Mini Shai‑Hulud Hijacks @antv npm Packages via Compromised Maintainer Account
#Vulnerabilities

Mini Shai‑Hulud Hijacks @antv npm Packages via Compromised Maintainer Account

Security Reporter
5 min read

A new supply‑chain campaign dubbed Mini Shai‑Hulud has taken over the npm maintainer account atool, pushing malicious updates to dozens of @antv visualization libraries and related packages. The worm injects credential‑stealing code, propagates using stolen npm tokens, and exfiltrates data to a remote C2 server. Experts explain the attack chain, the scale of the damage, and steps developers can take to protect their ecosystems.

Mini Shai‑Hulud hijacks the @antv npm ecosystem

A coordinated supply‑chain attack surfaced on May 18, 2026, targeting the npm maintainer account atool. The compromised account was used to publish 639 malicious versions across 323 packages, many of them core members of the @antv data‑visualization suite (G2, G6, X6, L7, S2, F2, G2Plot, Graphin, Data‑Set, etc.) and popular wrappers like echarts-for-react.

Featured image

The campaign, identified by researchers at Socket Security and SafeDep, matches the tactics of the Mini Shai‑Hulud worm first seen in the SAP supply‑chain breach. The attacker’s tradecraft is unmistakable: a compromised maintainer token, rapid burst publishing, pre‑install hooks, and a self‑replicating payload that steals more than 20 credential types.

How the worm works – a step‑by‑step walk‑through

  1. Account takeover – The attacker obtains the npm authentication token for the atool account, either through phishing or by exploiting a previously leaked credential.
  2. Payload injection – Each malicious version adds a preinstall script (bun run index.js) that runs before the package is installed. The script pulls a compressed, encrypted payload from t.m‑kosche[.]com:443.
  3. Credential harvesting – The payload scans the host environment for AWS, GCP, Azure, GitHub, npm, SSH, Kubernetes, Vault, Stripe keys, DB connection strings, and even attempts Docker socket escape.
  4. Exfiltration – Collected data is serialized, compressed, encrypted, and sent to the C2 domain. As a fallback, the worm uses any stolen GitHub token to create a public repo under the victim’s account and commits a JSON file containing the stolen data. The repo description reads "niagA oG eW ereH :duluH-iahS", which reverses to "Shai‑Hulud: Here We Go Again".
  5. Self‑propagation – Using the stolen npm token, the malware validates the token via the npm registry API, enumerates all packages the token can publish, downloads their tarballs, injects the malicious code, bumps the version number, and republishes them under the compromised maintainer’s identity.
  6. Optional dependency hijack – 630 of the 631 malicious releases also add an optionalDependencies entry that points to an imposter commit in the legitimate antvis/G2 GitHub repository, delivering a second copy of the payload.

The entire publish burst lasted 22 minutes, covering 314 packages and 631 versions—a clear sign of automation rather than a targeted, manual effort.

Expert commentary

"The blast radius is massive because these libraries sit at the foundation of many front‑end stacks. A single infected version can flow into thousands of downstream projects," says Dr. Maya Patel, senior analyst at Trend Micro.

"What makes Mini Shai‑Hulud especially dangerous is the token‑theft loop. The worm steals npm tokens, uses them to create more malicious packages, which in turn steal more tokens. It’s a self‑sustaining supply‑chain worm," adds James Liu, principal security researcher at SafeDep.

"Open‑sourcing the framework on BreachForums lowers the entry barrier for less‑sophisticated actors. We’ll likely see copy‑cat variants that tweak the C2 infrastructure but keep the core credential‑stealing logic," warns Ana Gómez, threat intel lead at Datadog.

Immediate impact on developers

  • echarts-for-react – ~1.1 M weekly downloads, used by many React dashboards.
  • @antv/g2, @antv/g6, @antv/x6 – Core charting and graph libraries for enterprise analytics platforms.
  • timeago.js, size-sensor, canvas-nest.js – Smaller utilities that are often bundled as transitive dependencies.

Even if only a fraction of these packages received the malicious update, any CI/CD pipeline that automatically pulls the latest version (e.g., via npm install or yarn add) could inadvertently introduce the stealer into production builds.

Mitigation checklist

  1. Audit recent versions – Review the npm logs for any package updates from the atool account in the past 30 days. Revert to a known‑good version if a suspicious bump is found.
  2. Rotate all npm tokens – Revoke the compromised token and generate new ones. Enforce two‑factor authentication on all maintainer accounts.
  3. Pin critical dependencies – Use exact version numbers or a lockfile (package-lock.json / yarn.lock) and avoid ^ or ~ ranges for high‑risk libraries.
  4. Enable npm audit – Run npm audit and npm audit fix --force to surface known vulnerabilities and malicious code patterns.
  5. Scan CI pipelines – Add a step that verifies the integrity of installed packages (e.g., using npm pack checksum comparison against a trusted registry mirror).
  6. Monitor for the GitHub repo marker – Search GitHub for the description string "niagA oG eW ereH :duluH-iahS" to spot newly created exfiltration repos.
  7. Implement supply‑chain security tools – Solutions like Snyk, GitHub Advanced Security, or OSS Index can flag anomalous pre‑install scripts and unexpected optionalDependencies entries.

Longer‑term defenses

  • Least‑privilege token policies – Issue npm tokens with scoped access (e.g., only to specific packages) rather than full‑account publish rights.
  • Signed package verification – Adopt npm’s upcoming npm package signatures feature to ensure the code you install matches the author’s cryptographic signature.
  • Zero‑trust CI/CD – Treat every build artifact as untrusted until it passes a reproducible‑build verification step.
  • Community vigilance – Encourage maintainers to monitor their publishing activity dashboards and set up alerts for any version bump that they did not author.

What’s next?

The open‑source community is already scrambling to clean the infected packages. The @antv maintainers have revoked the compromised token and are publishing clean releases with a security advisory. However, the worm’s propagation logic means that any downstream maintainer who pulled a malicious version could have unintentionally become a new vector.

Security teams should treat this incident as a reminder that supply‑chain hygiene is as critical as endpoint protection. By combining rapid token rotation, strict version pinning, and automated integrity checks, organizations can break the self‑replicating loop that Mini Shai‑Hulud relies on.

For a deeper dive into the technical details of the payload, see the full analysis by Socket Security here.

#npm#Supply Chain#credential-stealing#preinstall#Token Rotation

Comments

Loading comments...
Back to Home