Overview
- The malicious releases, which appeared Wednesday between 09:55 and 12:14 UTC, added a preinstall script that fetched the Bun runtime and ran an obfuscated payload during npm install.
- Targets included mbt 1.2.48 and @cap-js db-service 2.10.1, postgres 2.2.2, and sqlite 2.2.2, which ran code that stole GitHub and npm tokens, cloud keys, and CI secrets, then uploaded encrypted bundles to public GitHub repos labeled “A Mini Shai-Hulud has Appeared.”
- The payload can spread by using stolen tokens to inject a GitHub Actions workflow that steals more secrets and pushes tainted releases, and it plants files for VS Code and Claude Code so opening an infected repo can run the malware.
- Maintainers replaced the bad builds with safe versions the same day, and security firms published file hashes and guidance to search lockfiles and logs, rotate all tokens, and review recent GitHub activity.
- Researchers link the tradecraft to TeamPCP and report a hijacked maintainer account plus lax trusted-publisher settings for OIDC, with a separate suspicion that mbt used a leaked static bot token, which shows how CI trust rules can be abused to publish without expected provenance.