THREATPKG
Supply-chain threat intelligence

Incident detail

critical · npm · maintainer compromise · osv

Malicious code in @redhat-cloud-services/remediations-client (npm)

Risk score

92

AI summary

Indexed incident for @redhat-cloud-services/remediations-client (npm).

Description

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a three-layer obfuscated payload (ROT-9 Caesar cipher over a 1.27M-entry character-code array -> AES-128-GCM decryption with hardcoded keys -> stacked obfuscator.io encoding with PBKDF2+SHA-256 keystream S-box substitution) that downloads a pinned Bun runtime (v1.3.13) from GitHub to execute the worm outside the victim's Node installation.

Credential theft: Harvests AWS credentials (IMDS, ECS, Secrets Manager, SSM), Azure managed identities, GCP service account tokens, HashiCorp Vault tokens, Kubernetes service account tokens (/var/run/secrets/kubernetes.io/serviceaccount/token), GitHub PATs, npm publish tokens, environment variables from ~40 CI platforms (CircleCI, Travis CI, Jenkins, and others), password manager stores (Bitwarden, gopass), and local files (~/.npmrc, ~/.netrc, shell history, database history). Collected data is exfiltrated to attacker-controlled public GitHub repositories.

Privilege escalation: Exploits Docker socket access to escape containers and modify /etc/sudoers.d, granting passwordless sudo to CI runner user accounts.

Self-propagation: Uses stolen npm credentials to republish tampered tarballs of target packages. Injects a malicious CodeQL workflow into accessible GitHub repositories via the GraphQL createCommitOnBranch mutation, exchanges GitHub Actions OIDC tokens for npm publish tokens, and signs the resulting artifacts through Sigstore (Fulcio/Rekor) to appear legitimate.

Persistence and evasion: Installs a daemon at /tmp/kitty-<random>, hijacks .claude/settings.json for AI agent persistence, and hijacks .vscode/tasks.json for editor task execution. Detects sandbox environments via __FAKE_PLATFORM__, TESTING_TAR_FAKE_PLATFORM__, and __IS_DAEMON environment variables, and probes for EDR tools (CrowdStrike, SentinelOne, Carbon Black, StepSecurity Harden-Runner).
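A defender-side triage aid for the behaviour described above, added here as an example and not code from ThreatPkg or Red Hat: the Python below lists install-time lifecycle hooks in an installed node_modules tree, marks those in the @redhat-cloud-services scope, and lists the persistence paths named in the description for manual review. The fixture (version 0.0.0-sample, the hook command, left-pad-sample) is constructed, and the function names are hypothetical.

```python
import json
import tempfile
from pathlib import Path

SCOPE = "@redhat-cloud-services"   # scope named in the incident description
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
PERSISTENCE_FILES = (".claude/settings.json", ".vscode/tasks.json")  # from the description

def scan_install_hooks(root):
    """List (name, version, hook, command, in_scope) for install-time hooks in node_modules."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        if "node_modules" not in manifest.parts:
            continue  # skip the project's own manifest
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        scripts = pkg.get("scripts") if isinstance(pkg, dict) else None
        if not isinstance(scripts, dict):
            continue
        name = str(pkg.get("name", ""))
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, pkg.get("version"), hook,
                                 scripts[hook], name.startswith(SCOPE + "/")))
    return findings

def scan_persistence(project_root, tmp_dir="/tmp"):
    """List paths to review by hand: persistence targets that exist, kitty-* entries in tmp_dir."""
    found = [str(Path(project_root, rel)) for rel in PERSISTENCE_FILES
             if Path(project_root, rel).is_file()]
    return found + sorted(str(p) for p in Path(tmp_dir).glob("kitty-*"))

def build_constructed_sample(root):
    """Constructed fixture: one in-scope package with a preinstall hook, one package without."""
    samples = {
        "node_modules/@redhat-cloud-services/remediations-client":
            {"name": SCOPE + "/remediations-client", "version": "0.0.0-sample",
             "scripts": {"preinstall": "node setup.js"}},
        "node_modules/left-pad-sample": {"name": "left-pad-sample", "version": "1.0.0"},
    }
    for rel, manifest in samples.items():
        Path(root, rel).mkdir(parents=True)
        Path(root, rel, "package.json").write_text(json.dumps(manifest))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(scan_install_hooks(tmp), scan_persistence(tmp, tmp_dir=tmp))
```

A hit from `scan_persistence` only means the path exists; both settings files are legitimate in many projects, so compare them against version control before drawing conclusions.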

Technical details

Affected versions

<function fixed() { [native code] }

Indicators

  • affected_version · <function fixed() { [native code] } · 75%
  • affected_version · <function fixed() { [native code] } · 75%
  • affected_version · <function fixed() { [native code] } · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg