Red Hat has confirmed a serious supply chain compromise involving multiple packages in the @redhat-cloud-services npm namespace. The breach was publicly disclosed on June 1, 2026, after a compromised GitHub account was used to inject malicious code into several frontend libraries. These libraries are essential to Red Hat's container image build process, raising significant concerns among enterprises relying on these packages. The attacker pushed unauthorized commits to repositories within the RedHatInsights GitHub organization. The breach is particularly dangerous because these libraries are deeply integrated into downstream build pipelines.

Red Hat moved quickly to mitigate the issue by removing the compromised package versions from npm. The malicious code is attributed to the Shai-Hulud infostealer, identified by OX Security as more sophisticated than typical npm malware. Unlike conventional threats that involve one to three execution stages, Shai-Hulud operates through a six-stage payload delivery chain that perpetuates itself in an endless loop. The attack begins with an obfuscated index.js payload, leading to decryption and decoding stages, and ultimately drops 15 distinct payloads. These payloads include memory dump tools, token monitors, and Claude API hooks, with GitHub being misused as a live Command-and-Control infrastructure.

One of the most worrying aspects of this attack is its resilience. The threat actor uses GitHub repositories to store malicious code, employing commits tagged with 'firedalazer' to deliver payloads dynamically. This setup allows the campaign to continue even if individual accounts are blocked. OX Security has identified two variants of the malware, differentiated by a subtle string variation in the payload, which could challenge detection tools relying on exact string matching.

Red Hat's Product Security team is conducting an in-depth analysis of their build systems and dependencies. As of now, no customer action is required, but organizations are encouraged to monitor for known indicators of compromise related to Shai-Hulud. This includes the 'firedalazer' commit string and specific Miasma-related strings. The investigation is ongoing, and Red Hat is committed to ensuring the security of its products.
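
To support the monitoring described above, the following added example (not Red Hat's or OX Security's tooling) inventories every @redhat-cloud-services entry in a parsed npm lockfile, including nested transitive copies, so the installed versions can be compared against the vendor advisory. The package names, versions and affected list in the sample are constructed placeholders, since this page does not list the affected versions.

```javascript
// Added example: inventory @redhat-cloud-services entries in an npm lockfile.
const SCOPE = '@redhat-cloud-services/';
const NM = 'node_modules/';

// Return {name, version, path} for every package under `scope`.
// Handles lockfileVersion 2/3 ("packages" map) and 1 (nested "dependencies").
function findScopedPackages(lock, scope = SCOPE) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf(NM);
      if (idx === -1) continue; // root project or workspace entry
      const name = meta.name || path.slice(idx + NM.length);
      if (name.startsWith(scope)) hits.push({ name, version: meta.version, path });
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + NM + name;
      if (name.startsWith(scope)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path + '/'); // v1 nests transitive copies
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Keep only hits whose name@version appears in an advisory list from the caller.
function flagAffected(hits, affected) {
  const bad = new Set(affected);
  return hits.filter((h) => bad.has(`${h.name}@${h.version}`));
}

// Constructed sample lockfile: package names and versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/example-lib': { version: '2.0.1' },
    'node_modules/left-dep': { version: '0.3.0' },
    'node_modules/left-dep/node_modules/@redhat-cloud-services/example-lib': { version: '2.0.0' },
  },
};
// Placeholder list: take the real affected versions from the vendor advisory.
const sampleAffected = ['@redhat-cloud-services/example-lib@2.0.0'];

const found = findScopedPackages(sampleLock);
console.log(found);
console.log(flagAffected(found, sampleAffected));
```

For a real project, pass the result of `JSON.parse` on the project's `package-lock.json` in place of `sampleLock`; the nested hit in the sample shows why checking only top-level dependencies is not enough.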