High-Risk npm Worm 'Mini Shai-Hulud' Detected Stealing CI/CD Keys

Severity: High (Score: 72.0)

Sources: Bitget, Panewslab, Techflowpost, Kucoin

Summary

On May 12, 2026, SlowMist reported the detection of a sophisticated npm worm named 'Mini Shai-Hulud' infiltrating popular developer projects like TanStack, UiPath, and DraftLab. The worm hijacks GitHub credentials to publish malicious packages that appear as legitimate updates. It embeds a stealthy script, router_init.js, which operates silently in CI/CD environments, specifically targeting CI/CD keys, cloud infrastructure credentials, and cryptocurrency wallet information. The stolen data is exfiltrated using GitHub's infrastructure. SlowMist has shared threat intelligence with its clients and recommends immediate inspection of CI/CD pipelines for the router_init.js file, credential rotation, and continuous monitoring for suspicious activities. Affected projects are urged to take these actions promptly to mitigate risks.

Key Points

  • The npm worm 'Mini Shai-Hulud' targets popular projects like TanStack and UiPath.
  • It uses hijacked GitHub credentials to publish malicious packages with a hidden script.
  • SlowMist advises immediate inspection of CI/CD environments and credential rotation.

Key Entities

  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Worm (attack_type)
  • DraftLab (company)
  • TanStack (company)
  • UiPath (company)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • Mini Shai-Hulud (malware)
  • T1059.007 - JavaScript (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • T1567.002 - Exfiltration to Cloud Storage (mitre_attack)
  • T1567 - Exfiltration Over Web Service (mitre_attack)
  • GitHub (platform)
  • GitHub Actions (tool)
  • npm (tool)
  • router_init.js (tool)