Red Hat NPM Compromise Exposes Quantified Open-Source Trust Failures
The Shai-Hulud worm's infiltration of Red Hat's official NPM packages through compromised GitHub Actions OIDC trust shows that weaknesses in open-source supply chains are systemic rather than a series of isolated incidents.
The Shai-Hulud worm reached Red Hat's GitHub Actions OIDC trust after an initial employee workstation infection, and from there harvested credentials from downstream CI/CD pipelines; Socket and Aikido published IOC lists covering the 40-plus affected internal packages released on Monday. Ars Technica documented TeamPCP's earlier use of the same worm in a $1,000 competition and its spread beyond that group. Primary evidence shows that the OIDC-issued temporary credentials bypassed standard secrets scanning, which is what the mechanism predicts: the job exchanges a short-lived, GitHub-signed identity token for cloud or registry credentials at run time, so no static key is ever committed or stored where a scanner would find it. The same vector appeared in the Trivy-to-Checkmarx chain, where incomplete remediation allowed two follow-on breaches within weeks.
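The pivot above depends on how a CI job's OIDC token is matched against a federation trust policy. The following is an added example written for this page, not code from Red Hat, GitHub or any of the cited vendors: it builds an unsigned lookalike of a GitHub Actions identity token (the claim names `iss`, `aud`, `sub`, `job_workflow_ref` and `run_id` are GitHub's; the org and repository names, the policies and the `evaluateTrustPolicy` helper are assumptions made up for illustration) and shows that a loose subject pattern lets a workflow on any branch of any repository in the org mint credentials, while a policy pinned to one repository, one environment and one workflow file rejects the same token. Real tokens are RS256-signed and must be verified against the issuer's JWKS before any claim is trusted; that step is omitted here.

```javascript
// Added example (not Red Hat's, GitHub's or a vendor's code): matching a CI job's
// OIDC identity token against a federation trust policy. Claim names follow the
// GitHub Actions OIDC token; org, repo, policies and helper names are made up.

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Unsigned lookalike of the token a runner fetches from ACTIONS_ID_TOKEN_REQUEST_URL.
// Constructed for this example; production code verifies the RS256 signature first.
function makeToken(claims) {
  return `${base64url({ alg: 'RS256', typ: 'JWT' })}.${base64url(claims)}.sig`;
}

function decodeClaims(token) {
  const payload = token.split('.')[1];
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

// IAM StringLike-style matching: '*' matches any run of characters, nothing else is special.
function globMatch(pattern, value) {
  const parts = pattern.split('*').map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$').test(value);
}

// Evaluate a trust policy against decoded claims; the reason is returned so the
// rejection can be logged. `now` is a unix timestamp (injected for determinism).
function evaluateTrustPolicy(claims, policy, now = Math.floor(Date.now() / 1000)) {
  if (claims.iss !== policy.issuer) return { allowed: false, reason: 'issuer mismatch' };
  if (claims.aud !== policy.audience) return { allowed: false, reason: 'audience mismatch' };
  if (claims.exp <= now) return { allowed: false, reason: 'token expired' };
  if (!policy.subjectPatterns.some(p => globMatch(p, claims.sub)))
    return { allowed: false, reason: `subject ${claims.sub} not trusted` };
  if (policy.workflowRef && claims.job_workflow_ref !== policy.workflowRef)
    return { allowed: false, reason: 'workflow ref mismatch' };
  return { allowed: true, reason: '' };
}

const issuer = 'https://token.actions.githubusercontent.com';

// Constructed claims: a job on an arbitrary branch of a repository that was never
// meant to publish anything, i.e. what an attacker gets by pushing a malicious
// workflow to any repo a compromised maintainer can write to.
const attackerJobClaims = {
  iss: issuer, aud: 'sts.amazonaws.com', iat: 1700000000, exp: 1700000600,
  sub: 'repo:example-org/docs-site:ref:refs/heads/feature/cleanup',
  repository: 'example-org/docs-site', ref: 'refs/heads/feature/cleanup',
  job_workflow_ref: 'example-org/docs-site/.github/workflows/ci.yml@refs/heads/feature/cleanup',
  run_id: '9000001', actor: 'compromised-maintainer',
};

// Weak but common: trusts every repository in the org, on every branch.
const loosePolicy = {
  issuer, audience: 'sts.amazonaws.com', subjectPatterns: ['repo:example-org/*'],
};

// Hardened: one repository, one protected environment, one pinned workflow file.
const strictPolicy = {
  issuer, audience: 'sts.amazonaws.com',
  subjectPatterns: ['repo:example-org/release-pipeline:environment:production'],
  workflowRef: 'example-org/release-pipeline/.github/workflows/publish.yml@refs/heads/main',
};

function demo() {
  const claims = decodeClaims(makeToken(attackerJobClaims));
  return {
    loose: evaluateTrustPolicy(claims, loosePolicy, 1700000100),
    strict: evaluateTrustPolicy(claims, strictPolicy, 1700000100),
  };
}

const verdicts = demo();
console.log('loose policy :', verdicts.loose);   // allowed: true
console.log('strict policy:', verdicts.strict);  // allowed: false, subject not trusted
```

The audience check matters as much as the subject pattern: a token minted for one cloud account's audience should not be accepted by another, and a policy that omits the `job_workflow_ref` pin still lets an attacker who can edit any workflow in the trusted repository and branch mint credentials.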
Red Hat's post-incident statement and Socket's reporting together indicate zero exposure of customer data on console.redhat.com, yet the 36-hour window was still long enough for workstation and pipeline credentials to be exfiltrated at scale. The pattern recurs across 2024-2025 incidents in which an initial supply-chain foothold pivoted to cloud providers through OIDC federation rather than long-lived keys. Mainstream coverage undercounts these secondary infections because most organizations have no telemetry that would reveal silent reuse of CI/CD-minted tokens: a session credential issued to a runner looks legitimate in cloud audit logs unless something correlates its later use back to the job that minted it.
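The detection gap described above is closable with a small correlation over two feeds an organization usually already has: the cloud provider's credential-exchange and API audit events, and the CI provider's record of when each workflow run finished. The following is an added example written for this page, not tooling from Red Hat, Socket or Aikido. The events are constructed and CloudTrail-shaped but simplified (real `AssumeRoleWithWebIdentity` records carry the subject under `subjectFromWebIdentityToken`, and the run id would have to be recovered from a role-session-name convention); the IP addresses, account names and the `detectTokenReuse` function are assumptions made for illustration.

```javascript
// Added example (not Red Hat, Socket or Aikido tooling): flag OIDC-minted cloud
// sessions that were minted by an unexpected workflow, or that are used from a
// second IP or after the CI run that minted them has already finished.
// Events are constructed, CloudTrail-shaped and simplified; names are made up.

const EXPECTED_SUBJECTS = new Set([
  'repo:example-org/release-pipeline:environment:production',
]);

// Constructed events: a legitimate release job, then an unrelated repo's job
// assuming the same role, then that session's key reappearing from a non-runner
// IP after its run has ended (the "silent reuse" the text describes).
const events = [
  { eventTime: '2026-06-01T10:00:00Z', eventName: 'AssumeRoleWithWebIdentity',
    sourceIPAddress: '203.0.113.10', runId: '1001', accessKeyId: 'ASIAEXAMPLE00001',
    subject: 'repo:example-org/release-pipeline:environment:production' },
  { eventTime: '2026-06-01T10:02:00Z', eventName: 'PutObject',
    sourceIPAddress: '203.0.113.10', accessKeyId: 'ASIAEXAMPLE00001' },
  { eventTime: '2026-06-01T11:00:00Z', eventName: 'AssumeRoleWithWebIdentity',
    sourceIPAddress: '203.0.113.11', runId: '1002', accessKeyId: 'ASIAEXAMPLE00002',
    subject: 'repo:example-org/docs-site:ref:refs/heads/feature/cleanup' },
  { eventTime: '2026-06-01T11:01:00Z', eventName: 'GetSecretValue',
    sourceIPAddress: '203.0.113.11', accessKeyId: 'ASIAEXAMPLE00002' },
  { eventTime: '2026-06-01T11:20:00Z', eventName: 'GetSecretValue',
    sourceIPAddress: '198.51.100.7', accessKeyId: 'ASIAEXAMPLE00002' },
];

// Constructed workflow_run completion times keyed by run id (from the GitHub
// audit log or workflow_run webhook). Without this feed, "used after the job
// ended" cannot be decided, which is the telemetry most organizations lack.
const runCompleted = { '1001': '2026-06-01T10:05:00Z', '1002': '2026-06-01T11:03:00Z' };

// Walk events in time order, track each temporary session by its access key id,
// and emit one finding per rule violation. Returns the findings for further triage.
function detectTokenReuse(events, runCompleted, expectedSubjects) {
  const findings = [];
  const sessions = new Map(); // accessKeyId -> { subject, runId, ips: Set<string> }
  for (const e of events) {
    if (e.eventName === 'AssumeRoleWithWebIdentity') {
      sessions.set(e.accessKeyId, { subject: e.subject, runId: e.runId, ips: new Set([e.sourceIPAddress]) });
      if (!expectedSubjects.has(e.subject)) {
        findings.push({ rule: 'unexpected-subject', accessKeyId: e.accessKeyId, subject: e.subject });
      }
      continue;
    }
    const s = sessions.get(e.accessKeyId);
    if (!s) { // session key never seen being minted: log gap or foreign credential
      findings.push({ rule: 'unknown-session', accessKeyId: e.accessKeyId });
      continue;
    }
    if (!s.ips.has(e.sourceIPAddress)) { // runner sessions should not roam
      s.ips.add(e.sourceIPAddress);
      findings.push({ rule: 'multi-ip-session', accessKeyId: e.accessKeyId, ip: e.sourceIPAddress });
    }
    const ended = runCompleted[s.runId];
    if (ended && Date.parse(e.eventTime) > Date.parse(ended)) {
      findings.push({ rule: 'use-after-run-end', accessKeyId: e.accessKeyId, eventName: e.eventName });
    }
  }
  return findings;
}

for (const f of detectTokenReuse(events, runCompleted, EXPECTED_SUBJECTS)) {
  console.log(JSON.stringify(f));
}
```

Run stand-alone it prints three findings: the unexpected subject that minted `ASIAEXAMPLE00002`, the second IP using that session, and the call made after run 1002 had completed. Shortening the session duration requested at `AssumeRoleWithWebIdentity` time narrows the third window but does not remove it, which is why the correlation with run completion is the useful signal.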
Red Hat's internal-only claim aligns with Aikido telemetry showing no production-system impact, yet the breach quantifies a systemic gap: open-source maintainers' workstations remain the weakest link even when the packages never reach public registries. Cross-referencing Snyk's 2025 supply-chain dataset places Red Hat's incident as the fourth OIDC-mediated case in six months, each one escalating attacker access to additional registries.
[AXIOM]: OIDC-mediated pivots from single employee infections will recur until registry maintainers enforce hardware-bound attestations on all CI jobs.
Sources (3)
- [1] Ars Technica: https://arstechnica.com/security/2026/06/dozens-of-red-hat-packages-backdoored-through-its-offical-npm-channel/
- [2] Socket.dev, Red Hat IOCs: https://socket.dev/blog/red-hat-npm-packages
- [3] Aikido Security, Red Hat analysis: https://aikido.dev/blog/red-hat-packages