TokenTalks

Breaking change:

[CRITICAL] GHSA-6xwp-cp5h-q856: Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm

GitHub Security Advisory · Security · SecurityFix · 5/19/2026

## Summary

Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of `@beproduct/nestjs-auth` (0.1.2 through 0.1.19). The packages contained payloads from the **Mini Shai-Hulud** npm supply-chain worm campaign described by [Aiki

Why it matters: Apps using @beproduct/nestjs-auth will need code changes before upgrading. Review the release notes before bumping versions.

Who should care: Engineers depending on @beproduct/nestjs-auth.
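Since the advisory names an exact affected range (0.1.2 through 0.1.19 inclusive), the first thing a dependent project wants is a lockfile check that flags any resolved copy of `@beproduct/nestjs-auth` in that range, including transitive copies nested under other packages. The following script is an added example written for this page; it is not code from the advisory, from BeProduct, or from the Aikido write-up. It reads npm's `package-lock.json` in both the v2/v3 `packages` layout and the v1 nested `dependencies` layout, compares versions as numeric tuples so that `0.1.9` is not mistakenly ordered after `0.1.19`, and is run here against a small constructed lockfile embedded inline.

```python
import json
from typing import Iterator

AFFECTED_PACKAGE = "@beproduct/nestjs-auth"
# Affected range as stated in GHSA-6xwp-cp5h-q856: 0.1.2 through 0.1.19, inclusive.
AFFECTED_MIN = (0, 1, 2)
AFFECTED_MAX = (0, 1, 19)


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[-pre][+build]' into a comparable int tuple."""
    core = version.split("-", 1)[0].split("+", 1)[0]  # drop prerelease/build
    parts = core.split(".")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))  # pad '0.1' -> (0, 1, 0)


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's inclusive range."""
    try:
        parsed = parse_version(version)
    except ValueError:  # non-numeric version strings (git URLs, tags) are skipped
        return False
    return AFFECTED_MIN <= parsed <= AFFECTED_MAX


def iter_lock_entries(lock: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (package name, resolved version, install path) for every lock entry."""
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            if "version" in meta:
                yield name, meta["version"], path
        return

    def walk(deps: dict, prefix: str):  # lockfileVersion 1: nested tree
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if "version" in meta:
                yield name, meta["version"], path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_affected(lock: dict) -> list[dict]:
    """Return every resolved copy of the package whose version is in the bad range."""
    hits = []
    for name, version, path in iter_lock_entries(lock):
        if name == AFFECTED_PACKAGE and is_affected(version):
            hits.append({"path": path, "version": version})
    return hits


# Constructed sample lockfile (v3 layout): one direct copy at 0.1.7 (affected),
# one nested copy at 0.1.1 (before the range) and one at 0.1.20 (after it).
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/@beproduct/nestjs-auth": {"version": "0.1.7"},
    "node_modules/some-lib": {"version": "2.3.0"},
    "node_modules/some-lib/node_modules/@beproduct/nestjs-auth": {"version": "0.1.1"},
    "node_modules/other-lib": {"version": "4.0.0"},
    "node_modules/other-lib/node_modules/@beproduct/nestjs-auth": {"version": "0.1.20"}
  }
}
""")


if __name__ == "__main__":
    # Replace SAMPLE_LOCK with json.load(open("package-lock.json")) for a real project.
    for hit in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED: {hit['path']} resolved to {hit['version']}")
```

A non-empty result means the lockfile pins a version published during the compromise window; the project should pin a version outside the range and rotate any secrets that were reachable from machines that installed the affected versions.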

Tags: @beproduct/nestjs-auth, anthropic, aws

Source payload preview

```json
{
  "ghsaId": "GHSA-6xwp-cp5h-q856",
  "summary": "Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm",
  "severity": "CRITICAL",
  "updatedAt": "2026-05-19T20:28:08Z",
  "references": [
    {
      "url": "https://github.com/BeProduct/beproduct-org-nestjs-auth/security/advisories/GHSA-6xwp-cp5h-q856"
    },
    {
      "url": "https://www.aikido.dev/blog/checklist-github-actions"
    },
    {
      "url": "https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised"
    },
    {
      "url": "https://github.com/advisories/GHSA-6xwp-cp5h-q856"
    }
  ],
  "description": "## Summary\n\nBetween 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of `@beproduct/nestjs-auth` (0.1