Neonet Blog

Is Your Dev Machine Infected? Detecting the Mini Shai-Hulud Worm


The “Mini Shai-Hulud” supply chain attack, orchestrated by the threat actor group TeamPCP, is one of the most widespread automated malware campaigns of 2026. Peaking between April 29 and May 1, the worm compromised over 1,800 packages across npm, PyPI, and Composer.

This worm is designed to bypass standard Node.js monitoring by leveraging a standalone Bun runtime to execute its payload. If you performed a package installation or build during the last two weeks, your development environment may have been targeted for credential exfiltration.

Here is how to audit your local system using a few terminal commands.

1. Scan for the “Bun” Loader Signature

The malware uses a specific loader to trigger its 11MB payload. Run this command from the project root: it searches the directory tree, including node_modules, for the string “Bun” used in the malicious setup.mjs scripts. The -w flag matches only the standalone word “Bun”, so legitimate “Bundle” strings in build tools like Rollup or Astro are ignored. Expect a few benign hits as well, since packages that detect the Bun runtime (for example with typeof Bun !== "undefined") contain the same word; review any match inside a setup.mjs first.

grep -rw "Bun" . --include="*.js" --include="*.mjs"

2. Locate Malicious Payload Files

Before exfiltrating AWS keys, SSH keys, and tokens, the worm creates local cache files. Use the find command, run from your home directory or from each project root, to check for these specific filenames.

find . -type f \( -name "Cloud.json" -o -name "Environment.json" -o -name "router_runtime.js" \)

3. Audit Your Lockfiles

The worm targeted specific versions of high-traffic dependencies. If your pnpm-lock.yaml, package-lock.json, or requirements.txt contains these specific versions, you likely pulled an infected dependency during the active window.

# For pnpm or npm users
grep -E "[email protected]|[email protected]|[email protected]|[email protected]" pnpm-lock.yaml package-lock.json

4. Check Your GitHub for “The Signature”

The primary exfiltration method involves using stolen GitHub tokens to create public repositories on the victim’s own account.

Immediate Action: Log into your GitHub profile and check your repository list for any new repos with the description:

“A Mini Shai-Hulud has Appeared”
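The three terminal checks above (steps 1 to 3) can be combined into a single audit script. The script below is an added example, not the post's own tooling: the function names are mine, LOCKFILE_IOC_PATTERN is a placeholder you must set to the exact package@version alternatives from the advisory (the ones in the grep -E of step 3), and make_fixture builds a constructed test tree (a benign file containing “Bundle”, a suspicious setup.mjs containing the standalone word “Bun”, a Cloud.json, and a lockfile pinning a made-up example-pkg@9.9.9) so the whole-word distinction can be exercised without any real malware. Step 4, the GitHub repository check, stays a manual step in the web UI.

```shell
#!/bin/sh
# Added example, not the post's own tooling: bundles the three terminal
# checks (Bun loader string, payload cache files, lockfile versions) into
# one audit. LOCKFILE_IOC_PATTERN is a placeholder; set it to the exact
# package@version alternatives from the advisory, as in the grep -E above.
LOCKFILE_IOC_PATTERN="${LOCKFILE_IOC_PATTERN:-REPLACE-WITH-package@version-list}"

# Check 1: whole-word "Bun" in .js/.mjs files. -w keeps "Bundle" (Rollup,
# Astro) from matching, -l prints each file once. Exit 0 = at least one hit.
scan_bun_loader() {
    grep -rlw --include="*.js" --include="*.mjs" "Bun" "$1" 2>/dev/null
}

# Check 2: the cache files the worm writes before exfiltration.
# Exit 0 = at least one found (find itself exits 0 even on no match).
find_payload_files() {
    hits=$(find "$1" -type f \( -name "Cloud.json" -o -name "Environment.json" \
        -o -name "router_runtime.js" \) 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Check 3: lockfiles that pin a known-bad version. Prints each matching
# lockfile; exit 0 = at least one match.
audit_lockfiles() {
    matched=1
    for lock in pnpm-lock.yaml package-lock.json requirements.txt; do
        [ -f "$1/$lock" ] || continue
        if grep -Eq "$LOCKFILE_IOC_PATTERN" "$1/$lock"; then
            printf '%s\n' "$1/$lock"
            matched=0
        fi
    done
    return $matched
}

# Run all three checks on a directory; the return value is how many of them
# matched (0 = clean, up to 3).
run_audit() {
    triggered=0
    printf '== Check 1: word "Bun" in .js/.mjs under %s\n' "$1"
    if scan_bun_loader "$1"; then triggered=$((triggered + 1)); else echo "  none"; fi
    printf '== Check 2: payload cache files\n'
    if find_payload_files "$1"; then triggered=$((triggered + 1)); else echo "  none"; fi
    printf '== Check 3: lockfiles matching %s\n' "$LOCKFILE_IOC_PATTERN"
    if audit_lockfiles "$1"; then triggered=$((triggered + 1)); else echo "  none"; fi
    printf '== %d of 3 checks matched\n' "$triggered"
    return "$triggered"
}

# Constructed fixture (not real malware): one benign file containing the
# word "Bundle", one suspicious setup.mjs containing the standalone word
# "Bun", a Cloud.json, and a lockfile pinning a made-up example-pkg@9.9.9.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/node_modules/good-pkg" "$root/node_modules/bad-pkg"
    printf 'export const kind = "Bundle";\n' > "$root/node_modules/good-pkg/index.js"
    printf 'const runtime = "Bun";\n' > "$root/node_modules/bad-pkg/setup.mjs"
    printf '{}\n' > "$root/node_modules/bad-pkg/Cloud.json"
    printf 'packages:\n  example-pkg@9.9.9:\n' > "$root/pnpm-lock.yaml"
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/project   (exit status = number of checks hit)
if [ $# -gt 0 ]; then
    run_audit "$1"
    exit $?
fi
```

Run it as `LOCKFILE_IOC_PATTERN='pkg-a@1\.2\.3|pkg-b@4\.5\.6' sh audit.sh ~/projects/app` with the real version list substituted; a non-zero exit status means at least one check fired and the recovery steps below apply. Escaping the dots in the version pattern matters, since grep -E treats a bare dot as “any character”.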

Recovery Steps

If any of these commands return a match, your environment is compromised:

  1. Isolation: Disconnect the machine from the network immediately.
  2. Credential Revocation: Delete and rotate all GitHub Personal Access Tokens (PATs), AWS Access Keys, and NPM tokens.
  3. Environment Cleanup: Clear your global package manager cache and delete the affected project’s node_modules.
  4. Key Rotation: Generate new SSH keys and update secrets in local .env files.
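Recovery step 3 (environment cleanup) in script form, as an added example rather than anything from the post: it deletes the affected project's node_modules and clears the global cache of each package manager found on PATH, using that manager's own cache-clearing subcommand (npm, pnpm and yarn for the npm ecosystem, pip for PyPI, composer for Packagist). The function names are mine; the project path is the argument you pass.

```shell
#!/bin/sh
# Added example, not the post's own script: recovery step 3 (environment
# cleanup). Deletes the affected project's node_modules and clears the global
# cache of every package manager found on PATH, using each manager's own
# cache-clearing subcommand. Pass the project directory as the argument.

# Remove node_modules under the given project root; returns 1 if there is none.
remove_node_modules() {
    [ -d "$1/node_modules" ] || return 1
    rm -rf "$1/node_modules"
}

# Clear global caches for whichever managers are installed (npm, pnpm, yarn
# cover the npm ecosystem; pip covers PyPI; composer covers Packagist).
clear_package_caches() {
    command -v npm      >/dev/null 2>&1 && npm cache clean --force
    command -v pnpm     >/dev/null 2>&1 && pnpm store prune
    command -v yarn     >/dev/null 2>&1 && yarn cache clean
    command -v pip      >/dev/null 2>&1 && pip cache purge
    command -v composer >/dev/null 2>&1 && composer clear-cache
    return 0
}

# Usage: sh cleanup.sh /path/to/project
if [ $# -gt 0 ]; then
    if remove_node_modules "$1"; then
        echo "removed $1/node_modules"
    else
        echo "no node_modules in $1"
    fi
    clear_package_caches
fi
```

Run the cleanup only after the credentials in step 2 have been revoked; a fresh install with the old tokens still valid would just give a lingering compromised package another chance to use them.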
