Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages
Cybersecurity NewsArchived Jun 02, 2026✓ Full text saved
Red Hat has officially confirmed a supply chain compromise affecting multiple packages published under the @redhat-cloud-services npm namespace, disclosed publicly on June 1, 2026. A compromised GitHub account was used to inject malicious code into frontend libraries maintained within a Red Hat GitHub organization, raising significant concern across enterprise environments that depend on these packages […] The post Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages a
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages
By Guru Baran
June 2, 2026
Red Hat has officially confirmed a supply chain compromise affecting multiple packages published under the @redhat-cloud-services npm namespace, disclosed publicly on June 1, 2026.
A compromised GitHub account was used to inject malicious code into frontend libraries maintained within a Red Hat GitHub organization, raising significant concern across enterprise environments that depend on these packages during container image builds.
According to Red Hat’s security bulletin RHSB-2026-006, unauthorized commits were pushed to repositories within the RedHatInsights GitHub organization using a compromised developer account.
The affected packages are frontend libraries that get compiled and bundled into container images during the Red Hat product build process, making the attack vector particularly dangerous due to its deep integration into downstream build pipelines. Red Hat engineering acted swiftly by removing the compromised versions from npm following the initial disclosure.
Threat intelligence from OX Security reveals that the malware behind this supply chain compromise is the sophisticated Shai-Hulud infostealer, a campaign far more advanced than typical npm malware.
While conventional npm malware operates with one to three execution stages, Shai-Hulud deploys a six-stage payload delivery chain that loops back on itself in an endless execution cycle.
Attack Chain (Source: OX Research)
The attack begins with an obfuscated index.js payload that proceeds through decryption and decoding stages and ultimately drops 15 distinct payloads including memory dump tools, token monitors, Claude API hooks, and a GitHub-based payload dropper.
GitHub Used as an Adaptive C2 Server
One of the most alarming aspects of Shai-Hulud is its abuse of GitHub as a live Command-and-Control (C2) infrastructure. Rather than merely hosting exfiltrated data, the threat actor stores malicious code in GitHub repositories and uses commits tagged with the string “firedalazer” as a dynamic payload delivery mechanism.
This means that even after one account is blocked, another can seamlessly take over by pushing new commits, making the campaign highly resilient.
OX Security also identified two distinct variants of the malware identified by a subtle difference: the string “Miasma: The Spreading Blight” (no space after colon) in Stage 3, versus “Miasma : The Spreading Blight” (with space) in the Stage 6 alternate payload, a detail that can cause detection tools relying on exact string matching to miss infections.
Red Hat Product Security is actively conducting build system and dependency tracking analysis to confirm whether any product builds incorporated the compromised package versions.
Based on current findings, no customer action is required at this time, though the investigation remains ongoing. Organizations are advised to monitor for known Shai-Hulud IoCs, including the “firedalazer” commit string, Miasma-related strings, and the documented encryption keys and public key pairs published by OX Security.
Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
New DriveSurge Threat Actor Uses ClickFix and Fake Updates to Infect Website Visitors
Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware
Windows Kernel Vulnerability Allows Attackers to Modify Kernel Memory Counters
Google Chrome’s Device-Bound Session Credentials Now GA to Block Account Takeovers
Hackers Abuse Trusted Google Domains to Hide Phishing Links From Email Gateways
Latest News
Press Release
Halo Security Honored with 2026 MSP Today Product of the Year Award
Cyber Security News
CISA Warns of Two-Year-Old Oracle WebLogic Server Vulnerability Exploited in Attacks
Cyber Security News
Critical KMW CCTV Vulnerability Let Attackers Gain Unauthorized Access to Camera Feeds
Cyber Security
Anthropic Expands Project Glasswing Claude Mythos Preview to 150 New Organizations
Cyber Security News
CISA Flags Palo Alto Networks PAN-OS Vulnerability as Exploited in Attacks