GetChain News

SlowMist: High-Risk npm Worm “Mini Shai-Hulud” Detected, Capable of Stealing CI/CD Keys and Cryptocurrency Wallet Information

Source: x.com
Event types: Online/Update, Security/Hacker
According to monitoring by MistEye, the threat intelligence monitoring system operated by blockchain security firm SlowMist (@SlowMist_Team), a highly sophisticated npm worm named “Mini Shai-Hulud” is spreading via well-known developer projects including TanStack, UiPath, and DraftLab. Attackers have hijacked GitHub credentials to publish malicious packages disguised as legitimate updates. These packages contain a hidden script, router_init.js, that executes silently within CI/CD environments such as GitHub Actions and is specifically designed to steal CI/CD secrets, cloud infrastructure credentials, and cryptocurrency wallet information. Data exfiltration is conducted using GitHub’s own infrastructure.

SlowMist has already shared this threat intelligence (IOC) with its clients. It recommends that projects using the affected packages immediately audit their CI/CD pipelines for the presence of router_init.js, rotate all exposed GitHub, cloud service, and cryptocurrency credentials, and continuously monitor development environments for anomalous background activity.
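One way to run the recommended audit for router_init.js over a checked-out workspace or CI dependency cache, as an added example (not SlowMist's tooling): it lists every file with that name together with the package and version that ships it, which scopes which credentials to rotate. The function names, the sample tree and its package names are constructed for illustration; a file name match is a lead to investigate, not proof of compromise.

```python
import json
import os
import sys
import tempfile

SUSPECT = "router_init.js"  # file name given in the advisory


def owner(d, root):
    """Return (name, version) from the nearest package.json at or above d, inside root."""
    while True:
        try:
            with open(os.path.join(d, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
            if isinstance(meta, dict):
                return str(meta.get("name", "?")), str(meta.get("version", "?"))
        except (OSError, ValueError):
            pass  # no readable manifest at this level: keep walking up
        if d == root or os.path.dirname(d) == d:
            return "?", "?"
        d = os.path.dirname(d)


def scan(root):
    """List (relative path, package, version) for every file named SUSPECT under root."""
    root, hits = os.path.abspath(root), []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() == SUSPECT:
                rel = os.path.relpath(os.path.join(dirpath, fn), root).replace(os.sep, "/")
                hits.append((rel, *owner(dirpath, root)))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree: package names and versions here are made up."""
    root = tempfile.mkdtemp()
    for pkg, files in (("clean-pkg", ["index.js"]), ("example-pkg", ["index.js", SUSPECT])):
        d = os.path.join(root, "node_modules", pkg, "dist")
        os.makedirs(d)
        with open(os.path.join(os.path.dirname(d), "package.json"), "w") as fh:
            json.dump({"name": pkg, "version": "0.0.0"}, fh)
        for f in files:
            open(os.path.join(d, f), "w").close()
    return root


if __name__ == "__main__":
    print(*scan(sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()), sep="\n")
```

Pass the workspace or cache directory as the first argument; with no argument it scans the constructed sample tree.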
