GitHub worm hijacks Actions to push malicious npm packages

A worm abused GitHub Actions on May 19 to publish malicious npm packages, compromising 300+ AntV packages including echarts-for-react and affecting about 16 million weekly downloads.
A self-replicating worm abused GitHub Actions pipelines on May 19 to publish malicious npm packages across the AntV ecosystem, including echarts-for-react. The injected packages together see an estimated 16 million weekly downloads. The campaign also planted an npm token rigged as a dead-man's switch: revoking it triggers a destructive wipe of the token owner's machine.
Security researchers have tracked the campaign as Mini Shai-Hulud and attribute it to a group known as Team PCP. The attackers used a fork-and-pull-request approach that abused pull_request_target workflows. Unlike pull_request, a pull_request_target workflow runs in the context of the base repository, with access to its secrets and write permissions, even when the pull request comes from a fork; a workflow that then checks out and builds the PR head hands those privileges to whatever code the PR contains. The attackers used PRs of that kind to poison the Actions cache with a malicious pnpm store, which later builds in the same repository restored. Because the tampered packages were produced by the repository's legitimate release pipeline, they carried valid signatures and SLSA provenance attestations and passed the common supply-chain checks, which verify where a package was built rather than what went into the build.
On May 19 the attackers, working from a compromised maintainer account in the @atool namespace, pushed malicious versions of 323 packages in a roughly 22-minute automated burst. Among the affected modules was echarts-for-react, a React wrapper for Apache ECharts with about 1.1 million weekly downloads.
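The pull_request_target pattern described above can be checked for mechanically. The following is an added example written for this article, not code from GitHub or from any of the vendors named on the page: a standard-library heuristic that flags a workflow file when it is triggered by pull_request_target, checks out the pull request head, and runs a package manager (whose lifecycle scripts execute that code), and separately notes whether the job touches the Actions cache. The two embedded workflows are constructed for the demonstration; the hardened one uses the plain pull_request trigger, read-only permissions and an install that skips lifecycle scripts.

```python
"""Flag GitHub Actions workflows open to the pull_request_target abuse described above.

Added example for this article, not code from GitHub or the vendors named on the page.
A line-level heuristic rather than a YAML parser (good enough for workflow files).
A workflow is a "pwn request" when it (1) triggers on pull_request_target, so it runs in
the base repo with its secrets, (2) checks out the PR head ref/sha, and (3) runs a
package manager, so lifecycle scripts execute the PR's code. Cache use is reported too:
a cache written by such a job lands in the base branch's scope for later trusted builds.
"""
import re

ON_KEY = r"""(?:"on"|'on'|on)"""  # `on` is sometimes quoted to dodge YAML 1.1 booleans
HEAD_REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\s*\}\}"
)
PKG_MANAGER_RE = re.compile(
    r"\b(?:(?:pnpm|npm|yarn)\s+(?:install|ci|i|run|test|build)\b|npx\s+\S+)"
)
CACHE_RE = re.compile(r"uses:\s*actions/cache@|^\s*cache:\s*\S+", re.M)


def strip_comments(text):
    """Drop full-line and trailing '# ...' YAML comments so they cannot hide or fake a match."""
    return "\n".join(re.sub(r"(^|\s)#.*$", "", line) for line in text.splitlines())


def top_level_block(text, key_pattern):
    """Return a top-level mapping key's own line plus its indented children."""
    collected, inside = [], False
    for line in text.splitlines():
        if re.match(rf"^{key_pattern}\s*:", line):
            inside = True
        elif inside and line.strip() and not line[0].isspace():
            break  # reached the next top-level key
        if inside:
            collected.append(line)
    return "\n".join(collected)


def audit_workflow(text):
    """Return the individual checks plus the combined 'pwn_request' verdict."""
    clean = strip_comments(text)
    triggers = top_level_block(clean, ON_KEY)
    checks = {
        "pull_request_target": bool(re.search(r"\bpull_request_target\b", triggers)),
        "checks_out_head": bool(HEAD_REF_RE.search(clean)),
        "runs_package_manager": bool(PKG_MANAGER_RE.search(clean)),
        "cache_exposure": bool(CACHE_RE.search(clean)),
    }
    checks["pwn_request"] = (checks["pull_request_target"] and checks["checks_out_head"]
                             and checks["runs_package_manager"])
    return checks


# Constructed workflows for the demonstration (not taken from any real repository).
VULNERABLE_WORKFLOW = """\
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # PR code, base-repo privileges
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm                                       # cache scoped to base branch
      - run: pnpm install --frozen-lockfile   # lifecycle scripts run attacker code
      - run: pnpm test
"""

HARDENED_WORKFLOW = """\
name: CI
on:
  pull_request            # runs in the fork's context, no base-repo secrets
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm test
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf))
```

The heuristic deliberately reports the three conditions separately: a pull_request_target workflow that only labels or comments on a PR and never checks out or executes its code is a legitimate use, and the verdict should be read alongside the individual findings rather than as a blanket ban on the trigger.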
The malware included a credential-theft component and a destructive dead-man’s switch. The attacker-created npm token carried the label “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.” The infection installed a shell script that polls GitHub’s API every 60 seconds and deletes the user’s home directory if the token is revoked. Before propagating, the code harvested credentials and configuration from GitHub, AWS, Azure, Google Cloud, Kubernetes, HashiCorp Vault and more than 90 developer tool configurations, then used those credentials to move laterally across cloud infrastructure.
The campaign also hit Python's package index. On the same day three malicious versions of the durabletask Python SDK were published to PyPI; those packages silently downloaded and executed a compact 28 KB payload designed to steal credentials and enable lateral movement across AWS, Azure and GCP environments.
GitHub announced a set of changes on May 20 aimed at reducing the attack surface for package publishing. The company said it will introduce staged publishing to give maintainers a review window and require multi-factor authentication approval for publishing. GitHub also plans bulk OIDC onboarding to help organizations migrate packages to OIDC-based publishing, expand OIDC provider support beyond GitHub Actions and GitLab, deprecate legacy classic tokens, migrate users to FIDO-based two-factor authentication, and disable token-based publishing by default.
Security firms flagged related activity earlier in the month. A blockchain security firm raised an alert on May 14 after identifying malicious versions of node-ipc as part of the same campaign. In a prior wave, more than 500 compromised packages were removed from the npm registry.
Developers using affected packages are advised to audit dependency trees immediately and rotate credentials carefully. Given the dead-man's switch described above, a compromised machine should be isolated and the polling script removed before the planted npm token is revoked; revoking first risks triggering the wipe. Security vendors Snyk, Wiz, Socket.dev and Step Security have published indicators of compromise and further technical details. Security teams and registries are advised to move publishing workflows to OIDC-based ephemeral credentials, so that each publish is authorized by a short-lived identity token issued to the specific CI run rather than by a long-lived npm token stored as a secret, and to require strong multi-factor authentication for maintainers to reduce the risk of similar abuse.
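Auditing a dependency tree for the packages in a vendor's indicator list is more reliable from the lockfile than from a top-level manifest, because compromised packages can be pulled in transitively and nested under other modules. The following is an added example for this article (not tooling from any of the vendors named above): it walks a parsed package-lock.json, supporting both the lockfileVersion 2/3 `packages` map and the older v1 nested `dependencies` tree, and reports every occurrence of a watched package name or scope with its resolved version and whether that version is in a caller-supplied known-good set. The sample lockfile, the `@atool/example-pkg` name, the version numbers and the known-good set are all constructed placeholders, not real indicators of compromise.

```python
"""Walk an npm lockfile for packages on a watch list.

Added example for this article, not vendor tooling. Finds watched names or scopes
anywhere in the tree, including copies nested under other packages, and reports the
resolved version against a caller-supplied known-good set. All sample data is constructed.
"""
import json


def load_lockfile(path):
    """Parse a package-lock.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def package_name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b': the text after the last node_modules/."""
    return path.split("node_modules/")[-1]


def iter_packages(lock):
    """Yield (path, metadata) for lockfileVersion 2/3 ('packages') or v1 ('dependencies')."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself, not a dependency
                yield path, meta
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, meta
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit_lockfile(lock, watch_names=(), watch_scopes=(), known_good=None):
    """Return one finding per installed copy of a watched package or scoped package."""
    known_good = known_good or {}
    findings = []
    for path, meta in iter_packages(lock):
        name = package_name_from_path(path)
        scope = name.split("/")[0] if name.startswith("@") else None
        if name not in watch_names and scope not in watch_scopes:
            continue
        version = meta.get("version", "?")
        verdict = "known-good" if version in known_good.get(name, set()) else "REVIEW"
        findings.append({"name": name, "version": version, "path": path,
                         "dev": bool(meta.get("dev")), "verdict": verdict})
    return findings


# Constructed sample lockfile; names other than echarts-for-react and all versions are placeholders.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "18.0.0"},
        "node_modules/echarts-for-react": {"version": "1.0.0"},
        "node_modules/echarts-for-react/node_modules/@atool/example-pkg": {"version": "2.0.0"},
        "node_modules/@atool/example-pkg": {"version": "1.0.0", "dev": True},
    },
}
WATCH_NAMES = {"echarts-for-react"}       # take these from the published IoC lists
WATCH_SCOPES = {"@atool"}                  # whole namespace named in the article
KNOWN_GOOD = {"echarts-for-react": {"1.0.0"}}  # hypothetical pin, not an advisory value


def demo():
    return audit_lockfile(SAMPLE_LOCK, WATCH_NAMES, WATCH_SCOPES, KNOWN_GOOD)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['verdict']:10} {f['name']}@{f['version']}  ({f['path']})")
```

Every `REVIEW` line should be checked against the vendor indicators for that exact version; a `dev`-only copy still matters, because install-time lifecycle scripts run on developer machines and in CI regardless of whether the package ships to production.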
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.