Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages
ID: cf714bc9-d3a4-5d8d-ac09-34990a025a25
STIX ID: report--cf714bc9-d3a4-5d8d-ac09-34990a025a25
Feed Name: Socket Blog
Socket discovered a malicious npm supply-chain campaign in packages published under the @redhat-cloud-services namespace. The packages use a preinstall lifecycle hook to execute an obfuscated loader (index.js). The loader AES-GCM decrypts staged payloads, writes a randomized /tmp/p*.js file, optionally downloads and runs Bun, daemonizes on developer hosts, and collects a broad set of secrets (GitHub CLI tokens, npm tokens, cloud credentials, SSH keys, Kubernetes/Vault material and CI runner memory). Exfiltration is performed via encrypted HTTPS envelopes (decoded destination: api.anthropic.com:443/v1/api), with a GitHub-API fallback that can commit encrypted results to repositories (unique marker: "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner"). The report includes IoCs (network endpoints, file patterns, token regexes), SHA-256 hashes for affected artifacts, detection opportunities, and remediation guidance covering credential rotation, cache cleaning, artifact invalidation, and CI/CD hardening.
