
⚠️ Heads-up: this repo carries the Shai-Hulud / "Miasma" worm payload (.github/setup.js) #56

Description

@icflorescu

Hi, I'm Ionut-Cristian Florescu, an OSS maintainer whose own repositories and community were hit by the same worm campaign in early June 2026. I'm raising this as an issue rather than filing a takedown report, because a report would just get the repo disabled and possibly punish you, the victim, as it happened to me, instead of helping. I'd rather you fix it on your own terms.

A read-only, branch-tip scan of public repositories flagged this one as still containing the worm's payload on one or more branches. This may be a false positive, or you may already be mid-cleanup. If so, please ignore this, and apologies for the noise.

🔎 Where my scan flagged it here: .github/setup.js is sitting at the tip of develop, feature/MasterCrud, feature/MasterCrud-Revisi-1, feature/Temp, feature/add_organization_page, feature/main-layout, …and 5 more.

Why this matters

  • The payload is a file named .github/setup.js: a single, ~4.3 MB minified line. It does not run on its own from a normal git clone.
  • It is wired to detonate when the repository is opened in an AI-assisted editor (Cursor, or VS Code / others running Claude, Gemini, Copilot agents, etc.). The triggers are hook files dropped alongside it, typically:
    • .claude/settings.json and .gemini/settings.json (SessionStart)
    • .cursor/rules/setup.mdc (alwaysApply)
    • .vscode/tasks.json (folderOpen)
    • a test script entry in package.json
  • When it runs, it harvests credentials (GitHub tokens, npm tokens, cloud keys for AWS / GCP / Azure, and more), then attempts to spread further.
  • Bottom line: until it's removed, anyone who opens this repo in such an editor risks having their own credentials stolen. That includes you and anyone who clones or contributes.

How to check

Look for .github/setup.js on every branch, not just the default one, since the worm hides on feature and stale branches too. The hook files listed above are a second tell. The safe way to check is from a clone with nothing checked out, so nothing can run; that's steps 1 and 2 of the cleanup below.

How to clean it up

⚠️ Please don't blind-paste any of the commands below (or from any guide) into your shell. Read each one, make sure you understand what it does and why, and confirm it fits your repo first. Running code you don't understand is precisely how this whole mess started, so don't let the cleanup repeat the mistake.

The one rule above all: never let an affected repo run. No opening it in an AI editor, no npm install, no npm test. Do everything below from a clone with nothing checked out.

1. Clone with no checkout.

git clone --no-checkout https://github.com/<you>/<repo>.git fix
cd fix
git fetch origin '+refs/heads/*:refs/remotes/origin/*'

2. Detect by the payload file, on every branch.

git for-each-ref --format='%(refname:short)' refs/remotes/origin | while read b; do
  git cat-file -e "$b:.github/setup.js" 2>/dev/null && echo "INFECTED: $b"
done

3. Back up the evidence once.

git clone --mirror https://github.com/<you>/<repo>.git evidence.git
tar czf evidence.tar.gz evidence.git

4. Remove the malicious commit from each infected branch. For this worm the bad commit is usually the branch tip, so reset the branch to its parent:

git log -1 origin/<branch> -- .github/setup.js          # confirm it is the latest commit
git push --force-with-lease origin <MALICIOUS_SHA>^:refs/heads/<branch>

Reset, not git revert: a revert leaves the payload retrievable at the old commit. (If a branch has real commits on top of the malicious one, don't use this as-is; rebase just the bad commit out instead.)

5. Purge the copies you cannot see. Because of the fork network, a commit can stay reachable by its SHA after it is off every branch. Open a support ticket, give them the malicious SHAs, and ask them to garbage-collect and purge them via the sensitive-data removal process.

Then rotate anything that was exposed: personal access tokens, Actions secrets, npm tokens, cloud keys. If the repo was ever opened or run in an editor on any machine, treat those credentials as burned.

These steps are the gist; for the most up-to-date version, see my write-up: https://dev.to/icflorescu/if-the-shai-hulud-worm-reached-your-github-repos-please-read-this-1pok

More background, if you want it

I'm not affiliated with GitHub and there's nothing in this for me. I just went through it and don't want it spreading. Happy to help if you get stuck. Stay safe. 🙏
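As an added example (not part of the issue above or of the author's write-up), the following POSIX shell script turns the detection step into a reusable scan: it walks every local and remote-tracking branch tip of a clone and reads the trees straight from the object store, so nothing is checked out and nothing can execute. It assumes `git` is on PATH and that the repo was cloned with `--no-checkout` (or `--mirror`) as in step 1 of the issue. The payload path and the hook-file paths are the ones the issue names; hook files are reported as `HOOK` rather than `INFECTED` because a file such as `.vscode/tasks.json` is often legitimate on its own, so only `.github/setup.js` at a branch tip counts as a positive.

```shell
#!/bin/sh
# Added example, not part of the issue or its author's write-up.
# Scans every branch tip of a clone for the payload path and the hook files the
# issue lists, reading blobs straight from the object store so nothing is checked
# out and nothing can execute. Assumes `git` is on PATH and the repo was cloned
# with --no-checkout (or --mirror) as in step 1 of the issue.

PAYLOAD_PATH=".github/setup.js"
# Trigger files named in the issue. Reported as HOOK, not INFECTED, because
# e.g. .vscode/tasks.json is often legitimate on its own.
HOOK_PATHS=".claude/settings.json .gemini/settings.json .cursor/rules/setup.mdc .vscode/tasks.json"

# all_branch_tips <gitdir>: short names of every local and remote-tracking branch.
all_branch_tips() {
  git -C "$1" for-each-ref --format='%(refname:short)' refs/heads refs/remotes/origin
}

# has_path <gitdir> <ref> <path>: exit 0 if the tree at <ref> contains <path>.
# cat-file -e only tests object existence; the blob is never written to disk.
has_path() {
  git -C "$1" cat-file -e "$2:$3" 2>/dev/null
}

# scan_repo <gitdir>: one line per finding, nothing on a clean repo.
#   INFECTED <ref> <tip sha> <path> <bytes>   payload present at the branch tip
#   HOOK     <ref> <tip sha> <path>           a trigger file present at the branch tip
# The tip SHA is the commit to confirm with `git log -1` before step 4 of the issue.
scan_repo() {
  repo="$1"
  all_branch_tips "$repo" | while read -r ref; do
    sha=$(git -C "$repo" rev-parse "$ref")
    if has_path "$repo" "$ref" "$PAYLOAD_PATH"; then
      # Size in bytes helps tell the ~4.3 MB worm file from a small legitimate script.
      size=$(git -C "$repo" cat-file -s "$ref:$PAYLOAD_PATH")
      printf 'INFECTED %s %s %s %s\n' "$ref" "$sha" "$PAYLOAD_PATH" "$size"
    fi
    for p in $HOOK_PATHS; do
      if has_path "$repo" "$ref" "$p"; then
        printf 'HOOK %s %s %s\n' "$ref" "$sha" "$p"
      fi
    done
  done
}

# infected_branches <gitdir>: just the branch names that carry the payload,
# suitable for driving the per-branch reset in step 4 of the issue.
infected_branches() {
  scan_repo "$1" | awk '$1 == "INFECTED" { print $2 }' | sort -u
}

# Usage, from the `fix` clone made in step 1 of the issue:
#   scan_repo .
#   infected_branches .
```

Run it against the `fix` clone from step 1 and keep the `INFECTED` lines: the SHA column is the branch tip to confirm with `git log -1 <ref> -- .github/setup.js`, and the byte count flags the single-line multi-megabyte file the issue describes. Because every check goes through `git cat-file`, the script works equally on a `--mirror` clone taken as evidence in step 3.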
