Mini Shai-Hulud Exploits AntV npm Packages via Compromised Maintainer Account
Cybersecurity experts have identified a new software supply chain attack targeting npm packages within the @antv ecosystem, marking the latest development in the ongoing Mini Shai-Hulud campaign.
The attack specifically compromises packages associated with the npm maintainer account ‘atool,’ notably affecting ‘echarts-for-react,’ a widely utilized React wrapper for Apache ECharts, which boasts approximately 1.1 million weekly downloads.
The list of compromised packages includes several @antv packages such as @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, and @antv/data-set. Additionally, related packages outside the @antv namespace, including echarts-for-react, timeago.js, size-sensor, and canvas-nest.js, have also been affected.
The attack methodology mirrors previous Mini Shai-Hulud incidents, where compromised maintainer accounts are exploited to rapidly distribute trojanized versions of packages.
This development underscores the persistent threat posed by the Mini Shai-Hulud campaign, which continues to infiltrate the software supply chain by embedding credential-stealing code into popular development tools across various open-source registries.
The potential impact is significant due to the widespread use of the affected packages in data visualization, graphing, mapping, charting, and React component ecosystems. Even if only a subset of these packages received malicious updates, the popularity of the ecosystem creates substantial downstream exposure for organizations that automatically integrate new dependency versions.
The attacker has published 639 malicious versions across 323 unique packages, including 558 versions across 279 unique @antv packages. The malicious payload is designed to harvest over 20 types of credentials, including those for Amazon Web Services, Google Cloud, Microsoft Azure, GitHub, npm, SSH, Kubernetes, Vault, Stripe, and database connection strings. It also attempts to escape Docker containers via the host socket. This stealer is identical to the Mini Shai-Hulud payload used in the SAP compromise.
The collected data is serialized, compressed, encrypted, and exfiltrated to the domain t.m-kosche[.]com:443. As a fallback, the malware uses the stolen GitHub token to create a public repository under the victim’s account, committing the data in a JSON file. These repositories feature the description "niagA oG eW ereH :duluH-iahS", which reverses to "Shai-Hulud: Here We Go Again". As of now, there are over 2,500 such repositories on GitHub.
These repositories are created using GitHub tokens stolen from compromised CI/CD environments. The sheer volume, over two thousand repositories, indicates a significant number of unique environments whose credentials were successfully exfiltrated. If your GitHub token was among those stolen, the attacker has used it to create at least one of these repositories under an account they control.
The malware also includes an npm propagation mechanism that abuses stolen npm tokens to validate them through the npm registry API, enumerate packages maintained by the token owner, download package tarballs, inject the malicious payload, add a preinstall hook, increase the package versions, and republish them using the compromised maintainer’s identity.
The attack employs two execution paths. Each compromised version adds a preinstall hook (bun run index.js). Additionally, 630 of the 637 malicious versions inject an optionalDependencies entry pointing to imposter commits that deliver a second copy of the payload via the legitimate antvis/G2 GitHub repository.
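A defender-side check for the two execution paths described above, as an added example that is not from the original report or from any affected project: it audits parsed package.json objects for install-time lifecycle hooks and for optionalDependencies that resolve outside the registry. The function names, sample package names, versions and commit ref are assumptions constructed for illustration.

```javascript
// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Specifiers that resolve outside the registry: git URLs, the github: prefix,
// tarball URLs, and "owner/repo#ref" shorthand.
const NON_REGISTRY_SPEC =
  /^(?:git(?:\+\w+)?:|github:|https?:|[\w.-]+\/[\w.-]+(?:#.+)?$)/i;

function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    // The reported hook is a preinstall script that invokes `bun run`.
    const high = hook === "preinstall" && /\bbun\s+run\b/.test(cmd);
    findings.push({ kind: "install-hook", detail: `${hook}: ${cmd}`,
                    severity: high ? "high" : "review" });
  }
  const optional = manifest.optionalDependencies || {};
  for (const [name, spec] of Object.entries(optional)) {
    if (typeof spec === "string" && NON_REGISTRY_SPEC.test(spec.trim())) {
      findings.push({ kind: "non-registry-optional-dep",
                      detail: `${name} -> ${spec}`, severity: "high" });
    }
  }
  return findings;
}

// Returns { "name@version": findings[] } for manifests with any finding.
function auditAll(manifests) {
  const report = {};
  for (const m of manifests) {
    const findings = auditManifest(m);
    if (findings.length) report[`${m.name}@${m.version}`] = findings;
  }
  return report;
}

// Constructed samples: names, versions and the commit ref are placeholders.
const SAMPLES = [
  { name: "example-chart-lib", version: "9.9.9",
    scripts: { preinstall: "bun run index.js" },
    optionalDependencies: { "example-helper": "github:example-org/example-repo#0000000" } },
  { name: "example-native-addon", version: "2.1.0", scripts: { install: "node-gyp rebuild" } },
  { name: "example-clean", version: "1.0.0", optionalDependencies: { fsevents: "^2.3.3" } },
];
console.log(JSON.stringify(auditAll(SAMPLES), null, 2));
```

Install hooks that do not match the reported pattern are marked "review" rather than "high", since legitimate native add-ons also use them.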
The rapid publication of 637 malicious versions across 317 packages within a 22-minute burst, all containing an identical obfuscated payload, indicates an automated, large-scale exfiltration using a stolen token, rather than a gradual or targeted operation.
A notable feature in the latest payload version is a Sigstore attestation pipeline, allowing the attacker to sign artifacts with legitimate Sigstore certificates when running in CI environments using a newly minted OIDC token. This Supply-chain Levels for Software Artifacts (SLSA) provenance forgery makes a malicious version indistinguishable from a legitimate release.
The certificate subject reflects the identity of the CI runner whose OIDC token the worm minted, a legitimate identity that did not authorize the publish. The attestation proves where the package was built but does not prove the build was authorized.
The self-replicating Mini Shai-Hulud campaign is attributed to a financially motivated threat actor known as TeamPCP. Recently, the campaign has entered a more aggressive phase after TeamPCP released the entire source code for other threat actors to use as part of a supply chain attack contest announced in partnership with BreachForums.
The open-sourcing of a production offensive framework is unusual for an active campaign. It lowers the barrier for other actors to adopt TeamPCP’s techniques, including sophisticated methods like OIDC token abuse, provenance forgery, and AI tool persistence hooks.
Since then, an unknown threat actor has uploaded four malicious npm packages, one of which contains a near-verbatim copy of the Shai-Hulud worm with its own command-and-control infrastructure, indicating that cloned versions of the worm may infest open-source ecosystems.
This copycat wave complicates attribution efforts, while the attacks continue to facilitate credential theft and open the door for further exploitation. The incident demonstrates how compromising trusted tools within enterprise networks can be abused as delivery vehicles for malware. The campaign’s danger lies in its ability to feed one compromise into the next, resulting in an ever-expanding blast radius as more packages are hacked.
This campaign is built for credential theft at scale. Organizations using GitHub Actions, PyPI, Docker Hub, GHCR, VS Code extensions, and cloud-connected CI runners are directly exposed to this risk.