PT-2026-42047 · Npm · @Beproduct/Nestjs-Auth

Published: 2026-05-19 · Updated: 2026-05-26 · CVE-2026-46412

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: @beproduct/nestjs-auth versions 0.1.2 through 0.1.19
Description: An attacker used a compromised npm publish token to distribute malicious versions of the package containing payloads from the Mini Shai-Hulud npm supply-chain worm campaign. The malicious postinstall script attempts to harvest sensitive data, including npm tokens from ~/.npmrc, GitHub personal access tokens, OAuth tokens (gho_* prefix), Actions OIDC tokens, AWS credentials from environment variables and ~/.aws/credentials, HashiCorp Vault tokens, and other secrets in environment variables. The harvested data is exfiltrated to the endpoint 'https://filev2.getsession.org'. Additionally, the worm establishes persistence by writing files such as tanstack runner.js, router init.js, and setup.mjs into the developer's working tree and by configuring IDE hooks in the .claude/ and .vscode/ directories.

Recommendations: For versions 0.1.2 through 0.1.19, uninstall the package, clean the npm cache, and install version 0.1.20. Rotate all npm publish tokens, GitHub PATs, OAuth tokens, AWS access keys, HashiCorp Vault tokens, and any other secrets present in the environment during installation. Scan affected hosts for the persistence files tanstack runner.js, router init.js, and router runtime.js, and reimage the host if any are found. Review repository history for unauthorized additions in the .claude/ or .vscode/ directories.

Fix

RCE

Weakness Enumeration

Related Identifiers: CVE-2026-46412, GHSA-6XWP-CP5H-Q856

Affected Products: @Beproduct/Nestjs-Auth