
Mini Shai-Hulud worm hits 170+ npm packages

AICrier tracks AI developer news across Product Hunt, GitHub, Hacker News, YouTube, X, arXiv, and more.

// SECURITY INCIDENT


The Mini Shai-Hulud worm compromised more than 170 npm packages, including the TanStack ecosystem, by scraping secrets out of GitHub Actions runner memory and hijacking the OIDC tokens those workflows use to publish. The malware carries a destructive "dead-man's switch" that wipes the infected host if the stolen credentials are revoked, a marked escalation in automated supply-chain attacks.

// ANALYSIS

Mini Shai-Hulud is a landmark security incident: it weaponizes modern CI/CD primitives, OIDC-based trusted publishing and SLSA provenance among them, to distribute malware that ships with valid, authenticated attestations.

  • The malware reads `/proc/{pid}/mem` on the GitHub Actions runner to pull secrets out of process memory in the clear. GitHub's secret masking only redacts values from log output; it does nothing for the runner's own memory, so the protection most workflows rely on is bypassed.
  • Because the hijacked OIDC token belongs to the project's own publish workflow, the worm publishes malicious versions carrying valid SLSA Build Level 3 provenance attestations that name the legitimate workflow as the builder.
  • A "dead-man's switch" installs local persistence that monitors whether the stolen tokens are still valid; revoking them triggers an immediate wipe of the infected host's root directory.
  • The attack subverts "trusted publishing" as a control and shows the limit of provenance: an attestation proves which workflow built and published a package, not that what it published is benign.
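
The two checks the analysis above implies, as an added example that is not code from the article, Better Stack, TanStack or npm: a Python script that verifies the origin fields of a SLSA provenance statement and, separately, inspects the package tarball. The package name, repository, workflow path, statement and tarball are all constructed here; the statement follows the SLSA v1 provenance layout npm uses but is assembled locally, and Sigstore signature verification is left out. In the hijacked-workflow scenario it models, the origin check passes and only the content check flags the release.

```python
# Added example, not code from the article or from any project it names: two
# independent checks on an npm release, run against a constructed sample.
#   provenance_ok()    origin check on the SLSA provenance statement that npm
#                      attaches to a package published with --provenance
#   content_findings() content check on the tarball: install-time lifecycle hooks
#                      and scripts touching runner memory or OIDC token requests
import hashlib
import io
import json
import re
import tarfile

# Hypothetical package identity and publish workflow (constructed, not real).
EXPECTED_BUILDER = "https://github.com/actions/runner/github-hosted"
EXPECTED_REPO = "https://github.com/example-org/example-pkg"
EXPECTED_WORKFLOW = ".github/workflows/publish.yml"

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Strings an install script has no business containing: another process's
# memory map, or the runner variables used to request an OIDC token.
SUSPICIOUS = {
    "runner process memory": r"/proc/\S*/(mem|maps)",
    "OIDC token request": r"ACTIONS_ID_TOKEN_REQUEST_(URL|TOKEN)",
}


def build_tarball(files):
    """Gzipped npm-style tarball (all paths under package/) built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo("package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_statement(tarball, repo, builder):
    """Constructed in-toto statement in the SLSA v1 provenance layout."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/%40example-org/example-pkg@1.2.3",
                     "digest": {"sha512": hashlib.sha512(tarball).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {"externalParameters": {"workflow": {
                "ref": "refs/tags/v1.2.3", "repository": repo, "path": EXPECTED_WORKFLOW}}},
            "runDetails": {"builder": {"id": builder}},
        },
    }


def provenance_ok(statement, tarball):
    """Origin checks only: subject digest, builder identity, source workflow.
    Verifying the Sigstore signature over the statement is left out here."""
    problems = []
    pred = statement["predicate"]
    if statement["subject"][0]["digest"].get("sha512") != hashlib.sha512(tarball).hexdigest():
        problems.append("subject digest does not match tarball")
    builder = pred["runDetails"]["builder"]["id"]
    if builder != EXPECTED_BUILDER:
        problems.append(f"unexpected builder {builder}")
    wf = pred["buildDefinition"]["externalParameters"]["workflow"]
    if (wf.get("repository"), wf.get("path")) != (EXPECTED_REPO, EXPECTED_WORKFLOW):
        problems.append(f"unexpected source {wf.get('repository')} {wf.get('path')}")
    return not problems, problems


def content_findings(tarball):
    """Content checks: lifecycle hooks in package.json, plus what each file references."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        files = {m.name: tar.extractfile(m).read().decode(errors="replace")
                 for m in tar.getmembers() if m.isfile()}
    findings = []
    manifest = json.loads(files.get("package/package.json", "{}"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"{hook} hook runs: {cmd}")
    for name, text in files.items():
        for label, pattern in SUSPICIOUS.items():
            if re.search(pattern, text):
                findings.append(f"{name} references {label}")
    return findings


# Constructed sample release: a routine-looking manifest whose postinstall hook
# runs a script modelled on the behaviour the analysis describes.
SAMPLE_FILES = {
    "package.json": json.dumps({"name": "@example-org/example-pkg", "version": "1.2.3",
                                "scripts": {"postinstall": "node setup.js"}}),
    "index.js": "module.exports = () => 'hello';\n",
    "setup.js": ("const fs = require('fs');\n"
                 "const maps = fs.readFileSync(`/proc/${process.ppid}/maps`, 'utf8');\n"
                 "const url = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;\n"),
}
SAMPLE_TARBALL = build_tarball(SAMPLE_FILES)
SAMPLE_STATEMENT = make_statement(SAMPLE_TARBALL, EXPECTED_REPO, EXPECTED_BUILDER)


def audit(statement, tarball):
    """Both checks together; a hijacked-workflow release is only caught by the second."""
    ok, problems = provenance_ok(statement, tarball)
    return {"provenance_ok": ok, "provenance_problems": problems,
            "content_findings": content_findings(tarball)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_STATEMENT, SAMPLE_TARBALL), indent=2))
```

Run as a script it prints the audit of the constructed release: `provenance_ok` is true because the digest, builder and repository all match, while `content_findings` lists the postinstall hook and the script's references to `/proc/.../maps` and the OIDC token-request variable. Real-world verification would also check the Sigstore signature over the statement (which `npm audit signatures` does), but that check reaches the same verdict on origin and likewise says nothing about contents.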
// TAGS
security, npm, supply-chain, ci-cd, github-actions, oidc, mini-shai-hulud, tanstack

DISCOVERED

2026-05-14

PUBLISHED

2026-05-14

RELEVANCE

10/10

AUTHOR

Better Stack