GHSA-6XWP-CP5H-Q856

Vulnerability from github – Published: 2026-05-19 20:28 – Updated: 2026-05-19 20:28
VLAI
Summary
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm
Details

Summary

Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of @beproduct/nestjs-auth (0.1.2 through 0.1.19). The packages contained payloads from the Mini Shai-Hulud npm supply-chain worm campaign described by Aikido Security.

npm Security removed the malicious versions from the registry shortly after publication, but anyone who ran npm install @beproduct/nestjs-auth resolving to any version in the affected range during that window executed the malicious postinstall script and is potentially compromised.

Version 0.1.20 is a clean republish from the original 0.1.1 source tree.

Impact

The postinstall payload attempted to harvest:

  • npm tokens (from ~/.npmrc)
  • GitHub personal access tokens, OAuth tokens (gho_*), and Actions OIDC tokens
  • AWS credentials (from environment variables and ~/.aws/credentials)
  • HashiCorp Vault tokens
  • Other secrets present in environment variables

Exfiltration target: https://filev2.getsession.org. The worm also wrote persistence artefacts (tanstack_runner.js, router_init.js, setup.mjs, plus IDE-hook configurations in .claude/ and .vscode/) into the developer's working tree where the malicious install ran.

Indicators of compromise

Type Value
File name (payload) tanstack_runner.js, router_init.js, router_runtime.js
SHA-256 (tanstack_runner.js) 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96
SHA-256 (router_init.js) ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
Exfil endpoint filev2.getsession.org
Cloud metadata probe 169.254.169.254/latest/meta-data/iam/security-credentials/
npm token endpoint registry.npmjs.org/-/npm/v1/tokens
Vault probe vault.svc.cluster.local:8200
IDE hook pattern .claude/settings.json SessionStart hook + .vscode/tasks.json runOn: "folderOpen" running node .claude/setup.mjs or node .vscode/setup.mjs

Mitigation

If you installed any version in the range >=0.1.2 <=0.1.19:

  1. Remove the package and clean the npm cache: bash npm uninstall @beproduct/nestjs-auth npm cache clean --force
  2. Install the clean version: bash npm install @beproduct/nestjs-auth@0.1.20
  3. Rotate every credential present in the install environment, including:
  4. All npm publish tokens (https://www.npmjs.com/settings/<you>/tokens)
  5. All GitHub PATs and OAuth tokens (https://github.com/settings/applications + https://github.com/settings/tokens)
  6. AWS access keys
  7. HashiCorp Vault tokens
  8. Any other secret that was in env vars or config files at install time
  9. Scan affected hosts for the indicators of compromise above. If any are found, treat the host as compromised and reimage.
  10. Check committed repository history for unexpected additions in .claude/ or .vscode/ directories — the worm is known to commit setup.mjs + hook configs to PR branches via automated agent runtimes.

Timeline (UTC)

Time Event
2026-05-11 20:19:43 First malicious version (0.1.2) published
2026-05-11 22:56:39 Final malicious version (0.1.19) published — 18 versions in 2h37m
2026-05-12 ~14:12 npm Security removes the malicious versions from the registry
2026-05-13 BeProduct discovers the incident via Aikido's public disclosure
2026-05-14 Compromised npm publish token revoked; BeProduct GitHub OAuth credentials rotated
2026-05-14 Clean release 0.1.20 published; this advisory filed

Root cause

The compromised npm publish token was harvested by a Mini-Shai-Hulud-infected transitive dependency in an automated GitHub coding-agent runtime that had read access to the NPM_TOKEN GitHub Actions secret for an unrelated repository under the same npm publisher account. The publish itself was performed by the attacker against the public npm registry; the source repository for this package was not modified by the attacker.

