Skip to main content
Emerging ThreatsSupply Chain Attacks

Mini Shai-Hulud Campaign Targets npm Ecosystem with Malicious AntV Packages

Software development workspace with a computer screen displaying a blurred graph, surrounded by cables and development tools.

"The potential blast radius is significant because the affected publishing account is connected to widely used packages across data visualization, graphing, mapping, charting, and React component ecosystems," Socket said.

Scale and targets: hundreds of packages, one popular React wrapper

Researchers report a large, fast-moving supply chain operation that has injected malicious updates into the @antv ecosystem and related npm packages. Socket said the attacker published 639 malicious versions across 323 unique packages, including 558 versions across 279 unique @antv packages. The campaign touched widely used modules such as @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, and @antv/data-set, and also struck packages outside the @antv namespace, notably echarts-for-react — a React wrapper for Apache ECharts with roughly 1.1 million weekly downloads — along with timeago.js, size-sensor, canvas-nest.js, and others.

How the attack propagated: a compromised maintainer account and automated republishes

Multiple analyst teams described the same tradecraft: the attacker compromised an npm maintainer account (atool) and used the account to republish trojanized package versions. SafeDep explained the npm propagation flow in detail: the malware validates stolen npm tokens via the registry API, enumerates packages maintained by the token owner, downloads package tarballs, injects the malicious payload, inserts a preinstall hook, increments package versions, and republishes the modified packages under the compromised identity. SafeDep added that each compromised version adds a preinstall hook (bun run index.js) and that 630 of the 631 malicious versions also inject an optionalDependencies entry that delivers a second copy of the payload via the legitimate antvis/G2 GitHub repository.

Payload and exfiltration: credential-stealing at scale

The payload is a credential stealer designed to harvest more than 20 credential types. Socket and other analysts list targets including Amazon Web Services, Google Cloud, Microsoft Azure, GitHub, npm, SSH keys, Kubernetes credentials, Vault secrets, Stripe data, database connection strings, and attempts to escape Docker containers by accessing the host socket. Collected data is serialized, compressed, encrypted, and exfiltrated to the domain ("t.m-kosche[.]com:443"). As a fallback, the malware uses any stolen GitHub token to create a public repository in the victim's account and commit the data as a JSON file; those repositories carry the description "niagA oG eW ereH :duluH-iahS," which reverses to "Shai-Hulud: Here We Go Again." Analysts report more than 2,200 GitHub repositories now containing that marker.

Timeline, attribution, and the open-sourcing of the worm

SafeDep flagged an especially rapid publishing window: "The 22-minute publish burst across 314 packages (631 versions), with an identical obfuscated payload, rules out a gradual or targeted operation. This was automated, rapid exfiltration using a stolen token." Analysts connect the code to the Mini Shai-Hulud campaign; Socket noted the stealer is identical to the payload used in a prior SAP compromise. Datadog said the campaign appears to be the work of a financially motivated actor identified as TeamPCP, and that the operation entered a new phase when TeamPCP released the entire source code in conjunction with a supply chain attack contest announced in partnership with BreachForums. Datadog warned that open-sourcing a production offensive framework "lowers the barrier for other actors to adopt TeamPCP's playbook including the more sophisticated techniques like OIDC token abuse, provenance forgery, and AI tool persistence hooks." Following that release, an unknown threat actor uploaded four malicious npm packages — one containing a near-verbatim copy of the Shai‑Hulud worm with its own command-and-control infrastructure — a development that Datadog and others say complicates attribution and raises the risk of clone waves.

What this means for technologists, enterprises, and open-source maintainers

  • Technologists and security teams: expect credential-theft techniques aimed at cloud and CI tooling to be a primary concern; the campaign specifically targets AWS, Google Cloud, Azure, GitHub, npm tokens, Kubernetes, Vault, and container hosts.
  • Affected enterprises and procurement leaders: organizations that automatically pull dependency updates face meaningful downstream exposure because even a subset of compromised packages in a popular ecosystem can propagate broadly — Socket warned of a "meaningful downstream exposure" tied to the popularity of the package ecosystem.
  • Open-source maintainers: the incident underlines the risk of compromised maintainer accounts and token abuse; SafeDep and Socket describe an automated cycle that enumerates packages maintained by a token and republishes trojanized tarballs under the original maintainer identity.

The Mini Shai‑Hulud wave demonstrates a cascade effect: one compromised account feeds further compromises, and the public release of the offensive framework appears to have born immediate imitators. As Datadog and other analysts point out, that combination — a self-replicating worm, credential harvesting across cloud and developer tooling, and public distribution of the offensive code — materially lowers the work factor for subsequent actors. The visible markers are already many: hundreds of malicious versions, thousands of flagged repositories, and multiple copycat uploads. Whether defenders can halt attribution‑complicating clone waves before the malware reaches further into enterprise build and deployment pipelines is the urgent question left by this episode.

Source: The Hacker News