Socket researchers found "639 malicious versions across 323 unique packages in about one hour," a torrent of poisoned npm artifacts that swept through widely used libraries and left supply chains exposed.
Affected packages and ecosystems
The bulk of the wave targeted the @antv ecosystem — libraries for charting, graph visualization, flowcharting and mapping — but the assault also touched popular packages outside that namespace. Socket and other researchers identified impacted libraries including echarts-for-react, @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/g2plot, @antv/graphin, timeago.js, size-sensor and canvas-nest.js.
Endor Labs noted that some of the compromised packages such as timeago.js, size-sensor and jest-canvas-mock had not received legitimate updates for a long time and were therefore less likely to have OIDC-based trusted publishing configured. The report calls out jest-canvas-mock specifically as a package with 10 million monthly downloads that has been dormant for about three years.
Researchers say the Shai-Hulud campaigns began last September and continue to affect multiple ecosystems — primarily npm, with incidents also seen on PyPI and Composer to a lesser degree.
Malicious payload and targeted credentials
The latest wave injected a heavily obfuscated root-level index.js payload that attempts to steal a broad array of secrets. According to the reporting, the malware searches for credentials for GitHub, npm, cloud providers, Kubernetes, Vault, Docker, databases and SSH keys. It focuses on developer workstations and CI/CD environments, explicitly naming GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI, Vercel, Netlify and other build platforms as targets.
To complicate detection and takedown, exfiltration goes over the Session P2P network; GitHub is used as a fallback when publishing tokens are available, and stolen data has been published in repositories under victims' accounts when tokens were found.
The payload also prepares stolen material to evade network inspection: data is serialized, Gzip-compressed, AES-256-GCM-encrypted and RSA-OAEP-wrapped before transmission.
Self-propagation, token theft and Sigstore provenance abuse
The campaign is not limited to one-off theft. When it obtains npm tokens, the malware validates those tokens, enumerates packages owned by the victim, downloads package tarballs, injects the malicious payload and republishes the infected packages with bumped version numbers — enabling ongoing spread through legitimate update channels.
Endor Labs called out a key new capability in this variant: the ability to generate valid Sigstore provenance attestations. By abusing OIDC tokens from compromised CI environments and submitting them to Fulcio and Rekor, the attacker can make malicious npm packages appear legitimately signed and pass standard provenance verification checks despite containing credential-stealing malware.
Socket says the AntV payloads differ technically from earlier Mini Shai-Hulud artifacts — “the AntV sample uses a root-level index.js, a different primary C2 endpoint, and a smaller payload body. However, the core operational model is consistent.”
Observed scale on GitHub and curated detection lists
Socket researchers maintain a running list of package artifacts affected by all Shai-Hulud attacks; that list has grown to more than 1,000 entries. Socket also found roughly 1,900 publicly visible GitHub repositories matching the campaign’s markers, while a separate report from Aikido reports the attacker has published more than 2,700 rogue repositories on GitHub using stolen tokens.
Because Shai-Hulud’s code was recently leaked on GitHub by the TeamPCP threat group and the leaked toolset has already been used in operations, the vendors warn that attribution of this new campaign is more difficult. Socket notes the new variant differs technically from earlier payloads but retains the same operational characteristics.
What this means for developers, CI/CD teams, and open-source maintainers
- Developers and security teams: If you downloaded any of the infected npm packages, uninstall them immediately and rotate all secrets within reach of the infected systems, per the recommendations reported by researchers.
- CI/CD operators and platform owners: Watch for abuse of OIDC tokens and for automated creation of repositories and uploads using compromised GitHub credentials; researchers observed stolen data being posted to victim accounts when tokens were available.
- Open-source maintainers and package consumers: Dormant packages without recent updates are at elevated risk because they are less likely to have OIDC trusted publishing enabled. Check npm tokens, consider enabling OIDC-based publishing, and cross-reference installed packages against the lists published by Socket and others.
The technical sophistication — encrypted, compressed exfiltration, Sigstore provenance abuse and automated republishing — means defenders must treat this as more than a transient nuisance. The immediate, concrete steps researchers recommend are simple and urgent: remove infected packages and rotate secrets. Beyond that, the growing lists of affected artifacts and the multiple GitHub repositories linked to stolen tokens provide starting points for cleanup and incident response.
Original reporting: https://www.bleepingcomputer.com/news/security/new-shai-hulud-malware-wave-compromises-600-npm-packages/




