At a glance: Multiple official npm packages in the @redhat-cloud-services namespace were compromised on June 1 in a major supply-chain attack distributing a Shai-Hulud-derived credential-stealing worm. If you have installed affected versions, check your workstations and CI/CD environments for signs of compromise.
Threat summary
On June 1, 2026, Red Hat reported a supply-chain attack affecting the company’s official Node Package Manager (npm) namespace, with malicious versions removed and clean releases published shortly after discovery.
On that same day, a threat actor published malicious versions of more than 30 packages under the @redhat-cloud-services namespace within a 72-second window, targeting components used across the Red Hat Hybrid Cloud Console ecosystem.
Affected packages included components such as vulnerabilities-client, sources-client, and rbac-client, which are used as dependencies in development and build environments. These packages have a large install base across developer environments and automated build systems.
The malicious packages contained a preinstall script that executed automatically during installation, allowing code execution before application code was reviewed or run. The payload harvested credentials from developer endpoints and continuous integration and continuous delivery (CI/CD) environments, including cloud credentials, tokens, and other secrets.
Threat actors leveraged access to a trusted publishing pipeline. By inserting a malicious GitHub Actions workflow, they generated short-lived OpenID Connect (OIDC) tokens and used npm trusted publishing to release backdoored packages that appeared legitimate. This approach bypassed common protections because the packages originated from an official namespace and used valid publishing mechanisms.
Each package included a modified package.json file that introduced a preinstall hook executing obfuscated code designed to collect credentials and reuse stolen tokens for further distribution.
The activity is associated with the Mini Shai-Hulud malware, also referred to as “Miasma,” which is a variant of the broader Shai-Hulud malware framework. Shai-Hulud defines the underlying worm capability, while Mini Shai-Hulud reflects the active generation used in recent campaigns to automate credential theft and package republishing at scale.
Attribution remains unclear because the underlying tooling has been publicly released, enabling multiple threat actors to replicate the attack.
Analysis
The trust model in modern software delivery assumes that packages published through verified pipelines are safe. This attack shows that threat actors can generate valid OIDC tokens and publish packages through trusted workflows, challenging the implicit trust placed in CI/CD pipelines and publishing models. Security controls assume the pipeline itself is trustworthy, so once it is compromised, those controls can validate attacker-generated activity and reduce common detection signals such as anomalous authentication or untrusted publishers.
In this scenario, threat actors do not need to steal long-lived credentials or impersonate a trusted publisher. They can instead use approved processes to distribute malicious code at scale. Automated tooling enables rapid publication of compromised packages within seconds, increasing exposure across dependent systems.
The public release of the underlying Shai-Hulud tooling has also lowered the barrier to entry, allowing multiple threat actors to replicate and adapt these techniques, which increases the likelihood that this type of activity becomes even more widespread.
Organizations are affected if they installed or built applications using impacted versions of @redhat-cloud-services packages on or after 10:54 UTC on June 1, 2026, when the first malicious versions were published; a second publication wave followed at 13:45 UTC the same day. Exposure occurred at package installation or build time (for example, npm install in developer environments or CI/CD pipelines), because the malicious code executed at install time, not during normal application runtime.
The impact could include credential theft, unauthorized access to cloud services and repositories, and potential further compromise through reuse of stolen publishing credentials.
Review build logs and dependency trees for installation activity on June 1 to identify affected environments. Affected organizations should remove affected package versions and rebuild using verified clean releases. Reduce the risk even further by rotating credentials that were accessible from impacted systems, including cloud keys, tokens, and SSH credentials.
Defenders can also look for signs of malicious activity during investigation and monitoring. Suspicious indicators include:
- Unexpected script execution during npm install, such as preinstall or postinstall hooks launching additional processes or running obfuscated JavaScript
- Activity that involves reading environment variables, credential files, or configuration data (such as .env, .npmrc, or CI/CD tokens) during installation
- Outbound network connections initiated during build processes, especially connections to external infrastructure or repositories used to transmit data
- Unauthorized or unexpected changes to CI/CD workflows or token usage
These behaviors occurring together during package installation or build execution indicate potential supply chain compromise.
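The dependency-tree review and the install-hook indicator described above can start with a local check like the following Node.js script, which walks an npm-style node_modules tree and lists every installed @redhat-cloud-services package together with any preinstall, install or postinstall script its package.json declares. It is an added example, not code from Red Hat or from the original advisory; the function names, the sample versions and the `node setup.js` script are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const SCOPE = '@redhat-cloud-services'; // namespace named in the advisory
const HOOKS = ['preinstall', 'install', 'postinstall']; // npm scripts run at install time

// Collect package directories under node_modules, including scoped and nested ones.
function packageDirs(dir, out = []) {
  const nm = path.join(dir, 'node_modules');
  if (!fs.existsSync(nm)) return out;
  for (const entry of fs.readdirSync(nm, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const base = path.join(nm, entry.name);
    const dirs = entry.name.startsWith('@')
      ? fs.readdirSync(base).map((n) => path.join(base, n)) : [base];
    for (const d of dirs) { out.push(d); packageDirs(d, out); }
  }
  return out;
}

// List installed packages in SCOPE with any install-time hooks their manifest declares.
function auditTree(projectDir) {
  const findings = [];
  for (const dir of packageDirs(projectDir)) {
    if (path.basename(path.dirname(dir)) !== SCOPE) continue;
    let pkg;
    try { pkg = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8')) || {}; }
    catch { continue; } // no readable manifest in this directory
    const hooks = HOOKS.filter((h) => typeof (pkg.scripts || {})[h] === 'string');
    findings.push({ name: pkg.name, version: pkg.version, hooks, dir });
  }
  return findings;
}

// Constructed sample tree: package names from the advisory, versions and scripts made up.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'hook-audit-'));
  const put = (prefix, short, extra) => {
    const dir = path.join(root, prefix, 'node_modules', SCOPE, short);
    fs.mkdirSync(dir, { recursive: true });
    const pkg = { name: `${SCOPE}/${short}`, version: '0.0.0-sample', ...extra };
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify(pkg));
  };
  const hook = { scripts: { preinstall: 'node setup.js' } };
  put('', 'rbac-client', hook);
  put('', 'sources-client', {});
  put('node_modules/example-dep', 'vulnerabilities-client', hook); // nested copy
  return auditTree(root);
}
```

Call `auditTree(process.cwd())` from a project or CI workspace root. A package reported with a non-empty `hooks` array matches the install-hook pattern described above and should be compared against the affected versions before the environment is treated as clean.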