VYPR
Critical severity (10.0) · GHSA Advisory · Published May 19, 2026 · Updated May 19, 2026

Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm

CVE-2026-46412

Description

Summary

Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of @beproduct/nestjs-auth (0.1.2 through 0.1.19). The packages contained payloads from the Mini Shai-Hulud npm supply-chain worm campaign described by Aikido Security.

npm Security removed the malicious versions from the registry the following day (see the timeline below), but anyone whose npm install resolved @beproduct/nestjs-auth to any version in the affected range between first publication and removal executed the malicious postinstall script and is potentially compromised. This includes installs that pulled the package in as a transitive dependency, since npm runs lifecycle scripts for those too. Installs run with npm's ignore-scripts setting did not execute the payload, although the malicious tarball was still downloaded.

Version 0.1.20 is a clean republish from the original 0.1.1 source tree.

Impact

The postinstall payload attempted to harvest:

  • npm tokens (from ~/.npmrc)
  • GitHub personal access tokens, OAuth tokens (gho_*), and Actions OIDC tokens
  • AWS credentials (from environment variables and ~/.aws/credentials)
  • HashiCorp Vault tokens
  • Other secrets present in environment variables

Exfiltration target: https://filev2.getsession.org. The worm also wrote persistence artefacts (tanstack_runner.js, router_init.js, setup.mjs, plus IDE-hook configurations in .claude/ and .vscode/) into the developer's working tree where the malicious install ran.

Indicators of compromise

| Type | Value |
|---|---|
| File name (payload) | tanstack_runner.js, router_init.js, router_runtime.js |
| SHA-256 (tanstack_runner.js) | 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 |
| SHA-256 (router_init.js) | ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c |
| Exfil endpoint | filev2.getsession.org |
| Cloud metadata probe | 169.254.169.254/latest/meta-data/iam/security-credentials/ |
| npm token endpoint | registry.npmjs.org/-/npm/v1/tokens |
| Vault probe | vault.svc.cluster.local:8200 |
| IDE hook pattern | .claude/settings.json SessionStart hook + .vscode/tasks.json runOn: "folderOpen" running node .claude/setup.mjs or node .vscode/setup.mjs |

Mitigation

If you installed any version in the range >=0.1.2 <=0.1.19:

1. Remove the package and clean the npm cache:

   ```bash
   npm uninstall @beproduct/nestjs-auth
   npm cache clean --force
   ```

2. Install the clean version:

   ```bash
   npm install @beproduct/nestjs-auth@0.1.20
   ```

3. Rotate every credential present in the install environment, including:
   - All npm publish tokens (https://www.npmjs.com/settings//tokens)
   - All GitHub PATs and OAuth tokens (https://github.com/settings/applications + https://github.com/settings/tokens)
   - AWS access keys
   - HashiCorp Vault tokens
   - Any other secret that was in env vars or config files at install time

4. Scan affected hosts for the indicators of compromise above. If any are found, treat the host as compromised and reimage.

5. Check committed repository history for unexpected additions in .claude/ or .vscode/ directories; the worm is known to commit setup.mjs + hook configs to PR branches via automated agent runtimes.

Timeline (UTC)

| Time | Event |
|---|---|
| 2026-05-11 20:19:43 | First malicious version (0.1.2) published |
| 2026-05-11 22:56:39 | Final malicious version (0.1.19) published; 18 versions in 2h37m |
| 2026-05-12 ~14:12 | npm Security removes the malicious versions from the registry |
| 2026-05-13 | BeProduct discovers the incident via Aikido's public disclosure |
| 2026-05-14 | Compromised npm publish token revoked; BeProduct GitHub OAuth credentials rotated |
| 2026-05-14 | Clean release 0.1.20 published; this advisory filed |

Root cause

The compromised npm publish token was harvested by a Mini-Shai-Hulud-infected transitive dependency in an automated GitHub coding-agent runtime that had read access to the NPM_TOKEN GitHub Actions secret for an unrelated repository under the same npm publisher account. The publish itself was performed by the attacker against the public npm registry; the source repository for this package was not modified by the attacker.

References

- https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised
- https://www.aikido.dev/blog/checklist-github-actions

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An attacker holding a compromised npm publish token published 18 malicious versions of @beproduct/nestjs-auth (0.1.2–0.1.19) carrying the Mini Shai-Hulud worm, which steals credentials from a postinstall script.

Vulnerability

Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of @beproduct/nestjs-auth (0.1.2 through 0.1.19) [2][3][4]. These versions contain the Mini Shai-Hulud supply-chain worm payload, which runs as a postinstall script during npm install [2]. Version 0.1.20 is a clean republish from the original 0.1.1 source tree [3][4]. The malicious versions were removed from the npm registry by npm Security the day after publication [2][3][4].

Exploitation

An attacker requires a compromised npm publish token (or equivalent access) to push malicious versions to the registry [2][3]. No user interaction is needed beyond running npm install @beproduct/nestjs-auth (directly or via a dependent package) and resolving to any version in the affected range between first publication at 20:19 UTC on 2026-05-11 and removal from the registry the following day [1][4]. The install triggers the malicious postinstall script automatically [2][3][4].

Impact

On successful execution, the postinstall payload exfiltrates npm tokens from ~/.npmrc, GitHub personal access tokens and OAuth tokens (gho_*), GitHub Actions OIDC tokens, AWS credentials from environment variables and ~/.aws/credentials, HashiCorp Vault tokens, and other secrets in environment variables [3][4]. The exfiltration target is https://filev2.getsession.org [3][4]. The worm also writes persistence artifacts (tanstack_runner.js, router_init.js, setup.mjs) and modifies IDE hook configurations in .claude/ and .vscode/ directories [3][4].

Mitigation

Users should immediately run npm uninstall @beproduct/nestjs-auth && npm cache clean --force and install the clean version 0.1.20 [3][4]. All credentials present in the install environment at the time of the malicious install must be rotated, including npm tokens, GitHub tokens, AWS keys, and Vault tokens [3][4]. Systems should be scanned for indicators of compromise, including the file names tanstack_runner.js, router_init.js, router_runtime.js, and network egress to filev2.getsession.org [3][4]. The advisory GHSA-6xwp-cp5h-q856 provides the full IOC list [4]. No workaround exists for already-compromised installations.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
