SlowMist: npm worm spreads through projects such as TanStack, stealing cryptocurrency wallets and cloud keys
CoinFeed reported on May 12th that, according to SlowMist monitoring, a highly sophisticated npm worm named "Mini Shai-Hulud" is spreading through trusted developer projects such as TanStack, UiPath, and DraftLab. Attackers hijack GitHub credentials and publish malicious package updates that appear legitimate. The malware injects a stealthy `router_init.js` script that runs silently in the CI/CD environment and is designed to steal sensitive data such as CI/CD keys, cloud infrastructure keys, and cryptocurrency wallets; it then uses GitHub infrastructure to exfiltrate that data. SlowMist recommends that users audit their CI/CD pipelines for the `router_init.js` file, rotate all exposed credentials, and closely monitor their development environments.
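The audit SlowMist recommends can be scripted so that it runs as a pipeline step. The Python below is an added example, not code from SlowMist or from the affected projects: it walks a checkout (including `node_modules`), reports every `router_init.js` together with the package that contains it, and exits non-zero on any finding. The function names and the extra check of `package.json` scripts for the file name are assumptions; the report names only the file itself.

```python
import json
import os
import sys

IOC_FILENAME = "router_init.js"  # the one file name the report gives


def read_manifest(path):
    """Parse a package.json; return {} if it is unreadable or not an object."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def owning_package(directory, root):
    """Climb from directory to root; return name@version of the nearest package.json."""
    while True:
        manifest = os.path.join(directory, "package.json")
        if os.path.isfile(manifest):
            meta = read_manifest(manifest)
            return f"{meta.get('name', '?')}@{meta.get('version', '?')}"
        parent = os.path.dirname(directory)
        if directory == root or parent == directory:
            return "?"
        directory = parent


def audit(root):
    """Return sorted (kind, relative path, package) findings under root."""
    root = os.path.abspath(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if IOC_FILENAME in files:
            rel = os.path.relpath(os.path.join(dirpath, IOC_FILENAME), root)
            findings.append(("file", rel, owning_package(dirpath, root)))
        if "package.json" in files:
            # Assumption: a manifest script naming the file is also worth review.
            scripts = read_manifest(os.path.join(dirpath, "package.json")).get("scripts")
            if isinstance(scripts, dict) and any(IOC_FILENAME in str(c) for c in scripts.values()):
                rel = os.path.relpath(os.path.join(dirpath, "package.json"), root)
                findings.append(("script-ref", rel, owning_package(dirpath, root)))
    return sorted(findings)


if __name__ == "__main__":
    hits = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, rel, package in hits:
        print(f"{kind}\t{rel}\t{package}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI job on any finding
```

A file with this name can also be legitimate, so each hit is a lead for review: compare the reported package and version against the registry release before deciding which credentials to rotate.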