MAL-2026-5134
Vulnerability from ossf_malicious_packages
Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a three-layer obfuscated payload (ROT-9 Caesar cipher over a 1.27M-entry character-code array -> AES-128-GCM decryption with hardcoded keys -> stacked obfuscator.io encoding with PBKDF2+SHA-256 keystream S-box substitution) that downloads a pinned Bun runtime (v1.3.13) from GitHub to execute the worm outside the victim's Node installation.
Credential theft: Harvests AWS credentials (IMDS, ECS, Secrets Manager, SSM), Azure managed identities, GCP service account tokens, HashiCorp Vault tokens, Kubernetes service account tokens (/var/run/secrets/kubernetes.io/serviceaccount/token), GitHub PATs, npm publish tokens, environment variables from ~40 CI platforms (CircleCI, Travis CI, Jenkins, and others), password manager stores (Bitwarden, gopass), and local files (~/.npmrc, ~/.netrc, shell history, database history). Collected data is exfiltrated to attacker-controlled public GitHub repositories.
Privilege escalation: Exploits Docker socket access to escape containers and modify /etc/sudoers.d, granting passwordless sudo to CI runner user accounts.
Self-propagation: Uses stolen npm credentials to republish tampered tarballs of target packages. Injects a malicious CodeQL workflow into accessible GitHub repositories via the GraphQL createCommitOnBranch mutation, exchanges GitHub Actions OIDC tokens for npm publish tokens, and signs the resulting artifacts through Sigstore (Fulcio/Rekor) to appear legitimate.
Persistence and evasion: Installs a daemon at /tmp/kitty-<random>, hijacks .claude/settings.json for AI agent persistence, and hijacks .vscode/tasks.json for editor task execution. Detects sandbox environments via __FAKE_PLATFORM__, TESTING_TAR_FAKE_PLATFORM__, and __IS_DAEMON environment variables, and probes for EDR tools (CrowdStrike, SentinelOne, Carbon Black, StepSecurity Harden-Runner).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@redhat-cloud-services/config-manager-client"
},
"versions": [
"5.0.4",
"5.0.5",
"5.0.7"
]
}
],
"credits": [
{
"contact": [
"https://safedep.io"
],
"name": "SafeDep",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": null
},
"details": "Part of the \"Mini Shai-Hulud\" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a `preinstall` hook into this and 31 other packages in the `@redhat-cloud-services` scope. The hook delivers a three-layer obfuscated payload (ROT-9 Caesar cipher over a 1.27M-entry character-code array -\u003e AES-128-GCM decryption with hardcoded keys -\u003e stacked obfuscator.io encoding with PBKDF2+SHA-256 keystream S-box substitution) that downloads a pinned Bun runtime (v1.3.13) from GitHub to execute the worm outside the victim\u0027s Node installation.\n\n**Credential theft:** Harvests AWS credentials (IMDS, ECS, Secrets Manager, SSM), Azure managed identities, GCP service account tokens, HashiCorp Vault tokens, Kubernetes service account tokens (`/var/run/secrets/kubernetes.io/serviceaccount/token`), GitHub PATs, npm publish tokens, environment variables from ~40 CI platforms (CircleCI, Travis CI, Jenkins, and others), password manager stores (Bitwarden, gopass), and local files (`~/.npmrc`, `~/.netrc`, shell history, database history). Collected data is exfiltrated to attacker-controlled public GitHub repositories.\n\n**Privilege escalation:** Exploits Docker socket access to escape containers and modify `/etc/sudoers.d`, granting passwordless sudo to CI runner user accounts.\n\n**Self-propagation:** Uses stolen npm credentials to republish tampered tarballs of target packages. Injects a malicious CodeQL workflow into accessible GitHub repositories via the GraphQL `createCommitOnBranch` mutation, exchanges GitHub Actions OIDC tokens for npm publish tokens, and signs the resulting artifacts through Sigstore (Fulcio/Rekor) to appear legitimate.\n\n**Persistence and evasion:** Installs a daemon at `/tmp/kitty-\u003crandom\u003e`, hijacks `.claude/settings.json` for AI agent persistence, and hijacks `.vscode/tasks.json` for editor task execution. Detects sandbox environments via `__FAKE_PLATFORM__`, `TESTING_TAR_FAKE_PLATFORM__`, and `__IS_DAEMON` environment variables, and probes for EDR tools (CrowdStrike, SentinelOne, Carbon Black, StepSecurity Harden-Runner).",
"id": "MAL-2026-5134",
"modified": "2026-06-01T00:00:00Z",
"published": "2026-06-01T00:00:00Z",
"references": [
{
"type": "REPORT",
"url": "https://safedep.io/redhat-cloud-services-hit-by-mini-shai-hulud-npm-worm/"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in @redhat-cloud-services/config-manager-client (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.