Close Menu
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
What's Hot

Bitdeer’s New 1 PH/s Mining Rig Cuts Hardware Needs by 99.9% Since 2015

July 7, 2026

Trader loses $2M in ‘same-block backrun extraction’ exploit

July 7, 2026

Crypto exchange Kraken is trying to become a bank in Europe

July 7, 2026
Facebook X (Twitter) Instagram
Recession Profit AlertsRecession Profit Alerts
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
Recession Profit AlertsRecession Profit Alerts
Home»Markets»GitHub Worm Hits npm Packages With 16M Downloads
Markets

GitHub Worm Hits npm Packages With 16M Downloads

May 20, 2026No Comments3 Mins Read

Key Takeaways

  • Mini Shai-Hulud exploited GitHub Actions on May 19, compromising 300+ npm packages across 16M weekly downloads.
  • The malware installs a dead-man’s switch that wipes the developer’s machine if the stolen npm token is revoked.
  • GitHub responded May 20 with staged publishing, bulk OIDC onboarding, and a plan to deprecate legacy npm tokens.

Mini Shai-Hulud Exploits GitHub Actions to Hit 16 Million Weekly Downloads

The Mini Shai-Hulud campaign, attributed to the threat group Team PCP, does not work the way most supply chain attacks do because, rather than stealing a developer’s credentials and publishing directly, the attacker forks a target repository on GitHub, opens a pull request that triggers a `pull_request_target` workflow.

This poisons the GitHub Actions cache with a malicious pnpm store, and from that point, the infected packages carry valid signed certificates and pass SLSA provenance checks, making them appear completely clean to standard security tooling.

Image source: X

On May 19, the latest wave struck the AntV data visualization ecosystem as attackers gained access to a compromised maintainer account in the @atool namespace and published more than 300 malicious package versions across 323 packages in a 22-minute automated burst.

Among the affected packages is echarts-for-react, a React wrapper for Apache Echarts with roughly 1.1 million weekly downloads. The collective weekly download count across all affected packages in this wave is estimated at around 16 million.

The most alarming technical detail is what happens if a developer tries to intervene. The malware installs a dead-man’s switch, i.e., a shell script that polls GitHub’s API every 60 seconds to check whether the npm token it created has been revoked. That token carries the description “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner,” which, if revoked by a developer, immediately wipes the infected machine’s home directory.

See also  Why Bitcoin’s Latest Sell-Off Echoes The 2022 Crypto Winter

The token also steals credentials from GitHub, AWS, Azure, GCP, Kubernetes, Hashi Corp Vault, and over 90 developer tool configurations before spreading laterally across connected cloud infrastructure.

One Attack, Multiple Casualties

The campaign simultaneously hit the Python Package Index (PyPI) as three malicious versions of Microsoft’s official durabletask Python SDK were published on May 19, silently downloading and executing a 28 KB credential-stealing payload (capable of moving across AWS, Azure, and GCP environments after initial execution).

GitHub responded on May 20 with an announcement outlining three core changes to npm publishing, namely bulk OIDC onboarding to help organizations migrate hundreds of packages to trusted publishing at scale, expanded OIDC provider support beyond GitHub Actions and Gitlab, and a new staged publishing model that gives maintainers a review window before packages go live, requiring multi-factor authentication (MFA) approval.

GitHub Worm Hits npm Packages With 16M Downloads
Image source: X

The company also plans to deprecate legacy classic tokens, migrate users to FIDO-based 2FA, and disallow token-based publishing by default. In the earlier wave of the campaign in September 2025, GitHub removed over 500 compromised packages from the npm registry

Blockchain security firm Slowmist had raised an early warning on May 14 after flagging three malicious versions of node-ipc, a package with 822,000 weekly downloads, as part of the same campaign.

Developers using any of the flagged packages have been advised to audit dependency trees immediately, rotate all credentials without revoking the malicious token first, and check indicators of compromise published by Snyk, Wiz, Socket.dev, and Step Security.

Source link

16M Downloads GitHub hits npm Packages Worm

Related Posts

Crypto exchange Kraken is trying to become a bank in Europe

July 7, 2026

Analysts see more upside for SpaceX as post-IPO research begins

July 7, 2026

Hyperliquid Stays Near All-Time High, Even as Bitcoin ETFs Lose $6.5 Billion

July 7, 2026

Coinbase secures UK authorization to offer traditional investments alongside crypto

July 7, 2026
Top Posts

U.S. October Jobs Up 150K, Missing Forecasts for 180K; Bitcoin Remains Lower at $34.3K

November 5, 2023

Banking rails are moving past the 'stablecoin winner' narrative: Sygnum

June 12, 2026

Startup Starcloud Plans First Bitcoin Mining Satellite in Low-Earth Orbit

March 8, 2026

Type above and press Enter to search. Press Esc to cancel.