
shai hulud (2 articles)

Red Hat npm Packages Backdoored in Supply Chain Attack Stealing Cloud Credentials

Over 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were backdoored in a supply-chain attack, after attackers compromised a Red Hat employee's GitHub account and used it to publish malicious package versions containing credential-stealing malware. The malware, dubbed "Miasma," is a variant of the Shai-Hulud framework and was designed to steal a wide range of sensitive data including cloud credentials, SSH keys, CI/CD tokens, and environment files from developers who installed the affected packages. Red Hat removed the compromised packages and stated that they were limited to internal development tooling with no confirmed impact on customer environments, though the investigation remains ongoing.

3 Jun 2026

Another npm Account Hijacked, 314 Packages Poisoned in Under Half an Hour

A compromised npm account infected 314 JavaScript packages — including popular ones like size-sensor and echarts-for-react with millions of monthly downloads — with malware that steals credentials for cloud platforms, GitHub, and npm, and uses GitHub as a command-and-control backdoor. The attack, which unfolded in just 22 minutes, follows the same pattern as a similar incident three weeks ago and is part of an ongoing wave of npm supply chain attacks dubbed "Shai-Hulud." Developers who installed affected versions are advised to rotate all credentials, while npm owner GitHub has said little about the continuing series of incidents.

20 May 2026