--- title: "Complex NPM Worm Targets Developer Projects" type: "News" locale: "en" url: "https://longbridge.com/en/news/286055865.md" description: "A sophisticated npm worm named 'Mini Shai-Hulud' is spreading through developer projects like TanStack and UiPath. Detected by SlowMist's MistEye, the worm hijacks GitHub credentials to release malicious packages containing a hidden script, router_init.js, which operates in CI/CD environments. It aims to steal CI/CD keys, cloud infrastructure keys, and cryptocurrency wallet information. SlowMist advises affected projects to check for the script, rotate exposed credentials, and monitor for unusual activities in their development environments." datetime: "2026-05-12T07:43:43.000Z" locales: - [zh-CN](https://longbridge.com/zh-CN/news/286055865.md) - [en](https://longbridge.com/en/news/286055865.md) - [zh-HK](https://longbridge.com/zh-HK/news/286055865.md) --- # Complex NPM Worm Targets Developer Projects A sophisticated npm worm named 'Mini Shai-Hulud' is spreading through well-known developer projects such as TanStack, UiPath, and DraftLab, according to ChainCatcher. The threat monitoring system MistEye, operated by blockchain security firm SlowMist, detected the worm. Attackers are hijacking GitHub credentials to release malicious software packages disguised as legitimate updates. These packages contain a hidden script, router\_init.js, which runs silently in CI/CD environments like GitHub Actions. The worm is designed to steal CI/CD keys, cloud infrastructure keys, and cryptocurrency wallet information, using GitHub's infrastructure for data exfiltration. SlowMist has shared the threat intelligence with its clients, advising projects using the affected packages to check their CI/CD pipelines for the presence of the router\_init.js file. They recommend rotating all exposed GitHub, cloud service, and cryptocurrency credentials and continuously monitoring for unusual background activities in the development environment. ### Related Stocks - [PATH.US](https://longbridge.com/en/quote/PATH.US.md) ## Related News & Research - [US cyber agency CISA exposed reams of passwords and cloud keys to the open web](https://longbridge.com/en/news/286937105.md) - [Crypto isn't dead; it's just that it's made way for AI to produce talent.](https://longbridge.com/en/news/286781619.md) - [Microsoft (MSFT) Faces GitHub AI Crisis as OpenAI's Codex and Rivals Catch Up](https://longbridge.com/en/news/286802171.md) - [In-depth analysis of the Shai-Hulud malware: Is open source a recipe for disaster?](https://longbridge.com/en/news/286230902.md) - [Microsoft sees major investor turnover amid AI boom](https://longbridge.com/en/news/287003396.md)