
Attackers compromised the official @redhat-cloud-services npm namespace on June 1, 2026, injecting a sophisticated credential-harvesting worm into 95 package versions used by thousands of developers building Red Hat Insights and Hybrid Cloud Console applications. The payload fired automatically the moment anyone ran npm install — no import, no function call required.
The attack, documented independently by Socket and StepSecurity within hours of detection, traces back to a compromised CI/CD pipeline in the RedHatInsights/javascript-clients GitHub repository. Every malicious version was published through the project's own GitHub Actions OIDC workflow — a trusted automation token used to push real releases — meaning the packages carried legitimate provenance signatures that most security tools would not question.
What Made This Unusually Dangerous
The malicious index.js weighed 4.2 MB — dozens of times heavier than a normal library file — and buried its payload under four distinct obfuscation layers: ROT-21 character encoding, AES-128-GCM encryption, a custom base64 string table requiring 284 rotation cycles to decode, and a PBKDF2-based cipher with 200,000 iterations to prevent brute-forcing. The real payload only materialised in memory at runtime, making static package scanners largely blind to it.
Once triggered, the malware downloaded the Bun JavaScript runtime silently from GitHub, decrypted the main payload into a randomly named /tmp/p*.js file, executed it, and deleted the file — all before a developer could notice anything amiss. On developer workstations, it detached into a background process so credential harvesting continued after the install command finished.
The credential sweep was exhaustive: GitHub tokens, npm publish tokens, AWS access keys, Azure service principals, GCP application credentials, Kubernetes service account tokens, HashiCorp Vault tokens, SSH private keys, .npmrc, .pypirc, .netrc, Docker registry authentication, and even cryptocurrency wallet files were all targeted. On GitHub Actions runners, it went further — reading /proc/<pid>/mem to extract live secrets directly from the Runner.Worker process memory, including secrets masked in workflow logs that never touch disk.
Perhaps most alarming: the worm was self-propagating. Using any stolen npm token and the bypass_2fa publish parameter, it autonomously republished backdoored versions of other packages the victim account could publish to — even overriding two-factor authentication — seeding the next wave of infections without any attacker involvement.
For persistence on developer machines, the malware injected a SessionStart hook into ~/.claude/settings.json (Claude Code's configuration) and a folderOpen task into .vscode/tasks.json, ensuring attacker code ran on every IDE session even after node_modules was deleted.
Attribution and Scope
Socket linked the campaign's tactics — install-time execution, CI/CD targeting, encrypted exfiltration, and downstream propagation — to the Shai-Hulud attack framework, which the threat group TeamPCP open-sourced recently alongside a BreachForums contest rewarding package compromises. Because the tooling is now public, attribution to any single actor remains unclear.
What You Should Do Now
If your projects or CI pipelines installed any @redhat-cloud-services package between approximately 10:54 UTC and 15:25 UTC on June 1, treat the environment as compromised. Immediately rotate all credentials accessible to those jobs: GitHub tokens, npm tokens, cloud provider keys, Kubernetes tokens, and any secrets stored in environment variables or CI secret stores. Search lockfiles and build logs for the affected versions, inspect ~/.claude/settings.json and .vscode/tasks.json for injected hooks, and hunt for /tmp/p*.js and tmp.0987654321.lock artefacts. Do not rely on uninstalling the npm package — the persistence mechanisms survive it.