GHSA-6XWP-CP5H-Q856
Vulnerability from github – Published: 2026-05-19 20:28 – Updated: 2026-05-19 20:28Summary
Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of @beproduct/nestjs-auth (0.1.2 through 0.1.19). The packages contained payloads from the Mini Shai-Hulud npm supply-chain worm campaign described by Aikido Security.
npm Security removed the malicious versions from the registry shortly after publication, but anyone who ran npm install @beproduct/nestjs-auth resolving to any version in the affected range during that window executed the malicious postinstall script and is potentially compromised.
Version 0.1.20 is a clean republish from the original 0.1.1 source tree.
Impact
The postinstall payload attempted to harvest:
- npm tokens (from
~/.npmrc) - GitHub personal access tokens, OAuth tokens (
gho_*), and Actions OIDC tokens - AWS credentials (from environment variables and
~/.aws/credentials) - HashiCorp Vault tokens
- Other secrets present in environment variables
Exfiltration target: https://filev2.getsession.org. The worm also wrote persistence artefacts (tanstack_runner.js, router_init.js, setup.mjs, plus IDE-hook configurations in .claude/ and .vscode/) into the developer's working tree where the malicious install ran.
Indicators of compromise
| Type | Value |
|---|---|
| File name (payload) | tanstack_runner.js, router_init.js, router_runtime.js |
| SHA-256 (tanstack_runner.js) | 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 |
| SHA-256 (router_init.js) | ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c |
| Exfil endpoint | filev2.getsession.org |
| Cloud metadata probe | 169.254.169.254/latest/meta-data/iam/security-credentials/ |
| npm token endpoint | registry.npmjs.org/-/npm/v1/tokens |
| Vault probe | vault.svc.cluster.local:8200 |
| IDE hook pattern | .claude/settings.json SessionStart hook + .vscode/tasks.json runOn: "folderOpen" running node .claude/setup.mjs or node .vscode/setup.mjs |
Mitigation
If you installed any version in the range >=0.1.2 <=0.1.19:
- Remove the package and clean the npm cache:
bash npm uninstall @beproduct/nestjs-auth npm cache clean --force - Install the clean version:
bash npm install @beproduct/nestjs-auth@0.1.20 - Rotate every credential present in the install environment, including:
- All npm publish tokens (
https://www.npmjs.com/settings/<you>/tokens) - All GitHub PATs and OAuth tokens (
https://github.com/settings/applications+https://github.com/settings/tokens) - AWS access keys
- HashiCorp Vault tokens
- Any other secret that was in env vars or config files at install time
- Scan affected hosts for the indicators of compromise above. If any are found, treat the host as compromised and reimage.
- Check committed repository history for unexpected additions in
.claude/or.vscode/directories — the worm is known to commitsetup.mjs+ hook configs to PR branches via automated agent runtimes.
Timeline (UTC)
| Time | Event |
|---|---|
| 2026-05-11 20:19:43 | First malicious version (0.1.2) published |
| 2026-05-11 22:56:39 | Final malicious version (0.1.19) published — 18 versions in 2h37m |
| 2026-05-12 ~14:12 | npm Security removes the malicious versions from the registry |
| 2026-05-13 | BeProduct discovers the incident via Aikido's public disclosure |
| 2026-05-14 | Compromised npm publish token revoked; BeProduct GitHub OAuth credentials rotated |
| 2026-05-14 | Clean release 0.1.20 published; this advisory filed |
Root cause
The compromised npm publish token was harvested by a Mini-Shai-Hulud-infected transitive dependency in an automated GitHub coding-agent runtime that had read access to the NPM_TOKEN GitHub Actions secret for an unrelated repository under the same npm publisher account. The publish itself was performed by the attacker against the public npm registry; the source repository for this package was not modified by the attacker.
