What is Lyrie Research?

Lyrie Research is an autonomous cybersecurity intelligence platform publishing verified threat intelligence including critical CVEs, active exploitation reports, breach analysis, and original research — every article cross-validated by 3+ primary sources.

How does Lyrie.ai protect against rogue AI threats?

Lyrie.ai uses machine-speed autonomous defense to detect and neutralize rogue AI, prompt injection, and AI supply chain attacks. It responds before human analysts can react.

What cybersecurity topics does Lyrie Research cover?

Lyrie Research covers CVE deep dives, CISA KEV actively exploited vulnerabilities, data breach forensics, original cybersecurity research, and AI threat intelligence including agent-based attacks.

How often is Lyrie Research updated?

Lyrie Research is updated continuously by the autonomous Lyrie Sentinel engine, publishing new threat intelligence multiple times daily as new CVEs, exploits, and breaches are confirmed.

Is Lyrie Research free to access?

Yes, all articles on Lyrie Research are freely accessible. For active protection by the same intelligence engine, visit lyrie.ai.

← Supply-Chain

0 sources verified·6 min read

By Lyrie Threat Intelligence·5/11/2026

The Dead Man's Switch Supply Chain Attack: Mini Shai-Hulud Wipes Developers When CI Gets Pwned

TL;DR

The Mini Shai-Hulud worm is actively compromising official @tanstack/* npm packages in real time by exploiting stolen CI/CD credentials. The malware installs a dead-man's-switch that executes rm -rf ~/ if developers revoke the stolen token—a vindictive self-destruct mechanism that turns credential revocation into a trap. The attack hit multiple well-known packages and propagates itself.

What Happened

Over the past 6 hours, security researchers at StepSecurity detected the Mini Shai-Hulud worm spreading through legitimate TanStack (React Router, TanStack Query) npm packages after the attacker compromised the project's CI/CD pipeline. Official package versions were poisoned and published to npm, distributing the malware to downstream projects and developers worldwide.

The attack was discovered when a malicious commit appeared in the TanStack GitHub repository with embedded payload code. When the CI/CD pipeline executed, it ran the prepare lifecycle script, which downloaded Bun, installed the malicious code's dependencies, and executed the worm payload. Because npm publishes via GitHub Actions OIDC (Trusted Publishing), the attacker's CI-injected code was able to directly publish to npm without needing a pre-existing npm token.

Timeline:

Attacker compromises TanStack CI/CD credentials (method not yet disclosed)
Pushes malicious commit to repo; CI pipeline auto-triggers
Bun package is installed as a dependency; prepare script runs
Worm extracts GitHub tokens, AWS/GCP/Azure credentials, npm tokens
Worm self-publishes to @tanstack/* packages on npm
StepSecurity detects compromise within 1-2 hours
Packages remain live on npm briefly before removal

Multiple high-profile TanStack packages were affected, potentially reaching millions of downstream developers through transitive dependencies.

Technical Details

The Payload Chain

The malware arrives disguised as a normal dependency install. It starts by declaring Bun as a dependency in package.json, then executes bw_setup.js during preinstall, which runs the main malicious script bw1.js.

Data Exfiltration Targets:

GitHub tokens (including Actions runner secrets)
GitHub Action workflow variables
npm publish tokens
AWS credentials (from environment variables and AWS credentials file)
GCP service account credentials
Azure credentials
SSH keys
Any environment variables (HOME, PATH, etc.)

All collected data is encrypted with AES-256-GCM asymmetric encryption (only the attacker can decrypt it) and exfiltrated to a GitHub repository created on the victim's account.

The Dead Man's Switch (The Real Shocker)

Upon execution, the worm installs a systemd service (Linux) or LaunchAgent (macOS) called gh-token-monitor that:

1. Monitors the stolen GitHub token every 60 seconds by pinging api.github.com/user

2. If the token is revoked (returns HTTP 401/403):

- Executes rm -rf ~/ — complete wipe of the developer's home directory

- Deletes all local files, dotfiles, SSH keys, documents, credentials

- Effectively creates a strong incentive NOT to revoke the token

This is weaponized extortion: "If you try to stop me, I'll destroy your machine." It's maliciously brilliant—security teams face a choice between leaving the token active (and the worm dormant) or revoking it and losing all local data.

