Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm

Verhoogd (55/100): deze week beoordelen. Zwaarst wegend: technische ernst en gemeentelijke relevantie.

De priority_score is de Action Urgency Score: een gewogen combinatie van de technische ernst, de exploitatie en de gemeentelijke relevantie.

## Summary Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of `@beproduct/nestjs-auth` (0.1.2 through 0.1.19). The packages contained payloads from the **Mini Shai-Hulud** npm supply-chain worm campaign described by [Aikido Security](https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised). npm Security removed the malicious versions from the registry shortly after publication, but anyone who ran `npm install @beproduct/nestjs-auth` resolving to any version in the affected range during that window executed the malicious postinstall script and is potentially compromised. Version `0.1.20` is a clean republish from the original `0.1.1` source tree. ## Impact The postinstall payload attempted to harvest: - npm tokens (from `~/.npmrc`) - GitHub personal access tokens, OAuth tokens (`gho_*`), and Actions OIDC tokens - AWS credentials (from environment variables and `~/.aws/credentials`) - HashiCorp Vault tokens - Other secrets present in environment variables Exfiltration target: `https://filev2.getsession.org`. The worm also wrote persistence artefacts (`tanstack_runner.js`, `router_init.js`, `setup.mjs`, plus IDE-hook configurations in `.claude/` and `.vscode/`) into the developer's working tree where the malicious install ran. ## Indicators of compromise | Type | Value | |---|---| | File name (payload) | `tanstack_runner.js`, `router_init.js`, `router_runtime.js` | | SHA-256 (tanstack_runner.js) | `2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96` | | SHA-256 (router_init.js) | `ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c` | | Exfil endpoint | `filev2.getsession.org` | | Cloud metadata probe | `169.254.169.254/latest/meta-data/iam/security-credentials/` | | npm token endpoint | `registry.npmjs.org/-/npm/v1/tokens` | | Vault probe | `vault.svc.cluster.local:8200` | | IDE hook pattern | `.claude/settings.json` `SessionStart` hook + `.vscode/tasks.json` `runOn: "folderOpen"` running `node .claude/setup.mjs` or `node .vscode/setup.mjs` | ## Mitigation If you installed any version in the range `>=0.1.2 <=0.1.19`: 1. **Remove the package and clean the npm cache:** ```bash npm uninstall @beproduct/nestjs-auth npm cache clean --force ``` 2. **Install the clean version:** ```bash npm install @beproduct/nestjs-auth@0.1.20 ``` 3. **Rotate every credential present in the install environment**, including: - All npm publish tokens (`https://www.npmjs.com/settings/ /tokens`) - All GitHub PATs and OAuth tokens (`https://github.com/settings/applications` + `https://github.com/settings/tokens`) - AWS access keys - HashiCorp Vault tokens - Any other secret that was in env vars or config files at install time 4. **Scan affected hosts** for the indicators of compromise above. If any are found, treat the host as compromised and reimage. 5. **Check committed repository history** for unexpected additions in `.claude/` or `.vscode/` directories — the worm is known to commit `setup.mjs` + hook configs to PR branches via automated agent runtimes. ## Timeline (UTC) | Time | Event | |---|---| | 2026-05-11 20:19:43 | First malicious version (`0.1.2`) published | | 2026-05-11 22:56:39 | Final malicious version (`0.1.19`) published — 18 versions in 2h37m | | 2026-05-12 ~14:12 | npm Security removes the malicious versions from the registry | | 2026-05-13 | BeProduct discovers the incident via Aikido's public disclosure | | 2026-05-14 | Compromised npm publish token revoked; BeProduct GitHub OAuth credentials rotated | | 2026-05-14 | Clean release `0.1.20` published; this advisory filed | ## Root cause The compromised npm publish token was harvested by a Mini-Shai-Hulud-infected transitive dependency in an automated GitHub coding-agent runtime that had read access to the `NPM_TOKEN` GitHub Actions secret for an unrelated repository under the same npm publisher account. The publish itself was performed by the attacker against the publ