Skip to main content
Emerging ThreatsMalware & Ransomware

Mini Shai-Hulud Worm Targets AntV Ecosystem with Coordinated npm Package Attack

Software development workspace with laptop, notes, and monitor displaying lines of code in a neutral-colored room with…

"The operation was not only built to spread, but also to slow down analysis," Avital Harel, security research lead at Upwind, said after a one‑hour surge of malicious npm publishes tied to the AntV ecosystem.

Scale and timeline of the May 19 AntV wave

Socket's Threat Research Team reports the event began at about 01:56 UTC on May 19 and, in roughly an hour, pushed 639 malicious versions across 323 unique npm packages. The burst formed one of the largest single‑registry waves associated with the broader Mini Shai‑Hulud campaign. Microsoft, which earlier published Defender guidance for Mini Shai‑Hulud, posted updates from its own investigation via X on Tuesday, May 19.

Several high‑download dependencies were affected, including echarts‑for‑react, size‑sensor, @antv/scale, and timeago.js. Socket noted that the compromised maintainer account — "atool" — had publish rights to more than 500 packages, amplifying the reach of the single‑hour operation.

Technical delivery: preinstall hooks and an obfuscated Bun bundle

Each malicious version added a preinstall hook to package.json that executed a 498 KB obfuscated Bun bundle. According to the analysis, that payload harvested cloud credentials, CI/CD tokens, SSH keys, Kubernetes service account tokens and local password manager vaults.

Exfiltration was performed by creating public GitHub repositories using stolen tokens. Those repositories employed Dune universe terminology for names and contained descriptions that included a reversed marker reading "Shai‑Hulud: Here We Go Again," a distinct telemetry signal used by defenders to identify compromises.

Trusted‑repo hosting via imposter commits

The AntV wave reused a payload‑delivery technique observed in earlier waves: most malicious versions injected an optionalDependencies entry that pointed to orphan commits planted in an unrelated but trusted repository, antvis/G2. Attackers forged commit authorship to match a real maintainer of that project to discourage scrutiny.

That technique exploits two mechanics described in the analysis: GitHub's storage of commits in a shared object pool across a repository's fork network, and npm's github: resolver fetching by commit hash without checking which fork contains the commit. As Isaac Evans, founder and CEO of Semgrep, put it, "A package you have trusted for years can suddenly become the delivery mechanism." Socket characterizes the tradecraft as consistent with a "high‑volume npm compromise pattern involving coordinated malicious publishes."

Attribution, scope across ecosystems, and campaign signals

Socket's work places the AntV wave within a wider set of supply‑chain incursions. Across all waves, the company has tracked 1,055 compromised versions across 502 unique packages spanning npm, PyPI and Composer. StepSecurity has logged more than 2,500 GitHub repositories containing campaign markers and attributes the broader activity to a financially motivated cluster it calls TeamPCP.

The Dune‑themed repository names and the reversed‑marker descriptions are recurrent campaign markers that defenders are using to identify repositories created with stolen tokens. That naming pattern has become part of the forensic footprint available to incident responders and researchers.

What this means for technologists, open‑source maintainers, and enterprises

  • Technologists and security teams: Snyk advises treating any secret accessible during installation as compromised, explicitly naming organization‑scoped GitHub Actions secrets and OIDC tokens. Recommended actions include pinning dependencies to versions published before May 19 and rotating all credentials exposed to affected build environments.
  • Open‑source maintainers: The attack demonstrates how a single compromised maintainer account with broad publish privileges can propagate malicious code across many packages quickly. The use of forged authorship on commits in trusted repositories illustrates a practical vector for supply‑chain delivery that maintainers and repository administrators must watch for.
  • Enterprises and procurement leaders: Organizations relying on high‑download dependencies in the AntV ecosystem should audit builds for unexpected preinstall hooks, rotate exposed secrets, and review GitHub activity for unauthorized repository creation that matches the campaign's Dune‑themed naming and reversed description marker.

The AntV wave reaffirms two concrete realities for defenders: the speed at which a single compromised maintainer can poison a large dependency surface, and the degree to which attackers will layer obfuscation and trusted‑repo tricks to delay analysis. Socket, Microsoft, Snyk and other responders have published indicators and mitigation guidance; the immediate defensive steps they recommend — pinning pre‑May‑19 versions, credential rotation, and auditing for Dune‑themed repositories bearing the reversed "Shai‑Hulud: Here We Go Again" marker — give incident response teams explicit actions to contain exposure and begin recovery.

Original story