CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 02, 2026

Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages

Cybersecurity News Archived Jun 02, 2026 ✓ Full text saved

Red Hat has officially confirmed a supply chain compromise affecting multiple packages published under the @redhat-cloud-services npm namespace, disclosed publicly on June 1, 2026. A compromised GitHub account was used to inject malicious code into frontend libraries maintained within a Red Hat GitHub organization, raising significant concern across enterprise environments that depend on these packages […] The post Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages a

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages By Guru Baran June 2, 2026 Red Hat has officially confirmed a supply chain compromise affecting multiple packages published under the @redhat-cloud-services npm namespace, disclosed publicly on June 1, 2026. A compromised GitHub account was used to inject malicious code into frontend libraries maintained within a Red Hat GitHub organization, raising significant concern across enterprise environments that depend on these packages during container image builds. According to Red Hat’s security bulletin RHSB-2026-006, unauthorized commits were pushed to repositories within the RedHatInsights GitHub organization using a compromised developer account. The affected packages are frontend libraries that get compiled and bundled into container images during the Red Hat product build process, making the attack vector particularly dangerous due to its deep integration into downstream build pipelines. Red Hat engineering acted swiftly by removing the compromised versions from npm following the initial disclosure. Threat intelligence from OX Security reveals that the malware behind this supply chain compromise is the sophisticated Shai-Hulud infostealer, a campaign far more advanced than typical npm malware. While conventional npm malware operates with one to three execution stages, Shai-Hulud deploys a six-stage payload delivery chain that loops back on itself in an endless execution cycle. Attack Chain (Source: OX Research) The attack begins with an obfuscated index.js payload that proceeds through decryption and decoding stages and ultimately drops 15 distinct payloads including memory dump tools, token monitors, Claude API hooks, and a GitHub-based payload dropper. GitHub Used as an Adaptive C2 Server One of the most alarming aspects of Shai-Hulud is its abuse of GitHub as a live Command-and-Control (C2) infrastructure. Rather than merely hosting exfiltrated data, the threat actor stores malicious code in GitHub repositories and uses commits tagged with the string “firedalazer” as a dynamic payload delivery mechanism. This means that even after one account is blocked, another can seamlessly take over by pushing new commits, making the campaign highly resilient. OX Security also identified two distinct variants of the malware identified by a subtle difference: the string “Miasma: The Spreading Blight” (no space after colon) in Stage 3, versus “Miasma : The Spreading Blight” (with space) in the Stage 6 alternate payload, a detail that can cause detection tools relying on exact string matching to miss infections. Red Hat Product Security is actively conducting build system and dependency tracking analysis to confirm whether any product builds incorporated the compromised package versions. Based on current findings, no customer action is required at this time, though the investigation remains ongoing. Organizations are advised to monitor for known Shai-Hulud IoCs, including the “firedalazer” commit string, Miasma-related strings, and the documented encryption keys and public key pairs published by OX Security. Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News New DriveSurge Threat Actor Uses ClickFix and Fake Updates to Infect Website Visitors Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware Windows Kernel Vulnerability Allows Attackers to Modify Kernel Memory Counters Google Chrome’s Device-Bound Session Credentials Now GA to Block Account Takeovers Hackers Abuse Trusted Google Domains to Hide Phishing Links From Email Gateways Latest News Press Release Halo Security Honored with 2026 MSP Today Product of the Year Award Cyber Security News CISA Warns of Two-Year-Old Oracle WebLogic Server Vulnerability Exploited in Attacks Cyber Security News Critical KMW CCTV Vulnerability Let Attackers Gain Unauthorized Access to Camera Feeds Cyber Security Anthropic Expands Project Glasswing Claude Mythos Preview to 150 New Organizations Cyber Security News CISA Flags Palo Alto Networks PAN-OS Vulnerability as Exploited in Attacks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 02, 2026
    Archived
    Jun 02, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