Summary
Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of @beproduct/nestjs-auth (0.1.2 through 0.1.19). The packages contained payloads from the Mini Shai-Hulud npm supply-chain worm campaign described by Aikido Security.
npm Security removed the malicious versions from the registry shortly after publication, but anyone who ran npm install @beproduct/nestjs-auth resolving to any version in the affected range during that window executed the malicious postinstall script and is potentially compromised.
Version 0.1.20 is a clean republish from the original 0.1.1 source tree.
Indicators of compromise
| Type | Value |
|---|---|
| File name (payload) | tanstack_runner.js, router_init.js, router_runtime.js |
| SHA-256 (tanstack_runner.js) | 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 |
| SHA-256 (router_init.js) | ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c |
| Exfil endpoint | filev2.getsession.org |
| Cloud metadata probe | 169.254.169.254/latest/meta-data/iam/security-credentials/ |
| npm token endpoint | registry.npmjs.org/-/npm/v1/tokens |
| Vault probe | vault.svc.cluster.local:8200 |
| IDE hook pattern | .claude/settings.json SessionStart hook + .vscode/tasks.json runOn: "folderOpen" running node .claude/setup.mjs or node .vscode/setup.mjs |
Mitigation
If you installed any version in the range >=0.1.2 <=0.1.19:
- Remove the package and clean the npm cache:
    npm uninstall @beproduct/nestjs-auth
    npm cache clean --force
- Install the clean version:
    npm install @beproduct/nestjs-auth@0.1.20
- Rotate every credential present in the install environment, including:
  - All npm publish tokens (https://www.npmjs.com/settings/<you>/tokens)
  - All GitHub PATs and OAuth tokens (https://github.com/settings/applications and https://github.com/settings/tokens)
  - AWS access keys
  - HashiCorp Vault tokens
  - Any other secret that was in env vars or config files at install time
- Scan affected hosts for the indicators of compromise above. If any are found, treat the host as compromised and reimage.
- Check committed repository history for unexpected additions in .claude/ or .vscode/ directories; the worm is known to commit setup.mjs plus hook configs to PR branches via automated agent runtimes.
Timeline (UTC)
| Time | Event |
|---|---|
| 2026-05-11 20:19:43 | First malicious version (0.1.2) published |
| 2026-05-11 22:56:39 | Final malicious version (0.1.19) published, 18 versions in 2h37m |
| 2026-05-12 ~14:12 | npm Security removes the malicious versions from the registry |
| 2026-05-13 | BeProduct discovers the incident via Aikido's public disclosure |
| 2026-05-14 | Compromised npm publish token revoked; BeProduct GitHub OAuth credentials rotated |
| 2026-05-14 | Clean release 0.1.20 published; this advisory filed |
Root cause
The compromised npm publish token was harvested by a Mini-Shai-Hulud-infected transitive dependency in an automated GitHub coding-agent runtime that had read access to the NPM_TOKEN GitHub Actions secret for an unrelated repository under the same npm publisher account. The publish itself was performed by the attacker against the public npm registry; the source repository for this package was not modified by the attacker.
References
- https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised
- https://www.aikido.dev/blog/checklist-github-actions
Impact
The postinstall payload attempted to harvest:
- npm tokens (from ~/.npmrc)
- GitHub personal access tokens, OAuth tokens (gho_*), and Actions OIDC tokens
- AWS credentials (from environment variables and ~/.aws/credentials)
- HashiCorp Vault tokens
- Other secrets present in environment variables
Exfiltration target: https://filev2.getsession.org. The worm also wrote persistence artefacts (tanstack_runner.js, router_init.js, setup.mjs, plus IDE-hook configurations in .claude/ and .vscode/) into the developer's working tree where the malicious install ran.
CVE-2026-46412 has a CVSS score of 10.0 (Critical). The vector is network-reachable, requires no privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-46412? CVE-2026-46412 is a critical-severity security vulnerability in @beproduct/nestjs-auth (npm), affecting versions >= 0.1.2, <= 0.1.19. No fixed version is listed yet.
- How severe is CVE-2026-46412? CVE-2026-46412 has a CVSS score of 10.0 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @beproduct/nestjs-auth are affected by CVE-2026-46412? @beproduct/nestjs-auth (npm) versions >= 0.1.2, <= 0.1.19 are affected.
- Is there a fix for CVE-2026-46412? No fixed version is listed for CVE-2026-46412 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-46412 exploitable, and should I be worried? Whether CVE-2026-46412 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-46412 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.