Red Hat npm packages hit by new Mini Shai-Hulud malware wave

More than 30 npm packages tied to Red Hat Cloud Services have been compromised in a sophisticated supply chain attack, with unknown attackers deploying malware designed to steal credentials from developers’ build environments. The incident raises serious concerns about the propagation of malicious code and the security of internal development pipelines.

The tainted packages were published on June 1, 2026, across two separate GitHub source repositories in two distinct time windows: first between 10:53 and 10:53:33 UTC, then again from 13:44 to 13:46:47 UTC. Researchers at Wiz Security confirmed that a specific Red Hat employee’s GitHub account was breached, allowing attackers to “push malicious orphan commits to two RedHatInsights repositories, bypassing code review.” How that account was initially compromised remains unclear.

At the heart of the attack is a preinstall lifecycle hook embedded in the malicious packages. According to Orca Security, this hook executes a 4.2 MB obfuscated JavaScript payload during the `npm install` process, well before any application code runs. The malware systematically searches for and exfiltrates a wide array of sensitive data, including AWS, GCP, and Azure keys and tokens, GitHub Actions tokens, HashiCorp Vault tokens, Kubernetes credentials and configuration files, SSH private keys, and npm and PyPI publish tokens.

This payload appears to be a new iteration of TeamPCP’s Mini Shai-Hulud malware, which was previously used in supply chain attacks and open-sourced by the group in May 2026. The new variant is particularly dangerous because it leverages npm’s `bypass_2fa` publish parameter to override two-factor authentication requirements. As StepSecurity researchers explained, “Using harvested npm authentication tokens, the payload attempts to publish new backdoored versions of packages the victim account has access to. This capability is available to automation tokens and is used here to make the worm self-propagating even against accounts with 2FA enabled. Each successfully infected machine can autonomously seed the next wave of compromised packages without any further attacker involvement.”

Wiz researchers noted that this variant also includes new data collectors targeting cloud identities and generates a uniquely encrypted payload for each infection. They added that “this variant creates repositories containing the description Miasma: The Spreading Blight.” It remains unknown whether the attack was directly orchestrated by TeamPCP or carried out by copycat attackers.

Red Hat responded quickly, removing most of the infected packages from the npm registry within two hours of their publication. The company emphasized that “the packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system.” There is currently no evidence that the attack impacted customer or partner environments or Red Hat production systems.

Still, any developer or organization that installed one or more of the compromised package versions needs to act fast. Wiz researchers recommend a thorough damage control process: investigate developer workstations, CI/CD environments, and repositories for signs of compromise; audit systems for the affected packages, GitHub Actions, and VSCode extensions; review GitHub activity for unauthorized repositories, newly created access tokens, or suspicious workflow executions; and rotate all keys, credentials, and tokens that may have been accessed or harvested.

“Finally, organizations should strengthen software supply chain defenses by implementing dependency allowlisting, SBOM generation, package verification, and improved monitoring of developer and build environments,” they added.