A self-replicating worm that hijacks GitHub Actions pipelines to publish malicious npm packages has struck again, compromising AntV, echarts-for-react, and Microsoft’s durabletask SDK.
Key Takeaways
Mini Shai-Hulud Exploits GitHub Actions to Hit 16 Million Weekly Downloads
The Mini Shai-Hulud campaign, attributed to the threat group Team PCP, does not work the way most supply chain attacks do: rather than stealing a developer’s credentials and publishing directly, the attacker forks a target repository on GitHub and opens a pull request that triggers a `pull_request_target` workflow.
This poisons the GitHub Actions cache with a malicious pnpm store, and from that point the infected packages carry valid signed certificates and pass SLSA provenance checks, making them look entirely clean to standard security tooling.
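As an added illustration that is not part of the article, the workflow pattern described above is shown beside its safe form, followed by a small heuristic check a defender can run over a repository's workflow files; both workflows are constructed samples, not any affected project's configuration, and the regexes are my own assumptions about how the pattern appears in YAML.

```python
import re

# Constructed sample (not from any real project): pull_request_target gives the
# job the base repository's token and secrets, yet it checks out and installs the
# fork's code; what that install writes to the Actions cache is keyed to the base
# branch and restored by later trusted runs.
VULNERABLE = """
on:
  pull_request_target:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
      - run: pnpm install
"""
# Same job on the plain pull_request trigger: a fork PR gets a read-only token,
# no secrets, and its cache entries stay scoped to the PR branch.
HARDENED = """
on:
  pull_request:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
      - run: pnpm install
"""
TRIGGER = re.compile(r"\bpull_request_target\b")
# Checkout refs that point at the pull request's untrusted code.
UNTRUSTED_REF = re.compile(
    r"ref:\s*(\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)"
    r"\s*\}\}|refs/pull/)")
INSTALL = re.compile(r"\b(pnpm|npm|yarn)\s+(install|i|ci)\b")

def audit_workflow(text: str) -> list[str]:
    """Regex triage of one workflow file (not a YAML parser); [] means nothing flagged."""
    findings = []
    if not TRIGGER.search(text):
        return findings  # fork PRs on pull_request are isolated from the base repo
    if UNTRUSTED_REF.search(text):
        findings.append("pull_request_target checks out the PR head: fork code runs with the base repository's token and secrets")
        if INSTALL.search(text):
            findings.append("dependency install runs on that untrusted checkout: its cache writes land in the base branch scope")
    return findings
```

Run it over every file under `.github/workflows/` and treat any non-empty result as a review item; a `pull_request_target` job that never checks out PR code (for example, one that only labels the PR) is not flagged.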
On May 19, the latest wave struck the AntV data visualization ecosystem as attackers gained access to a compromised maintainer account in the @atool namespace and published more than 300 malicious package versions across 323 packages in a 22-minute automated burst.
Among the affected packages is echarts-for-react, a React wrapper for Apache ECharts with roughly 1.1 million weekly downloads. The collective weekly download count across all affected packages in this wave is estimated at about 16 million.
The most alarming technical detail is what happens if a developer tries to intervene. The malware installs a dead-man’s switch, i.e., a shell script that polls GitHub’s API every 60 seconds to check whether the npm token it created has been revoked. That token carries the description “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner,” and if a developer revokes it, the script immediately wipes the infected machine’s home directory.
The malware also steals credentials from GitHub, AWS, Azure, GCP, Kubernetes, HashiCorp Vault, and over 90 developer tool configurations before spreading laterally across connected cloud infrastructure.
One Attack, Multiple Casualties
The campaign simultaneously hit the Python Package Index (PyPI) as three malicious versions of Microsoft’s official durabletask Python SDK were published on May 19, silently downloading and executing a 28 KB credential-stealing payload (capable of running across AWS, Azure, and GCP environments after initial execution).
GitHub responded on May 20 with an announcement outlining three core changes to npm publishing, namely bulk OIDC onboarding to help organizations migrate hundreds of packages to trusted publishing at scale, expanded OIDC provider support beyond GitHub Actions and GitLab, and a new staged publishing model that gives maintainers a review window before packages go live, requiring multi-factor authentication (MFA) approval.
The company also plans to deprecate legacy classic tokens, migrate users to FIDO-based 2FA, and disallow token-based publishing by default. In the earlier wave of the campaign in September 2025, GitHub removed over 500 compromised packages from the npm registry.
Blockchain security firm SlowMist had raised an early warning on May 14 after flagging three malicious versions of node-ipc, a package with 822,000 weekly downloads, as part of the same campaign.
Developers using any of the flagged packages have been advised to audit dependency trees immediately, rotate all credentials without revoking the malicious token first, and check the indicators of compromise published by Snyk, Wiz, Socket.dev, and StepSecurity.