SlowMist detects high-risk npm worm "Mini Shai-Hulud", capable of stealing CI/CD keys and crypto wallet information
According to ChainCatcher, blockchain security firm SlowMist (@SlowMist_Team) has reported that its threat monitoring system MistEye has detected a highly sophisticated npm worm named “Mini Shai-Hulud” spreading through popular developer projects such as TanStack, UiPath, and DraftLab. Attackers hijack GitHub credentials to publish malicious packages disguised as legitimate updates, embedding a hidden script called router_init.js that runs silently in GitHub Actions and other CI/CD environments. This script is designed to steal CI/CD keys, cloud infrastructure keys, and cryptocurrency wallet information, and exfiltrates data using GitHub’s own infrastructure.
SlowMist has already shared the relevant threat intelligence (IOCs) with its clients. Projects using affected packages are advised to immediately check their CI/CD pipelines for the presence of the router_init.js file, rotate all exposed GitHub, cloud service, and cryptocurrency credentials, and continuously monitor their development environments for suspicious background activity.
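One way to run the file check advised above, as an added example (not SlowMist's tooling and not code from the report): it walks a checkout or CI workspace, finds every router_init.js, and attributes each hit to the package and version that ships it. The sample tree, package names and postinstall entry are constructed; a file-name match is only a triage signal, since an unrelated package could ship a file with the same name.

```python
import json
import os
import tempfile

SUSPECT_NAME = "router_init.js"  # file name given in the SlowMist report

def owning_manifest(hit, root):
    """Return the nearest package.json (as a dict) that has a name, walking up from hit to root."""
    root, d = os.path.abspath(root), os.path.dirname(os.path.abspath(hit))
    while True:
        try:
            with open(os.path.join(d, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            meta = None  # no readable manifest at this level: keep walking up
        if isinstance(meta, dict) and "name" in meta:
            return meta
        parent = os.path.dirname(d)
        if d == root or parent == d:
            return {}  # reached the scan root without finding an owner
        d = parent

def scan(root):
    """List every router_init.js under root with its package; "scripts" names the
    lifecycle hooks mentioning the file (an added triage heuristic, not from the report)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if SUSPECT_NAME in files:
            hit = os.path.join(dirpath, SUSPECT_NAME)
            meta = owning_manifest(hit, root)
            scripts = meta.get("scripts") if isinstance(meta.get("scripts"), dict) else {}
            hooks = sorted(k for k, v in scripts.items() if SUSPECT_NAME in str(v))
            findings.append({"path": os.path.relpath(hit, root), "package": meta.get("name", "?"),
                             "version": meta.get("version", "?"), "scripts": hooks})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Scan a constructed tree: one package carrying the file, one clean package."""
    with tempfile.TemporaryDirectory() as root:
        manifests = {"example-pkg": {"name": "example-pkg", "version": "1.2.3",
                                     "scripts": {"postinstall": "node dist/router_init.js"}},
                     "clean-pkg": {"name": "clean-pkg", "version": "0.1.0"}}
        for pkg, meta in manifests.items():
            os.makedirs(os.path.join(root, "node_modules", pkg, "dist"))
            with open(os.path.join(root, "node_modules", pkg, "package.json"), "w") as fh:
                json.dump(meta, fh)
        open(os.path.join(root, "node_modules", "example-pkg", "dist", SUSPECT_NAME), "w").close()
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Calling scan() on a runner workspace or a local checkout gives the package and version to compare against the affected-package list before rotating credentials.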