GitHub Worm Hits npm Packages With 16M Downloads

by Catatonic Times
May 20, 2026
in Bitcoin
Reading Time: 4 mins read

Key Takeaways

  • Mini Shai-Hulud exploited GitHub Actions on May 19, compromising 300+ npm packages with 16M combined weekly downloads.
  • The malware installs a dead-man's switch that wipes the developer's machine if the stolen npm token is revoked.
  • GitHub responded on May 20 with staged publishing, bulk OIDC onboarding, and a plan to deprecate legacy npm tokens.

Mini Shai-Hulud Exploits GitHub Actions to Hit 16 Million Weekly Downloads

The Mini Shai-Hulud campaign, attributed to the threat group TeamPCP, doesn't work the way most supply chain attacks do. Rather than stealing a developer's credentials and publishing directly, the attacker forks a target repository on GitHub and opens a pull request that triggers a `pull_request_target` workflow.

This poisons the GitHub Actions cache with a malicious pnpm store, and from that point the infected packages carry valid signed certificates and pass SLSA provenance checks, making them appear completely clean to standard security tooling.
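The article says only that a pull request triggered a `pull_request_target` workflow and that the Actions cache was poisoned. The audit below is an added example, not code from the article or from any of the projects it names, and it assumes the usual shape of this class of bug: a `pull_request_target` trigger (which runs with the base repository's secrets and a write-capable token) combined with a checkout of the PR head, followed by a package install and/or a dependency cache step. It scans workflow text line by line with plain Node.js, no YAML library, so it is a heuristic to be reviewed by hand rather than a parser; the sample workflows are constructed.

```javascript
// Added example, not code from the article or from any of the projects it names.
// A line-oriented audit of GitHub Actions workflow files for the combination
// that lets a fork's pull request run attacker-controlled code with the base
// repository's privileges. Assumptions (the article only says a PR triggered a
// `pull_request_target` workflow): the dangerous shape is
//   1. a `pull_request_target` trigger (runs with base-repo secrets and token),
//   2. a checkout step that explicitly checks out the PR head
//      (`github.event.pull_request.head.sha` / `.head.ref`), and
//   3. a package install after that checkout (lifecycle scripts from the fork),
//      and/or a dependency cache step, whose entries are written in the base
//      branch's cache scope and restored by later default-branch runs.
// No YAML library is used, so this runs with plain Node.js; it is a heuristic,
// not a parser, so review hits by hand.

const PR_TARGET_PATTERN = /^\s*(-\s*)?pull_request_target\s*:?\s*$|\bon:.*\bpull_request_target\b/;
const HEAD_REF_PATTERN = /github\.event\.pull_request\.head\.(sha|ref)/;
const INSTALL_PATTERN = /\b(npm|pnpm|yarn)\s+(ci|install|i)\b/;
const CACHE_PATTERN = /uses:\s*actions\/cache@|cache:\s*['"]?(npm|pnpm|yarn)\b/;

function auditWorkflow(fileName, yamlText) {
  const lines = yamlText.split('\n');
  const findings = [];
  const note = (rule, index) =>
    findings.push({ file: fileName, rule, line: index + 1, text: lines[index].trim() });

  // Plain `pull_request` runs from forks get no secrets and a read-only token,
  // so only `pull_request_target` workflows are in scope.
  if (!lines.some((l) => PR_TARGET_PATTERN.test(l))) return findings;

  const headIdx = lines.findIndex((l) => HEAD_REF_PATTERN.test(l));
  if (headIdx >= 0) {
    note('PR_TARGET_CHECKS_OUT_HEAD', headIdx);
    // Any install after the head checkout executes the fork's lockfile and
    // lifecycle scripts with the base repository's secrets in the environment.
    lines.forEach((l, i) => {
      if (i > headIdx && INSTALL_PATTERN.test(l)) note('INSTALL_RUNS_FORK_CODE', i);
    });
  }
  // Cache entries produced by this run are keyed to the base branch, so a
  // poisoned store can be restored by later runs that never saw the PR.
  lines.forEach((l, i) => {
    if (CACHE_PATTERN.test(l)) note('CACHE_WRITTEN_FROM_PR_TARGET', i);
  });
  return findings;
}

// Constructed sample workflows (not taken from any real repository).
const RISKY_WORKFLOW = `
name: build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - run: pnpm test
`;

// Same pipeline on the plain `pull_request` event: the fork's code still runs,
// but without secrets and with a read-only token, so nothing is flagged.
const SAFE_WORKFLOW = RISKY_WORKFLOW.replace('pull_request_target:', 'pull_request:');

for (const [name, text] of [['risky.yml', RISKY_WORKFLOW], ['safe.yml', SAFE_WORKFLOW]]) {
  console.log(name, auditWorkflow(name, text));
}
```

On a real repository, read each file under `.github/workflows/` with `fs.readFileSync` and pass it to `auditWorkflow`. A hit on `PR_TARGET_CHECKS_OUT_HEAD` is the one to fix first: either drop the head checkout (so `pull_request_target` only sees the base branch) or move the untrusted build into a `pull_request` job and keep the privileged step in a separate workflow that never installs the fork's dependencies.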

Image source: X

On May 19, the latest wave struck the AntV data visualization ecosystem: attackers gained access to a compromised maintainer account in the @atool namespace and published more than 300 malicious package versions across 323 packages in a 22-minute automated burst.

Among the affected packages is echarts-for-react, a React wrapper for Apache ECharts with roughly 1.1 million weekly downloads. The collective weekly download count across all affected packages in this wave is estimated at around 16 million.

The most alarming technical detail is what happens if a developer tries to intervene. The malware installs a dead-man's switch, i.e., a shell script that polls GitHub's API every 60 seconds to check whether the npm token it created has been revoked. That token carries the description "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner," and if a developer revokes it, the script immediately wipes the infected machine's home directory.

The malware also steals credentials from GitHub, AWS, Azure, GCP, Kubernetes, HashiCorp Vault, and over 90 developer tool configurations before spreading laterally across connected cloud infrastructure.

One Attack, Multiple Casualties

The campaign simultaneously hit the Python Package Index (PyPI): three malicious versions of Microsoft's official durabletask Python SDK were published on May 19, silently downloading and executing a 28 KB credential-stealing payload capable of moving across AWS, Azure, and GCP environments after initial execution.

GitHub responded on May 20 with an announcement outlining three core changes to npm publishing: bulk OIDC onboarding to help organizations migrate hundreds of packages to trusted publishing at scale, expanded OIDC provider support beyond GitHub Actions and GitLab, and a new staged publishing model that gives maintainers a review window before packages go live, requiring multi-factor authentication (MFA) approval.

Image: GitHub Worm Hits npm Packages With 16M Downloads (source: X)

The company also plans to deprecate legacy classic tokens, migrate users to FIDO-based 2FA, and disallow token-based publishing by default. In the previous wave of the campaign in September 2025, GitHub removed over 500 compromised packages from the npm registry.

Blockchain security firm SlowMist had raised an early warning on May 14 after flagging three malicious versions of node-ipc, a package with 822,000 weekly downloads, as part of the same campaign.

Developers using any of the flagged packages have been advised to audit dependency trees immediately, rotate all credentials without revoking the malicious token first, and check the indicators of compromise published by Snyk, Wiz, Socket.dev, and StepSecurity.
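Because the poisoned packages carry valid signatures and pass provenance checks, publish timing is one of the few cheap signals a dependency audit has left. The script below is an added example, not code from the article or from Snyk, Wiz, Socket.dev or StepSecurity: it reads a `package-lock.json` (v2/v3 `packages` map, an assumption) and flags installed versions published after a cutoff of your choosing, and clusters of several packages published within a short window, the shape of the 22-minute burst described above. It assumes the per-version publish dates are the `time` object the npm registry returns for each package (`https://registry.npmjs.org/<name>`), fetched beforehand and passed in as a plain object; every package name, version and timestamp below is constructed, not real registry data.

```javascript
// Added example, not code from the article or from Snyk, Wiz, Socket.dev or
// StepSecurity. Audits a package-lock.json for installed versions published
// (a) on or after a chosen cutoff and (b) in a tight burst of several packages.
// Assumptions: lockfile is package-lock.json v2/v3 (the "packages" map); the
// per-version publish dates are the `time` object the npm registry returns for
// each package (https://registry.npmjs.org/<name>), fetched beforehand and
// passed in as a plain object. All sample data below is constructed.

function installedVersions(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue; // '' is the root project itself
    // Nested paths ("node_modules/a/node_modules/b") name the last segment.
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    out.push({ name, version: entry.version, path });
  }
  return out;
}

// Joins installed versions with their publish timestamps, oldest first;
// versions with no known publish date are dropped rather than guessed.
function datedInstalls(lock, registryTimes) {
  return installedVersions(lock)
    .map((p) => {
      const iso = registryTimes[p.name] && registryTimes[p.name][p.version];
      return iso ? { ...p, publishedAt: Date.parse(iso) } : null;
    })
    .filter(Boolean)
    .sort((a, b) => a.publishedAt - b.publishedAt);
}

// (a) Everything resolved to a version published on or after the cutoff,
// e.g. the day an incident was announced.
function publishedAfter(lock, registryTimes, cutoffIso) {
  const cutoff = Date.parse(cutoffIso);
  return datedInstalls(lock, registryTimes)
    .filter((p) => p.publishedAt >= cutoff)
    .map((p) => `${p.name}@${p.version}`);
}

// (b) Groups of at least `minPackages` distinct packages whose installed
// versions were all published within `windowMinutes` of the first one.
function findBurstPublishes(lock, registryTimes, { windowMinutes = 30, minPackages = 3 } = {}) {
  const dated = datedInstalls(lock, registryTimes);
  const windowMs = windowMinutes * 60 * 1000;
  const clusters = [];
  let i = 0;
  while (i < dated.length) {
    let j = i;
    while (j + 1 < dated.length && dated[j + 1].publishedAt - dated[i].publishedAt <= windowMs) j++;
    const span = dated.slice(i, j + 1);
    if (new Set(span.map((p) => p.name)).size >= minPackages) {
      clusters.push({
        from: new Date(dated[i].publishedAt).toISOString(),
        to: new Date(dated[j].publishedAt).toISOString(),
        packages: span.map((p) => `${p.name}@${p.version}`),
      });
      i = j + 1;
    } else {
      i++;
    }
  }
  return clusters;
}

// Constructed sample lockfile and registry times (names, versions and dates invented).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@example/viz-core': { version: '4.2.1' },
    'node_modules/@example/viz-react': { version: '2.0.3' },
    'node_modules/@example/viz-utils': { version: '1.9.0' },
    'node_modules/example-util': { version: '1.3.0' },
    'node_modules/@example/viz-react/node_modules/@example/viz-utils': { version: '1.8.0' },
  },
};
const SAMPLE_TIMES = {
  '@example/viz-core': { '4.2.1': '2026-05-19T10:01:00Z' },
  '@example/viz-react': { '2.0.3': '2026-05-19T10:09:00Z' },
  '@example/viz-utils': { '1.8.0': '2025-11-02T08:00:00Z', '1.9.0': '2026-05-19T10:21:00Z' },
  'example-util': { '1.3.0': '2018-04-26T00:00:00Z' },
};

console.log('published after cutoff:', publishedAfter(SAMPLE_LOCK, SAMPLE_TIMES, '2026-05-19T00:00:00Z'));
console.log('burst clusters:', findBurstPublishes(SAMPLE_LOCK, SAMPLE_TIMES));
```

A burst hit is a prompt to compare those versions against the published indicators of compromise, not proof of compromise on its own; legitimate monorepo releases also publish many packages at once, so the window and threshold should be tuned to what your dependencies normally do.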
