Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages

MITRE Techniques

• [T1059.007] JavaScript – The malicious package executes JavaScript during installation and runtime through node index.js and eval-based decryption (‘The package.json contains: “preinstall”:”node index.js” … This causes the malicious loader to execute automatically before installation completes.’).
• [T1204.002] User Execution: Malicious File – The payload runs when npm install triggers lifecycle scripts, requiring no direct user launch of the package (‘Executes index.js automatically during npm install.’).
• [T1027] Obfuscated Files or Information – The loader hides behavior using char-code arrays, ROT-style transforms, and encrypted blobs (‘Stage-one JavaScript obfuscation … AES-128-GCM encrypted blobs … Custom payload string encryption.’).
• [T1140] Deobfuscate/Decode Files or Information – The malware decodes and decrypts embedded content at runtime to reveal the helper and main payload (‘This decodes into an async wrapper … decrypts embedded payloads.’).
• [T1021.004] Remote Services: SSH – It targets SSH keys and related files for credential theft, enabling remote access (‘~/.ssh/id*’, ‘~/.ssh/id_rsa’, ‘~/.ssh/id_ed25519’).
• [T1552.001] Unsecured Credentials: Credentials In Files – It searches for sensitive files such as .npmrc, .netrc, cloud configs, and Git credentials (‘~/.aws/credentials’, ‘~/.npmrc’, ‘~/.git-credentials’).
• [T1552.004] Unsecured Credentials: Private Keys – It specifically seeks SSH private keys and similar secret material (‘~/.ssh/id_rsa’, ‘~/.ssh/id_ed25519’).
• [T1539] Steal Web Session Cookie – The payload collects GitHub and npm authentication tokens that can function as session-like access tokens (‘Collects GitHub Actions secrets, npm tokens … GitHub CLI token via gh auth token’).
• [T1611] Escape to Host – It attempts privileged execution on CI runners with sudo, expanding access on build hosts (‘Attempts privileged execution on CI runners.’).
• [T1053.003] Scheduled Task/Job: Cron – The malware does not use cron directly, so no confirmed technique is listed here.
• [T1053.005] Scheduled Task/Job: At – The daemonized background execution behaves like persistence but no explicit scheduled task is shown (‘Detaches into a background process on developer workstations.’).
• [T1132.001] Data Encoding: Standard Encoding – It base64-encodes encrypted envelopes and payload content before transmission (‘toString(“base64”)’).
• [T1041] Exfiltration Over C2 Channel – Stolen data is sent over HTTPS POST to an external endpoint (‘Sends encrypted collection results over HTTPS POST.’).
• [T1105] Ingress Tool Transfer – It downloads Bun from GitHub using curl and unzip to enable execution (‘Silently downloads an execution runtime during package install.’).
• [T1071.001] Application Layer Protocol: Web Protocols – Network communication occurs over HTTPS to API endpoints for exfiltration and fallback activity (‘https://api.anthropic.com:443/v1/api’, ‘https://api.github.com’).
• [T1505.003] Server Software Component: Web Shell – Not evidenced in the article, so no confirmed use is listed.
• [T1562.001] Impair Defenses: Disable or Modify Tools – It uses anti-analysis checks such as Russian locale avoidance and environment checks to reduce detection (‘Avoids execution or changes behavior on Russian-language systems.’).