Invest In Crypto News
  • Home
  • Latest News
    • Bitcoin News
    • Altcoin News
    • Ethereum News
    • Blockchain News
    • Doge News
    • NFT News
    • Video
    • Market Analysis
    • Business
    • Finance
    • Politics
    • Mining
    • Regulation
    • Technology
  • Top 10 Cryptos
  • Market Cap List
  • IC DAO
  • Donations
  • Contact
  • Buy Crypto
  • IC DAO
No Result
View All Result
Invest In Crypto News
  • Home
  • Latest News
    • Bitcoin News
    • Altcoin News
    • Ethereum News
    • Blockchain News
    • Doge News
    • NFT News
    • Video
    • Market Analysis
    • Business
    • Finance
    • Politics
    • Mining
    • Regulation
    • Technology
  • Top 10 Cryptos
  • Market Cap List
  • IC DAO
  • Donations
  • Contact
  • Buy Crypto
  • IC DAO
No Result
View All Result
Invest In Crypto News
No Result
View All Result

GitHub Worm Hits npm Packages With 16M Downloads

CryptoExpert by CryptoExpert
May 20, 2026
in Bitcoin News
0
GitHub Worm Hits npm Packages With 16M Downloads
  • Facebook
  • Twitter
  • Pinterest


Key Takeaways

Mini Shai-Hulud exploited GitHub Actions on May 19, compromising 300+ npm packages across 16M weekly downloads.The malware installs a dead-man’s switch that wipes the developer’s machine if the stolen npm token is revoked.GitHub responded May 20 with staged publishing, bulk OIDC onboarding, and a plan to deprecate legacy npm tokens.

Mini Shai-Hulud Exploits GitHub Actions to Hit 16 Million Weekly Downloads

The Mini Shai-Hulud campaign, attributed to the threat group Team PCP, does not work the way most supply chain attacks do because, rather than stealing a developer’s credentials and publishing directly, the attacker forks a target repository on GitHub, opens a pull request that triggers a `pull_request_target` workflow.

This poisons the GitHub Actions cache with a malicious pnpm store, and from that point, the infected packages carry valid signed certificates and pass SLSA provenance checks, making them appear completely clean to standard security tooling.

okex
Image source: X

On May 19, the latest wave struck the AntV data visualization ecosystem as attackers gained access to a compromised maintainer account in the @atool namespace and published more than 300 malicious package versions across 323 packages in a 22-minute automated burst.

Among the affected packages is echarts-for-react, a React wrapper for Apache Echarts with roughly 1.1 million weekly downloads. The collective weekly download count across all affected packages in this wave is estimated at around 16 million.

The most alarming technical detail is what happens if a developer tries to intervene. The malware installs a dead-man’s switch, i.e., a shell script that polls GitHub’s API every 60 seconds to check whether the npm token it created has been revoked. That token carries the description “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner,” which, if revoked by a developer, immediately wipes the infected machine’s home directory.

The token also steals credentials from GitHub, AWS, Azure, GCP, Kubernetes, Hashi Corp Vault, and over 90 developer tool configurations before spreading laterally across connected cloud infrastructure.

One Attack, Multiple Casualties

The campaign simultaneously hit the Python Package Index (PyPI) as three malicious versions of Microsoft’s official durabletask Python SDK were published on May 19, silently downloading and executing a 28 KB credential-stealing payload (capable of moving across AWS, Azure, and GCP environments after initial execution).

GitHub responded on May 20 with an announcement outlining three core changes to npm publishing, namely bulk OIDC onboarding to help organizations migrate hundreds of packages to trusted publishing at scale, expanded OIDC provider support beyond GitHub Actions and Gitlab, and a new staged publishing model that gives maintainers a review window before packages go live, requiring multi-factor authentication (MFA) approval.

GitHub Worm Hits npm Packages With 16M Downloads
Image source: X

The company also plans to deprecate legacy classic tokens, migrate users to FIDO-based 2FA, and disallow token-based publishing by default. In the earlier wave of the campaign in September 2025, GitHub removed over 500 compromised packages from the npm registry

Blockchain security firm Slowmist had raised an early warning on May 14 after flagging three malicious versions of node-ipc, a package with 822,000 weekly downloads, as part of the same campaign.

Developers using any of the flagged packages have been advised to audit dependency trees immediately, rotate all credentials without revoking the malicious token first, and check indicators of compromise published by Snyk, Wiz, Socket.dev, and Step Security.



