@redhat-cloud-services/rbac-client (9.0.3, 9.0.4)
@redhat-cloud-services/remediations-client (4.0.4, 4.0.5)
@redhat-cloud-services/rule-components (4.7.2, 4.7.3)
@redhat-cloud-services/sources-client (3.0.10, 3.0.11)
@redhat-cloud-services/topological-inventory-client (3.0.10, 3.0.11)
@redhat-cloud-services/tsc-transform-imports (1.2.2)
@redhat-cloud-services/types (3.6.1, 3.6.2, 3.6.4)
@redhat-cloud-services/vulnerabilities-client (2.1.8, 2.1.9)

此内容由惯性聚合(RSS阅读器)自动聚合整理，仅供阅读参考。原文来自 — 版权归原作者所有。

推荐订阅源

Aikido Security's Blog

Timeline of the Mini Shai-Hulud campaign

Miasma: Is Shai-Hulud back?

Trusted publishing bypass

The preinstall script

What it steals

How Aikido detects this

‍Indicators of Compromise