@beproduct/nestjs-auth CVE-2026-46412
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of @beproduct/nestjs-auth (0.1.2 through 0.1.19). The packages contained payloads from the Mini Shai-Hulud npm supply-chain worm campaign described by Aikido Security.
npm Security removed the malicious versions from the registry shortly after publication, but anyone who ran npm install @beproduct/nestjs-auth resolving to any version in the affected range during that window executed the malicious postinstall script and is potentially compromised.
Version 0.1.20 is a clean republish from the original 0.1.1 source tree.
Impact
The postinstall payload attempted to harvest:
- npm tokens (from
~/.npmrc) - GitHub personal access tokens, OAuth tokens (
gho_*), and Actions OIDC tokens - AWS credentials (from environment variables and
~/.aws/credentials) - HashiCorp Vault tokens
- Other secrets present in environment variables
Exfiltration target: https://filev2.getsession.org. The worm also wrote persistence artefacts (tanstack_runner.js, router_init.js, setup.mjs, plus IDE-hook configurations in .claude/ and .vscode/) into the developer's working tree where the malicious install ran.
Indicators of compromise
| Type | Value |
|---|---|
| File name (payload) | tanstack_runner.js, router_init.js, router_runtime.js |
| SHA-256 (tanstack_runner.js) | 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 |
| SHA-256 (router_init.js) | ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c |
| Exfil endpoint | filev2.getsession.org |
| Cloud metadata probe | 169.254.169.254/latest/meta-data/iam/security-credentials/ |
| npm token endpoint | registry.npmjs.org/-/npm/v1/tokens |
| Vault probe | vault.svc.cluster.local:8200 |
| IDE hook pattern | .claude/settings.json SessionStart hook + .vscode/tasks.json runOn: "folderOpen" running node .claude/setup.mjs or node .vscode/setup.mjs |
Mitigation
If you installed any version in the range >=0.1.2 <=0.1.19:
- Remove the package and clean the npm cache:
npm uninstall @beproduct/nestjs-auth
npm cache clean --force- Install the clean version:
npm install @beproduct/nestjs-auth@0.1.20- Rotate every credential present in the install environment, including:
- All npm publish tokens (
https://www.npmjs.com/settings/<you>/tokens) - All GitHub PATs and OAuth tokens (
https://github.com/settings/applications+https://github.com/settings/tokens) - AWS access keys
- HashiCorp Vault tokens
- Any other secret that was in env vars or config files at install time
- Scan affected hosts for the indicators of compromise above. If any are found, treat the host as compromised and reimage.
- Check committed repository history for unexpected additions in
.claude/or.vscode/directories - the worm is known to commitsetup.mjs+ hook configs to PR branches via automated agent runtimes.
Timeline (UTC)
| Time | Event |
|---|---|
| 2026-05-11 20:19:43 | First malicious version (0.1.2) published |
| 2026-05-11 22:56:39 | Final malicious version (0.1.19) published - 18 versions in 2h37m |
| 2026-05-12 ~14:12 | npm Security removes the malicious versions from the registry |
| 2026-05-13 | BeProduct discovers the incident via Aikido's public disclosure |
| 2026-05-14 | Compromised npm publish token revoked; BeProduct GitHub OAuth credentials rotated |
| 2026-05-14 | Clean release 0.1.20 published; this advisory filed |
Root cause
The compromised npm publish token was harvested by a Mini-Shai-Hulud-infected transitive dependency in an automated GitHub coding-agent runtime that had read access to the NPM_TOKEN GitHub Actions secret for an unrelated repository under the same npm publisher account. The publish itself was performed by the attacker against the public npm registry; the source repository for this package was not modified by the attacker.
References
- https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised
- https://www.aikido.dev/blog/checklist-github-actions
AnalysisAI
Supply-chain compromise of the npm package @beproduct/nestjs-auth (versions 0.1.2 through 0.1.19) delivered the Mini Shai-Hulud worm payload via a malicious postinstall script, harvesting npm, GitHub, AWS, and HashiCorp Vault credentials from any developer or CI host that ran npm install during a 2h37m publication window on 2026-05-11. Confirmed actively exploited during that window via an attacker-controlled npm publish token; clean version 0.1.20 republishes the original 0.1.1 source tree. CVSS 10.0 reflects the unauthenticated, network-driven supply-chain delivery and scope change into the install environment.
Technical ContextAI
The vulnerability is a malicious code insertion (CWE-506, Embedded Malicious Code) into a Node.js library distributed via the public npm registry under pkg:npm/@beproduct_nestjs-auth. The attack abuses npm's lifecycle hooks - specifically the postinstall script - which executes arbitrary Node.js code on the install host before the developer has loaded any of the package's API. The payload is part of the Mini Shai-Hulud worm family documented by Aikido Security, which probes the AWS instance metadata endpoint (169.254.169.254), the npm tokens API (registry.npmjs.org/-/npm/v1/tokens), and Vault cluster endpoints (vault.svc.cluster.local:8200), then exfiltrates to filev2.getsession.org. It also writes persistence artefacts (tanstack_runner.js, router_init.js, setup.mjs) and hooks into developer IDE configurations via .claude/settings.json SessionStart hooks and .vscode/tasks.json folderOpen tasks to re-execute on subsequent IDE sessions.
RemediationAI
Vendor-released patch: @beproduct/nestjs-auth 0.1.20 - uninstall any version in the affected range (npm uninstall @beproduct/nestjs-auth), purge the npm cache (npm cache clean --force), then install 0.1.20 explicitly. Treat any host that installed a malicious version as compromised: rotate every credential that was reachable from the install environment, including npm publish tokens at https://www.npmjs.com/settings/<you>/tokens, GitHub PATs and OAuth tokens at https://github.com/settings/tokens and https://github.com/settings/applications, AWS access keys (and revoke any IAM role credentials the EC2 metadata endpoint could have leaked), and HashiCorp Vault tokens. Scan filesystems and committed repository history for the IoC files tanstack_runner.js, router_init.js, router_runtime.js, setup.mjs, and unexpected additions under .claude/ or .vscode/ - the worm is known to commit these into PR branches via automated agent runtimes. If any IoCs are found, reimage rather than clean in place because IDE-hook persistence can re-execute on the next folder open. Compensating controls for environments that cannot immediately patch: pin lockfiles to 0.1.1 or 0.1.20, set npm install --ignore-scripts in CI to suppress postinstall execution (side effect: legitimate native-module builds may fail and need manual rebuild), and segregate publish tokens so a single compromised runtime cannot publish across the whole publisher namespace. See https://github.com/advisories/GHSA-6xwp-cp5h-q856 and https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-506 – Embedded Malicious Code
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6xwp-cp5h-q856