References

  • https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised
  • https://www.aikido.dev/blog/checklist-github-actions ```
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@beproduct/nestjs-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.2"
            },
            {
              "last_affected": "0.1.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T20:28:07Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nBetween 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of `@beproduct/nestjs-auth` (0.1.2 through 0.1.19). The packages contained payloads from the **Mini Shai-Hulud** npm supply-chain worm campaign described by [Aikido Security](https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised).\n\nnpm Security removed the malicious versions from the registry shortly after publication, but anyone who ran `npm install @beproduct/nestjs-auth` resolving to any version in the affected range during that window executed the malicious postinstall script and is potentially compromised.\n\nVersion `0.1.20` is a clean republish from the original `0.1.1` source tree.\n\n## Impact\n\nThe postinstall payload attempted to harvest:\n\n- npm tokens (from `~/.npmrc`)\n- GitHub personal access tokens, OAuth tokens (`gho_*`), and Actions OIDC tokens\n- AWS credentials (from environment variables and `~/.aws/credentials`)\n- HashiCorp Vault tokens\n- Other secrets present in environment variables\n\nExfiltration target: `https://filev2.getsession.org`. The worm also wrote persistence artefacts (`tanstack_runner.js`, `router_init.js`, `setup.mjs`, plus IDE-hook configurations in `.claude/` and `.vscode/`) into the developer\u0027s working tree where the malicious install ran.\n\n## Indicators of compromise\n\n| Type | Value |\n|---|---|\n| File name (payload) | `tanstack_runner.js`, `router_init.js`, `router_runtime.js` |\n| SHA-256 (tanstack_runner.js) | `2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96` |\n| SHA-256 (router_init.js) | `ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c` |\n| Exfil endpoint | `filev2.getsession.org` |\n| Cloud metadata probe | `169.254.169.254/latest/meta-data/iam/security-credentials/` |\n| npm token endpoint | `registry.npmjs.org/-/npm/v1/tokens` |\n| Vault probe | `vault.svc.cluster.local:8200` |\n| IDE hook pattern | `.claude/settings.json` `SessionStart` hook + `.vscode/tasks.json` `runOn: \"folderOpen\"` running `node .claude/setup.mjs` or `node .vscode/setup.mjs` |\n\n## Mitigation\n\nIf you installed any version in the range `\u003e=0.1.2 \u003c=0.1.19`:\n\n1. **Remove the package and clean the npm cache:**\n   ```bash\n   npm uninstall @beproduct/nestjs-auth\n   npm cache clean --force\n   ```\n2. **Install the clean version:**\n   ```bash\n   npm install @beproduct/nestjs-auth@0.1.20\n   ```\n3. **Rotate every credential present in the install environment**, including:\n   - All npm publish tokens (`https://www.npmjs.com/settings/\u003cyou\u003e/tokens`)\n   - All GitHub PATs and OAuth tokens (`https://github.com/settings/applications` + `https://github.com/settings/tokens`)\n   - AWS access keys\n   - HashiCorp Vault tokens\n   - Any other secret that was in env vars or config files at install time\n4. **Scan affected hosts** for the indicators of compromise above. If any are found, treat the host as compromised and reimage.\n5. **Check committed repository history** for unexpected additions in `.claude/` or `.vscode/` directories \u2014 the worm is known to commit `setup.mjs` + hook configs to PR branches via automated agent runtimes.\n\n## Timeline (UTC)\n\n| Time | Event |\n|---|---|\n| 2026-05-11 20:19:43 | First malicious version (`0.1.2`) published |\n| 2026-05-11 22:56:39 | Final malicious version (`0.1.19`) published \u2014 18 versions in 2h37m |\n| 2026-05-12 ~14:12 | npm Security removes the malicious versions from the registry |\n| 2026-05-13 | BeProduct discovers the incident via Aikido\u0027s public disclosure |\n| 2026-05-14 | Compromised npm publish token revoked; BeProduct GitHub OAuth credentials rotated |\n| 2026-05-14 | Clean release `0.1.20` published; this advisory filed |\n\n## Root cause\n\nThe compromised npm publish token was harvested by a Mini-Shai-Hulud-infected transitive dependency in an automated GitHub coding-agent runtime that had read access to the `NPM_TOKEN` GitHub Actions secret for an unrelated repository under the same npm publisher account. The publish itself was performed by the attacker against the public npm registry; the source repository for this package was not modified by the attacker.\n\n## References\n\n- https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised\n- https://www.aikido.dev/blog/checklist-github-actions\n```",
  "id": "GHSA-6xwp-cp5h-q856",
  "modified": "2026-05-19T20:28:07Z",
  "published": "2026-05-19T20:28:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/BeProduct/beproduct-org-nestjs-auth/security/advisories/GHSA-6xwp-cp5h-q856"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/BeProduct/beproduct-org-nestjs-auth"
    },
    {
      "type": "WEB",
      "url": "https://www.aikido.dev/blog/checklist-github-actions"
    },
    {
      "type": "WEB",
      "url": "https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) \u2014 Mini Shai-Hulud worm"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…