CVE-2026-46412: Malicious Code in @beproduct/nestjs-auth (0.1.2-0.1.19) Can Steal Secrets
GHSA-6xwp-cp5h-q856
CVE-2026-46412
Summary
Between May 11 and May 22, 2026, malicious versions of the @beproduct/nestjs-auth package were published on npm. These versions contained code that could steal sensitive information like login tokens, AWS credentials, and other secrets from your computer. If you installed any version of this package during that time, you should review your computer's security and take steps to prevent further unauthorized access.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | beproduct | nestjs-auth | >= 0.1.2, <= 0.1.19 |
Original title
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm
Original description
## Summary
Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of `@beproduct/nestjs-auth` (0.1.2 through 0.1.19). The packages contained payloads from the **Mini Shai-Hulud** npm supply-chain worm campaign described by [Aikido Security](https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised).
npm Security removed the malicious versions from the registry shortly after publication, but anyone who ran `npm install @beproduct/nestjs-auth` resolving to any version in the affected range during that window executed the malicious postinstall script and is potentially compromised.
Version `0.1.20` is a clean republish from the original `0.1.1` source tree.
## Impact
The postinstall payload attempted to harvest:
- npm tokens (from `~/.npmrc`)
- GitHub personal access tokens, OAuth tokens (`gho_*`), and Actions OIDC tokens
- AWS credentials (from environment variables and `~/.aws/credentials`)
- HashiCorp Vault tokens
- Other secrets present in environment variables
Exfiltration target: `https://filev2.getsession.org`. The worm also wrote persistence artefacts (`tanstack_runner.js`, `router_init.js`, `setup.mjs`, plus IDE-hook configurations in `.claude/` and `.vscode/`) into the developer's working tree where the malicious install ran.
## Indicators of compromise
| Type | Value |
|---|---|
| File name (payload) | `tanstack_runner.js`, `router_init.js`, `router_runtime.js` |
| SHA-256 (tanstack_runner.js) | `2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96` |
| SHA-256 (router_init.js) | `ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c` |
| Exfil endpoint | `filev2.getsession.org` |
| Cloud metadata probe | `169.254.169.254/latest/meta-data/iam/security-credentials/` |
| npm token endpoint | `registry.npmjs.org/-/npm/v1/tokens` |
| Vault probe | `vault.svc.cluster.local:8200` |
| IDE hook pattern | `.claude/settings.json` `SessionStart` hook + `.vscode/tasks.json` `runOn: "folderOpen"` running `node .claude/setup.mjs` or `node .vscode/setup.mjs` |
## Mitigation
If you installed any version in the range `>=0.1.2 <=0.1.19`:
1. **Remove the package and clean the npm cache:**
```bash
npm uninstall @beproduct/nestjs-auth
npm cache clean --force
```
2. **Install the clean version:**
```bash
npm install @beproduct/nestjs-auth@0.1.20
```
3. **Rotate every credential present in the install environment**, including:
- All npm publish tokens (`https://www.npmjs.com/settings/<you>/tokens`)
- All GitHub PATs and OAuth tokens (`https://github.com/settings/applications` + `https://github.com/settings/tokens`)
- AWS access keys
- HashiCorp Vault tokens
- Any other secret that was in env vars or config files at install time
4. **Scan affected hosts** for the indicators of compromise above. If any are found, treat the host as compromised and reimage.
5. **Check committed repository history** for unexpected additions in `.claude/` or `.vscode/` directories — the worm is known to commit `setup.mjs` + hook configs to PR branches via automated agent runtimes.
## Timeline (UTC)
| Time | Event |
|---|---|
| 2026-05-11 20:19:43 | First malicious version (`0.1.2`) published |
| 2026-05-11 22:56:39 | Final malicious version (`0.1.19`) published — 18 versions in 2h37m |
| 2026-05-12 ~14:12 | npm Security removes the malicious versions from the registry |
| 2026-05-13 | BeProduct discovers the incident via Aikido's public disclosure |
| 2026-05-14 | Compromised npm publish token revoked; BeProduct GitHub OAuth credentials rotated |
| 2026-05-14 | Clean release `0.1.20` published; this advisory filed |
## Root cause
The compromised npm publish token was harvested by a Mini-Shai-Hulud-infected transitive dependency in an automated GitHub coding-agent runtime that had read access to the `NPM_TOKEN` GitHub Actions secret for an unrelated repository under the same npm publisher account. The publish itself was performed by the attacker against the public npm registry; the source repository for this package was not modified by the attacker.
## References
- https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised
- https://www.aikido.dev/blog/checklist-github-actions
CVSS 3.1 (GHSA): 10.0
Vulnerability type: CWE-506 Embedded Malicious Code
Published: 19 May 2026 · Updated: 19 May 2026 · First seen: 19 May 2026