TechFlow reports that on May 12, SlowMist’s (@SlowMist_Team) threat monitoring system MistEye detected a highly sophisticated npm worm named “Mini Shai-Hulud,” spreading via well-known developer projects including TanStack, UiPath, and DraftLab. Attackers hijacked GitHub credentials to publish malicious packages disguised as legitimate updates, embedding a hidden script—router_init.js—that executes silently within CI/CD environments such as GitHub Actions. This script specifically steals CI/CD keys, cloud infrastructure credentials, and cryptocurrency wallet information, leveraging GitHub’s own infrastructure to exfiltrate stolen data.
SlowMist has shared related threat intelligence (IOCs) with its customers. It recommends that projects using the affected packages immediately inspect their CI/CD pipelines for the presence of router_init.js, rotate all exposed GitHub, cloud service, and cryptocurrency credentials, and continuously monitor development environments for anomalous background activity.
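The inspection step recommended above, as an added example (not code from SlowMist, TechFlow, or any affected project): a scanner that walks a checkout or CI workspace, including nested node_modules, reports every router_init.js together with the package that ships it, and exits non-zero so a pipeline step fails on a hit. Only the file name comes from this report; the SHA-256 is printed so it can be compared against IOCs obtained separately, and the function names are assumptions of this example.

```python
import hashlib
import json
import os
import sys

TARGET = "router_init.js"  # the only indicator named in this report


def owning_package(path, root):
    """Climb from path toward root; return (name, version) of the nearest package.json."""
    root = os.path.abspath(root)
    cur = os.path.dirname(os.path.abspath(path))
    while True:
        manifest = os.path.join(cur, "package.json")
        if os.path.isfile(manifest):
            try:
                with open(manifest, encoding="utf-8") as fh:
                    meta = json.load(fh)
                if isinstance(meta, dict):
                    return str(meta.get("name", "?")), str(meta.get("version", "?"))
            except (OSError, ValueError):
                pass  # unreadable or malformed manifest: keep climbing
        parent = os.path.dirname(cur)
        if cur == root or parent == cur:
            return "?", "?"  # reached the scan root without finding a manifest
        cur = parent


def find_router_init(root):
    """Return one finding per router_init.js under root, nested node_modules included."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            pkg, version = owning_package(path, root)
            findings.append({"path": path, "package": pkg,
                             "version": version, "sha256": digest})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    hits = find_router_init(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in hits:
        print("{package}@{version}  {path}  sha256={sha256}".format(**hit))
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI job on any hit
```

Run it against the repository root after dependencies are installed; the package name and version in each finding identify which dependency to pin or remove.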




