MalwareUsed by 1 actor

gh-token-monitor

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

TeamPCP

A second process, gh-token-monitor, checks stolen GitHub tokens every 60 seconds — alerting the attacker the moment one is revoked.

via cyberscoopcyberscoop.com

MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques

T1053Scheduled Task/JobEvidence2

It also deploys a dead man's switch : a gh-token-monitor service (systemd on Linux / LaunchAgent on macOS) that polls api.github.com/user with the stolen token every 60 seconds.

T1053.006Systemd TimersEvidence1

The monitor then polls hxxps[:]//api[.]github[.]com/user every 60 seconds using a stolen GitHub token. If the API returns any 40x response—indicating the token has been revoked—the monitor executes a configured handler, which in this variant decodes to rm -rf ~/ .

Persistence

6 techniques

T1053Scheduled Task/JobEvidence2

It also deploys a dead man's switch : a gh-token-monitor service (systemd on Linux / LaunchAgent on macOS) that polls api.github.com/user with the stolen token every 60 seconds.

T1053.006Systemd TimersEvidence1

T1543Create or Modify System ProcessEvidence2

Install a background service named "gh-token-monitor"

T1543.001Launch AgentEvidence3

on macOS, it can install com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.gh-token-monitor.plist

T1543.002Systemd ServiceEvidence4

On Linux, it can install a user-level kitty-monitor.service ... Stop and remove kitty-monitor persistence on Linux ... ~/.config/systemd/user/kitty-monitor.service

T1547.015Login ItemsEvidence1

On macOS, unload gh-token-monitor with launchctl bootout ... ~/Library/LaunchAgents/com.user.gh-token-monitor.plist ... On macOS, unload kitty-monitor ... ~/Library/LaunchAgents/com.user.kitty-monitor.plist

Privilege Escalation

6 techniques

T1053Scheduled Task/JobEvidence2

It also deploys a dead man's switch : a gh-token-monitor service (systemd on Linux / LaunchAgent on macOS) that polls api.github.com/user with the stolen token every 60 seconds.

T1053.006Systemd TimersEvidence1

T1543Create or Modify System ProcessEvidence2

Install a background service named "gh-token-monitor"

T1543.001Launch AgentEvidence3

on macOS, it can install com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.gh-token-monitor.plist

T1543.002Systemd ServiceEvidence4

On Linux, it can install a user-level kitty-monitor.service ... Stop and remove kitty-monitor persistence on Linux ... ~/.config/systemd/user/kitty-monitor.service

T1547.015Login ItemsEvidence1

Stealth

1 technique

T1070Indicator RemovalEvidence1

If the token is revoked (HTTP 40x), it executes rm -rf ~/.

Credential Access

2 techniques

T1555Credentials from Password StoresEvidence1

Large-scale credential and secret leakage, including CI/CD, cloud API keys, SSH keys, and more, is probable for any environment exposed.

T1649Steal or Forge Authentication CertificatesEvidence1

...using GitHub Actions cache poisoning and token exfiltration techniques... to steal CI/CD, cloud, and developer credentials.

Exfiltration

1 technique

T1041Exfiltration Over C2 ChannelEvidence1

Attacker C2 infrastructure includes custom domains. Session messaging, and GitHub repo exfiltration, with redundant failovers ensures persistence and stealth.

Impact

1 technique

T1485Data DestructionEvidence5

Install a background service named "gh-token-monitor" that acts as a wiper by removing all data ("rm -rf ~/; rm -rf ~/Documents") if the stolen GitHub token is revoked by the developer.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

cyberscoopNews

May 19, 2026

Mini Shai-Hulud returns, compromising hundreds of npm packages | CyberScoop

A monitoring component that continuously checks validity of stolen GitHub tokens and alerts the attacker when a token is revoked, enabling near-real-time awareness of incident response actions.

jfrog researchNews

May 19, 2026

Shai-Hulud Returns: npm Worm hits @antv in latest ongoing campaign - JFrog Security Research

Destructive dead-man-switch component of Shai-Hulud that monitors validity of stolen GitHub tokens and can execute destructive commands such as rm -rf on the victim host if the token is invalidated.

infosecurity magazine comNews

May 12, 2026

Mini Shai-Hulud Hits TanStack npm Packages - Infosecurity Magazine

A daemon observed on developer machines during the campaign that monitors stolen GitHub tokens, polls GitHub periodically, and may attempt destructive cleanup by wiping the user's home directory if a monitored token is revoked.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping11

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.