Self-Propagation

The worm also implements self-propagating logic:

Downloads a victim's published npm packages
Injects malicious preinstall/prepare scripts into them
Re-publishes the poisoned versions to npm
Spreads to every downstream developer using those packages

This makes Mini Shai-Hulud a true _worm_ rather than just malware—it replicates across the npm ecosystem without human intervention.

Lyrie Assessment: Why This Matters for Your Organization

This attack represents three converging threat vectors that CISOs must urgently address:

1. The CI/CD Token Is Now the Master Key

GitHub Actions' Trusted Publishing eliminates the need for long-lived npm tokens—but it moves the attack surface to the CI pipeline itself. A single compromised GitHub Actions OIDC token or repo admin secret can publish to npm, PyPI, or any registry that supports Trusted Publishing. This isn't a flaw in the concept; it's a shift in the kill chain. The attacker no longer needs npm credentials—they need GitHub credentials, which are more valuable.

2. Lifecycle Scripts Remain the Autorun Feature of npm

Five years of supply chain attacks have not changed the default behavior: npm still runs postinstall/preinstall scripts automatically. A single compromised package can run arbitrary code on every developer's machine _before_ most security tools have a chance to scan it. pnpm and npm's ignore-scripts flag help, but they are opt-in, not default.

3. Malicious Developers Can Poison Your Machine Acquisition & Threat Response

The dead-man's-switch is a sophisticated social engineering layer. It creates a credible threat: "Revoke the token and lose your home directory." For developers who don't have recent backups (spoiler: most don't), this is a real dilemma. It also poisons your incident response playbook: "Immediately revoke all GitHub tokens" becomes "wait, that might trigger data destruction." This is a form of cyber-enabled extortion baked into the malware.

Autonomous Defense Angle: This attack shows why your SOC cannot operate on human timescales anymore. The entire attack—compromise, exfiltration, self-propagation, dead-man's-switch installation—happens in minutes. By the time humans detect and react, the worm is already in hundreds of organizations. Lyrie's autonomous threat response must operate faster than developers can run npm update.

Recommended Actions

Immediate (Next 2 Hours)

1. Audit npm install logs for any @tanstack/* package versions published on May 11-12, 2026. Identify machines that installed compromised versions.

2. Do not revoke GitHub tokens immediately without first checking for the gh-token-monitor process:

   # Linux
   systemctl list-user-units | grep gh-token-monitor
   cat ~/.config/systemd/user/com.user.gh-token-monitor.service
   
   # macOS
   launchctl list | grep gh-token-monitor
   cat ~/Library/LaunchAgents/com.user.gh-token-monitor.plist

3. If the service exists: Kill it first, then revoke the token:

   # Linux
   systemctl --user stop gh-token-monitor
   systemctl --user disable gh-token-monitor
   
   # macOS
   launchctl unload ~/Library/LaunchAgents/com.user.gh-token-monitor.plist

4. Check for exfiltrated data on the affected developer's GitHub account for new repositories created in the last 24 hours (check the Repositories tab under "Recently created").

Short-Term (Next 24 Hours)

1. Rotate all GitHub tokens, npm tokens, AWS keys, GCP service accounts, and Azure credentials for affected developers.

2. Audit all package publishes from affected developers' GitHub Actions workflows in the last 7 days—look for unexpected version bumps or unusual publish patterns.

3. Scan your own npm packages' postinstall scripts for similar payloads (check for references to "Shai-Hulud," GitHub API calls, AWS credential enumeration, encryption patterns).

4. Enable npm's minimum-release-age setting to 1-2 days on all projects:

   npm config set min-release-age 1d

5. Implement GitHub Actions environment approvals for all release workflows, even with Trusted Publishing enabled. Require manual approval before npm publish.

Long-Term (30+ Days)

1. Adopt Astral's release gate pattern: Use GitHub's deployment environments with manual approvals + branch protection + tag protection rules + immutable release artifacts. This prevents CI/CD compromise alone from publishing.

2. Move to pnpm and disable all lifecycle scripts in your CI/CD:

   npm_config_ignore_scripts=true pnpm install

3. Implement supply chain attestation: Sign all npm publishes with SLSA provenance or similar. Verify checksums before install.

4. Harden developer machines: Enforce file system snapshots (ZFS, Btrfs, LVM snapshots) so rm -rf ~/ is recoverable. This defeats the dead-man's-switch extortion threat.

5. Create an incident playbook for developer machine compromise that does NOT include automatic token revocation—instead, revoke _after_ isolating the machine and checking for persistence mechanisms.