{"id":"MAL-2026-5134","summary":"Malicious code in @redhat-cloud-services/config-manager-client (npm)","details":"Part of the \"Mini Shai-Hulud\" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a `preinstall` hook into this and 31 other packages in the `@redhat-cloud-services` scope. The hook delivers a three-layer obfuscated payload (ROT-9 Caesar cipher over a 1.27M-entry character-code array -\u003e AES-128-GCM decryption with hardcoded keys -\u003e stacked obfuscator.io encoding with PBKDF2+SHA-256 keystream S-box substitution) that downloads a pinned Bun runtime (v1.3.13) from GitHub to execute the worm outside the victim's Node installation.\n\n**Credential theft:** Harvests AWS credentials (IMDS, ECS, Secrets Manager, SSM), Azure managed identities, GCP service account tokens, HashiCorp Vault tokens, Kubernetes service account tokens (`/var/run/secrets/kubernetes.io/serviceaccount/token`), GitHub PATs, npm publish tokens, environment variables from ~40 CI platforms (CircleCI, Travis CI, Jenkins, and others), password manager stores (Bitwarden, gopass), and local files (`~/.npmrc`, `~/.netrc`, shell history, database history). Collected data is exfiltrated to attacker-controlled public GitHub repositories.\n\n**Privilege escalation:** Exploits Docker socket access to escape containers and modify `/etc/sudoers.d`, granting passwordless sudo to CI runner user accounts.\n\n**Self-propagation:** Uses stolen npm credentials to republish tampered tarballs of target packages. Injects a malicious CodeQL workflow into accessible GitHub repositories via the GraphQL `createCommitOnBranch` mutation, exchanges GitHub Actions OIDC tokens for npm publish tokens, and signs the resulting artifacts through Sigstore (Fulcio/Rekor) to appear legitimate.\n\n**Persistence and evasion:** Installs a daemon at `/tmp/kitty-\u003crandom\u003e`, hijacks `.claude/settings.json` for AI agent persistence, and hijacks `.vscode/tasks.json` for editor task execution. Detects sandbox environments via `__FAKE_PLATFORM__`, `TESTING_TAR_FAKE_PLATFORM__`, and `__IS_DAEMON` environment variables, and probes for EDR tools (CrowdStrike, SentinelOne, Carbon Black, StepSecurity Harden-Runner).","modified":"2026-06-02T01:16:38.924985646Z","published":"2026-06-01T00:00:00Z","database_specific":{"malicious-packages-origins":null},"references":[{"type":"REPORT","url":"https://safedep.io/redhat-cloud-services-hit-by-mini-shai-hulud-npm-worm/"}],"affected":[{"package":{"name":"@redhat-cloud-services/config-manager-client","ecosystem":"npm","purl":"pkg:npm/%40redhat-cloud-services%2Fconfig-manager-client"},"versions":["5.0.4","5.0.5","5.0.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@redhat-cloud-services/config-manager-client/MAL-2026-5134.json"}}],"schema_version":"1.7.5","credits":[{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}