critical advisory

Malicious @beproduct/nestjs-auth Package Contains Mini Shai-Hulud Worm (CVE-2026-46412)

Between May 11th and May 12th of 2026, a threat actor used a compromised npm publish token to push 18 malicious versions of the '@beproduct/nestjs-auth' package (versions 0.1.2 through 0.1.19) carrying payloads from the Mini Shai-Hulud npm supply-chain worm campaign. The payloads exfiltrated npm tokens, GitHub PATs/OAuth tokens, AWS credentials, and Vault tokens from affected developer environments.

Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of @beproduct/nestjs-auth (0.1.2 through 0.1.19). The packages contained payloads from the Mini Shai-Hulud npm supply-chain worm campaign. This campaign is also described by Aikido Security, indicating a resurgence of known tactics. npm Security removed the malicious versions from the registry shortly after publication, but any developer who ran npm install @beproduct/nestjs-auth resolving to a version in the affected range during that window executed the malicious postinstall script, potentially compromising their environment. Version 0.1.20 is a clean republish. This incident underscores the risks of supply chain attacks targeting developer tooling and the importance of securing npm publish tokens. CVE-2026-46412 is assigned to this vulnerability.

Attack Chain

  1. Attacker compromises an npm publish token.
  2. Attacker publishes malicious versions (0.1.2 - 0.1.19) of the @beproduct/nestjs-auth package to the npm registry.
  3. A developer unknowingly installs a malicious version of the package via npm install @beproduct/nestjs-auth.
  4. The malicious package’s postinstall script executes.
  5. The postinstall script attempts to harvest npm tokens (~/.npmrc), GitHub PATs/OAuth tokens, AWS credentials (env vars, ~/.aws/credentials), HashiCorp Vault tokens, and other secrets from environment variables.
  6. The harvested secrets are exfiltrated to https://filev2.getsession.org.
  7. The script writes persistence artifacts (tanstack_runner.js, router_init.js, setup.mjs) and IDE hook configurations (.claude/, .vscode/) into the developer’s working tree.
  8. The worm attempts to commit setup.mjs and hook configurations to PR branches.

Impact

This supply chain attack compromised developer environments by injecting malicious code via a popular npm package. Successful exploitation allowed the attacker to steal sensitive credentials, including npm tokens, GitHub PATs/OAuth tokens, AWS credentials, and HashiCorp Vault tokens. The exfiltration of these secrets could lead to further compromise of the victim’s infrastructure, including source code repositories, cloud environments, and CI/CD pipelines. The persistence mechanisms ensure that the attacker maintains access even after the initial infection vector is removed. There is no reliable data about the precise number of victims, but any developer who installed the package within the 2 hour 37 minute window is potentially compromised.

Recommendation

  • Deploy the “Detect Suspicious NPM Package Postinstall Script” Sigma rule to detect execution of malicious postinstall scripts based on process names, file paths and network connections.
  • Deploy the “Detect Mini Shai-Hulud Exfiltration” Sigma rule to detect connections to the exfiltration domain filev2.getsession.org.
  • Block the exfiltration domain filev2.getsession.org at the network perimeter using the IOC table.
  • Monitor for connections to cloud metadata endpoints (169.254.169.254) and Vault probes (vault.svc.cluster.local:8200) from developer workstations; such connections are unusual from workstations and may indicate a compromised environment. Both endpoints are listed in the IOC table.
  • Scan systems for the presence of persistence artifacts such as tanstack_runner.js, router_init.js, and suspicious IDE configuration files in .claude/ and .vscode/ directories as listed in the IOC table.
  • Immediately rotate all potentially exposed credentials if any version in the range >=0.1.2 <=0.1.19 of @beproduct/nestjs-auth was installed in your environment, as described in the mitigation steps.

Detection coverage (2 rules)

Detect Suspicious NPM Package Postinstall Script

Severity: high

Detects the execution of suspicious postinstall scripts in npm packages based on common process names, file paths, and network connections associated with malicious activity.

Format: Sigma. Tactics: defense_evasion, execution. Techniques: T1059.001, T1204.002. Log sources: process_creation (windows).

Detect Mini Shai-Hulud Exfiltration

Severity: medium

Detects connections to the Mini Shai-Hulud exfiltration domain filev2.getsession.org.

Format: Sigma. Tactics: exfiltration. Techniques: T1041. Log sources: network_connection (windows).

Detection queries are available on the platform.

Indicators of compromise (6: 2 domain, 2 hash_sha256, 1 ip, 1 url)

Type         Value
url          https://filev2.getsession.org
ip           169.254.169.254
domain       registry.npmjs.org
domain       vault.svc.cluster.local
hash_sha256  2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96
hash_sha256  ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c