References
- https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised
- https://www.aikido.dev/blog/checklist-github-actions ```
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@beproduct/nestjs-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.2"
},
{
"last_affected": "0.1.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46412"
],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T20:28:07Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\nBetween 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of `@beproduct/nestjs-auth` (0.1.2 through 0.1.19). The packages contained payloads from the **Mini Shai-Hulud** npm supply-chain worm campaign described by [Aikido Security](https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised).\n\nnpm Security removed the malicious versions from the registry shortly after publication, but anyone who ran `npm install @beproduct/nestjs-auth` resolving to any version in the affected range during that window executed the malicious postinstall script and is potentially compromised.\n\nVersion `0.1.20` is a clean republish from the original `0.1.1` source tree.\n\n## Impact\n\nThe postinstall payload attempted to harvest:\n\n- npm tokens (from `~/.npmrc`)\n- GitHub personal access tokens, OAuth tokens (`gho_*`), and Actions OIDC tokens\n- AWS credentials (from environment variables and `~/.aws/credentials`)\n- HashiCorp Vault tokens\n- Other secrets present in environment variables\n\nExfiltration target: `https://filev2.getsession.org`. The worm also wrote persistence artefacts (`tanstack_runner.js`, `router_init.js`, `setup.mjs`, plus IDE-hook configurations in `.claude/` and `.vscode/`) into the developer\u0027s working tree where the malicious install ran.\n\n## Indicators of compromise\n\n| Type | Value |\n|---|---|\n| File name (payload) | `tanstack_runner.js`, `router_init.js`, `router_runtime.js` |\n| SHA-256 (tanstack_runner.js) | `2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96` |\n| SHA-256 (router_init.js) | `ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c` |\n| Exfil endpoint | `filev2.getsession.org` |\n| Cloud metadata probe | `169.254.169.254/latest/meta-data/iam/security-credentials/` |\n| npm token endpoint | `registry.npmjs.org/-/npm/v1/tokens` |\n| Vault probe | `vault.svc.cluster.local:8200` |\n| IDE hook pattern | `.claude/settings.json` `SessionStart` hook + `.vscode/tasks.json` `runOn: \"folderOpen\"` running `node .claude/setup.mjs` or `node .vscode/setup.mjs` |\n\n## Mitigation\n\nIf you installed any version in the range `\u003e=0.1.2 \u003c=0.1.19`:\n\n1. **Remove the package and clean the npm cache:**\n ```bash\n npm uninstall @beproduct/nestjs-auth\n npm cache clean --force\n ```\n2. **Install the clean version:**\n ```bash\n npm install @beproduct/nestjs-auth@0.1.20\n ```\n3. **Rotate every credential present in the install environment**, including:\n - All npm publish tokens (`https://www.npmjs.com/settings/\u003cyou\u003e/tokens`)\n - All GitHub PATs and OAuth tokens (`https://github.com/settings/applications` + `https://github.com/settings/tokens`)\n - AWS access keys\n - HashiCorp Vault tokens\n - Any other secret that was in env vars or config files at install time\n4. **Scan affected hosts** for the indicators of compromise above. If any are found, treat the host as compromised and reimage.\n5. **Check committed repository history** for unexpected additions in `.claude/` or `.vscode/` directories \u2014 the worm is known to commit `setup.mjs` + hook configs to PR branches via automated agent runtimes.\n\n## Timeline (UTC)\n\n| Time | Event |\n|---|---|\n| 2026-05-11 20:19:43 | First malicious version (`0.1.2`) published |\n| 2026-05-11 22:56:39 | Final malicious version (`0.1.19`) published \u2014 18 versions in 2h37m |\n| 2026-05-12 ~14:12 | npm Security removes the malicious versions from the registry |\n| 2026-05-13 | BeProduct discovers the incident via Aikido\u0027s public disclosure |\n| 2026-05-14 | Compromised npm publish token revoked; BeProduct GitHub OAuth credentials rotated |\n| 2026-05-14 | Clean release `0.1.20` published; this advisory filed |\n\n## Root cause\n\nThe compromised npm publish token was harvested by a Mini-Shai-Hulud-infected transitive dependency in an automated GitHub coding-agent runtime that had read access to the `NPM_TOKEN` GitHub Actions secret for an unrelated repository under the same npm publisher account. The publish itself was performed by the attacker against the public npm registry; the source repository for this package was not modified by the attacker.\n\n## References\n\n- https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised\n- https://www.aikido.dev/blog/checklist-github-actions\n```",
"id": "GHSA-6xwp-cp5h-q856",
"modified": "2026-05-19T20:28:07Z",
"published": "2026-05-19T20:28:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/BeProduct/beproduct-org-nestjs-auth/security/advisories/GHSA-6xwp-cp5h-q856"
},
{
"type": "PACKAGE",
"url": "https://github.com/BeProduct/beproduct-org-nestjs-auth"
},
{
"type": "WEB",
"url": "https://www.aikido.dev/blog/checklist-github-actions"
},
{
"type": "WEB",
"url": "https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) \u2014 Mini Shai-Hulud worm"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.