A sophisticated npm worm named 'Mini Shai-Hulud' is spreading through well-known developer projects such as TanStack, UiPath, and DraftLab, according to ChainCatcher. The threat monitoring system MistEye, operated by blockchain security firm SlowMist, detected the worm. Attackers are hijacking GitHub credentials to release malicious software packages disguised as legitimate updates. These packages contain a hidden script, router_init.js, which runs silently in CI/CD environments like GitHub Actions. The worm is designed to steal CI/CD keys, cloud infrastructure keys, and cryptocurrency wallet information, using GitHub's infrastructure for data exfiltration.
SlowMist has shared the threat intelligence with its clients, advising projects that use the affected packages to check their CI/CD pipelines for the presence of the router_init.js file. They recommend rotating all exposed GitHub, cloud service, and cryptocurrency credentials and continuously monitoring for unusual background activity in the development environment.
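One way to turn the "check your pipelines for router_init.js" advice into a repeatable triage scan, added here as an example (not SlowMist's tooling and not code from the report): it walks a checkout for a file with that name, for package.json lifecycle hooks that invoke it, and for GitHub Actions workflow files that reference it, run against a constructed sample tree. Only the file name comes from the report; the hook names, the manifest and workflow checks, and the sample package names are assumptions.

```python
import json
import tempfile
from pathlib import Path

SUSPECT_NAME = "router_init.js"  # loader file name given in the SlowMist report
# Assumption: an install-time loader would be wired into one of these npm lifecycle hooks
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def scan_tree(root):
    """Walk a checkout; return sorted (kind, relative_path, detail) findings."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == SUSPECT_NAME:
            findings.append(("file", rel, "suspect file present"))
        elif path.name == "package.json":
            try:
                scripts = json.loads(path.read_text()).get("scripts") or {}
            except (OSError, ValueError, AttributeError):
                continue  # unreadable or malformed manifest: skip it, do not abort the scan
            for hook in LIFECYCLE_HOOKS:
                cmd = str(scripts.get(hook, "")) if isinstance(scripts, dict) else ""
                if SUSPECT_NAME in cmd:
                    findings.append(("hook", rel, f"{hook}: {cmd}"))
        elif path.suffix in (".yml", ".yaml") and ".github" in path.parts:
            if SUSPECT_NAME in path.read_text(errors="ignore"):
                findings.append(("workflow", rel, "workflow references suspect file"))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample checkout: one tampered dependency, one clean one, one workflow."""
    base = Path(base)
    bad = base / "node_modules" / "example-tampered-pkg"  # constructed name, not a real package
    bad.mkdir(parents=True)
    (bad / SUSPECT_NAME).write_text("// constructed placeholder, not the real payload\n")
    (bad / "package.json").write_text(json.dumps(
        {"name": "example-tampered-pkg", "scripts": {"postinstall": "node router_init.js"}}))
    clean = base / "node_modules" / "example-clean-pkg"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"name": "example-clean-pkg", "scripts": {"test": "jest"}}))
    workflows = base / ".github" / "workflows"
    workflows.mkdir(parents=True)
    workflows.joinpath("ci.yml").write_text("steps:\n  - run: node node_modules/example-tampered-pkg/router_init.js\n")

def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

Calling `demo()` returns three findings (the file, the postinstall hook, the workflow reference) and nothing for the clean package; `scan_tree(".")` runs the same checks on a real checkout.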