Source link

You might also like

This Trader Sold His CASHCAT for $711 Instead of Retiring: Here’s the Math

Bitcoin Reclaims 63k but Traders Fear Correction Before Deribit Expiry

British Airline Jet2 Shares Jump 9% After $536M Fuel Hedge Gain Offsets Middle East Travel Fears

  • Facebook
  • Twitter
  • Pinterest
Tags: Bitcoin
CryptoExpert

CryptoExpert

Recommended For You

This Trader Sold His CASHCAT for $711 Instead of Retiring: Here’s the Math

by CryptoExpert
July 10, 2026
0
This Trader Sold His CASHCAT for $711 Instead of Retiring: Here's the Math

Key TakeawaysLookonchain says a trader sold 20M CASHCAT for $711, missing $2.7 million after the token’s July surge.CASHCAT hit an all-time high of $0.147 on July 8 as...

Read more

Bitcoin Reclaims 63k but Traders Fear Correction Before Deribit Expiry

by CryptoExpert
July 10, 2026
0
Bitcoin Reclaims 63k but Traders Fear Correction Before Deribit Expiry

Bitcoin (BTC) reclaimed the $63,000 mark on Thursday, but traders fear a correction ahead of Friday’s $1.4 billion options expiry on Deribit. The concerns stem from the US...

Read more

British Airline Jet2 Shares Jump 9% After $536M Fuel Hedge Gain Offsets Middle East Travel Fears

by CryptoExpert
July 9, 2026
0
British Airline Jet2 Shares Jump 9% After $536M Fuel Hedge Gain Offsets Middle East Travel Fears

Key TakeawaysJet2 recorded a $536 million balance sheet windfall on July 8 after locking in low-cost fuel derivatives.The Middle East conflict triggered a 67% decline in annual cash...

Read more

Bitcoin ETF ‘Storm Has Passed’ as $2.7B Outflow Streak Ends: Swissblock

by CryptoExpert
July 9, 2026
0
Cointelegraph

Bitcoin (BTC) institutional demand is “not yet strong” despite positive inflows to the US spot Bitcoin exchange-traded funds (ETFs).Key points:Bitcoin ETF flows reverse a ten-day losing streak, but...

Read more

Flexa Expands Crypto Payments Across 37 European Markets

by CryptoExpert
July 9, 2026
0
Flexa Expands Crypto Payments Across 37 European Markets

Key TakeawaysFlexa expanded across 37 SEPA countries and territories, enabling digital asset acceptance with euro settlement.Merchants can accept digital asset payments without managing custody, volatility, chargebacks, or new...

Read more
Next Post
Cointelegraph

World Liberty-Linked AI Financial Flags Going Concern

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Browse by Category

  • Altcoin News
  • Bitcoin News
  • Blockchain News
  • Business
  • Doge News
  • Ethereum News
  • Finance
  • Market Analysis
  • Mining
  • NFT News
  • Politics
  • Regulation
  • Technology
  • Trending Cryptos
  • Video

Sitemap

  • Market Cap
  • Donations
  • Trading
  • Mining
  • Contact

Legal Information

  • Privacy Policy
  • Anti-Spam Policy
  • Copyright Notice
  • DMCA Compliance
  • Social Media Disclaimer
  • Terms Of Service

Categories

  • Altcoin News
  • Bitcoin News
  • Blockchain News
  • Business
  • Doge News
  • Ethereum News
  • Finance
  • Market Analysis
  • Mining
  • NFT News
  • Politics
  • Regulation
  • Technology
  • Trending Cryptos
  • Video

© Copyright 2024 InvestInCryptoNews.com

No Result
View All Result
  • Home
  • Latest News
    • Bitcoin News
    • Altcoin News
    • Ethereum News
    • Blockchain News
    • Doge News
    • NFT News
    • Video
    • Market Analysis
    • Business
    • Finance
    • Politics
    • Mining
    • Regulation
    • Technology
  • Top 10 Cryptos
  • Market Cap List
  • IC DAO
  • Donations
  • Contact
  • Buy Crypto
  • IC DAO

© Copyright 2024 InvestInCryptoNews.com

This website is using cookies to improve the user-friendliness. You agree by using the website further.

Privacy policy
bitcoin
Bitcoin (BTC) $ 64,376.00
ethereum
Ethereum (ETH) $ 1,796.78
tether
Tether (USDT) $ 0.999213
bnb
BNB (BNB) $ 576.01
usd-coin
USDC (USDC) $ 0.999793
xrp
XRP (XRP) $ 1.12
solana
Solana (SOL) $ 79.43
tron
TRON (TRX) $ 0.330002
figure-heloc
Figure Heloc (FIGR_HELOC) $ 1.00
staked-ether
Lido Staked Ether (STETH) $ 2,265.05

Pin It on Pinterest

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?