A hijacked npm account was used to publish malicious versions of 314 packages, including size‑sensor and echarts‑for‑react. The payload harvests cloud credentials, attempts container escapes and reports to a GitHub‑hosted C2. Developers are urged to rotate secrets and audit their environments.
Shai‑Hulud resurfaces: 314 npm packages compromised after fresh account breach
On the morning of 19 May 2026 a compromised npm account unleashed a wave of malicious releases that touched 314 packages across the registry. The account, [email protected], belongs to a developer in Hangzhou, China. Within a 22‑minute window the attacker published tainted versions of popular modules such as size‑sensor, echarts‑for‑react, @antv/scale, and timeago.js.
| Package | Monthly downloads | Malicious version |
|---|---|---|
| size‑sensor | 4.2 M | 2.0.3 |
| echarts‑for‑react | 3.8 M | 1.5.2 |
| @antv/scale | 2.2 M | 0.9.1 |
| timeago.js | 1.15 M | 4.1.0 |
The most widely used package, size‑sensor, alone accounts for over four million installs per month, meaning a large slice of the JavaScript ecosystem may have pulled the infected tarball.
Malware payload
Security researcher Nicholas Carlini first reported the issue on GitHub. The malicious code follows the same template that was used to hijack SAP‑related npm packages three weeks earlier. Its main capabilities are:
- Credential harvesting – reads environment variables and scans the file system for tokens belonging to GitHub, npm, AWS, Azure, Google Cloud, Docker, Stripe and other services.
- Container escape attempts – tries to break out of Docker or other OCI runtimes by probing
/procand mounting host file systems. - Exfiltration – bundles stolen secrets and pushes them to a newly created GitHub repository that acts as a command‑and‑control (C2) beacon.
- Local injection – drops configuration files into sibling projects on the developer’s workstation. Those files are later executed by AI‑assisted coding tools such as Claude Code or OpenAI Codex, giving the attacker a second infection vector.
- Back‑door repository – a small Python script in the attacker‑controlled repo periodically pulls additional payloads and executes them, allowing the campaign to evolve without further npm releases.
The code was signed off with a terse deprecation notice on npm: "this version was published in error, please use the latest version instead". Some versions were later removed, but the brief window was enough for the package manager to cache the tarballs on CI/CD mirrors.
Response timeline
| Time (UTC) | Action |
|---|---|
| 02:12 | First malicious publish detected |
| 02:14 | Additional 313 packages updated |
| 02:35 | Issue opened on GitHub by Carlini |
| 02:45 | Account owner closes issue, marks as fixed |
| 03:00 | npm deprecates affected versions |
| 03:20 | SafeDep publishes full payload analysis |
Because the issue was closed quickly, the warning is hidden by default on GitHub. Developers need to search the closed‑issues list or consult the SafeDep report to see the details.
Mitigation checklist for affected developers
- Rotate every credential that could have been present in the build environment – API keys, tokens, SSH keys, cloud provider secrets.
- Audit npm lockfiles for the listed versions. If any appear, bump to the latest clean release and run
npm ciagain. - Search GitHub for unknown repositories owned by your organization or personal account; delete anything suspicious.
- Inspect systemd services on Linux hosts for unknown units that may have been dropped by the payload.
- Enable npm audit and consider tools like Snyk or GitHub Dependabot to catch future supply‑chain anomalies.
Maintainers who hold publishing credentials are at highest risk because the attacker can reuse stolen tokens to push further malicious releases under their namespace.
Wider supply‑chain context
The incident follows a series of supply‑chain compromises that have hit npm over the past months, including the earlier Shai‑Hulud wave reported yesterday and the SAP‑related breach. While PyPI and RubyGems have also seen malicious uploads, npm remains the most attractive target due to its sheer volume of daily downloads and the prevalence of automated CI pipelines that pull packages without manual review.
Microsoft’s GitHub division has not yet issued a detailed statement. In September 2023 a roadmap for a more secure npm supply chain was published, but the measures outlined there have not prevented the current wave.
What to watch next
- Token reuse – if the stolen token was used elsewhere (e.g., Docker Hub, private registries) attackers may launch parallel campaigns.
- New C2 repos – monitor for freshly created GitHub repositories with minimal activity that contain encoded strings or base64 blobs.
- Emerging variants – the payload template is modular; expect minor tweaks that target other cloud providers or CI tools.
Developers who rely on the affected packages should treat this as a reminder to lock down their build environments, enforce least‑privilege credentials and keep an eye on supply‑chain alerts.
For a deep dive into the payload code, see the SafeDep analysis on their GitHub page.
Comments
Please log in or register to join the discussion