When a trusted software component suddenly turns malicious, the damage ripples through thousands of organizations before anyone notices something's wrong. The Mini Shai-Hulud campaign demonstrates this reality by compromising npm packages that power data visualization dashboards, React applications, and charting libraries used across industries. (Source: The Hacker News)
The attack's reach extends far beyond individual developers. Organizations relying on Apache ECharts through the echarts-for-react wrapper face immediate exposure, with approximately 1.1 million weekly downloads placing countless production systems at risk. Financial services firms using these packages for trading dashboards, healthcare organizations displaying patient metrics, and logistics companies tracking shipments all depend on these compromised components.
What makes this incident particularly damaging is the trust relationship it exploits. The compromised atool maintainer account had legitimate publishing rights to packages within the @antv ecosystem - a collection of data visualization and graphing tools widely deployed in enterprise environments. When attackers gained control of this account, they inherited the ability to push updates that systems automatically trust and install.
The blast radius encompasses multiple critical business functions. Data visualization packages like @antv/g2 and @antv/g6 power executive dashboards and operational monitoring systems. Mapping libraries such as @antv/l7 drive location-based services and supply chain tracking. React component ecosystems affected by the compromise integrate directly into customer-facing applications and internal tools. Each compromised package represents hundreds or thousands of downstream applications that automatically pulled the malicious updates.
The financial motivation behind TeamPCP's operation translates into specific business risks. The malware harvests credentials from Amazon Web Services, Google Cloud, and Microsoft Azure environments, potentially exposing cloud infrastructure costs, customer data repositories, and proprietary algorithms. Database connection strings stolen by the malware provide direct access to production databases. Stripe API keys compromise payment processing systems. GitHub and npm tokens enable further supply chain attacks using your organization's identity.
Traditional malware requires finding a way into your network - phishing emails, unpatched servers, or compromised credentials. Supply chain attacks like Mini Shai-Hulud bypass these defenses entirely because the malicious code arrives through trusted update channels. Your security team approved these packages months or years ago. Your developers reference them in production code. Your automated build systems pull their updates without question.
The campaign's self-replicating nature amplifies the damage exponentially. Each compromised environment becomes a launching pad for attacking others. The malware uses stolen npm tokens to identify other packages maintained by the victim, injects itself into those packages, and republishes them - spreading the infection to that maintainer's entire user base. This propagation mechanism transformed 323 unique packages into 639 malicious versions in just 22 minutes.
The recent open-sourcing of the Shai-Hulud framework source code fundamentally changes the threat landscape. What started as a single threat actor's campaign has become a toolkit available to any malicious actor with basic technical skills. The appearance of copycat attacks using near-identical code but different command-and-control infrastructure confirms that multiple groups now possess this capability. Every organization using npm packages - which includes virtually every modern software company - faces potential compromise from an expanding pool of attackers armed with proven, sophisticated tools.
Mini Shai-Hulud Supply Chain Attack Impact
Attack Chain: From Account Takeover to Malware Distribution
The attack began with the compromise of the npm maintainer account atool, which provided the attackers with legitimate publishing credentials to modify packages across the @antv ecosystem. This single account takeover enabled the threat actors to push malicious updates to packages that collectively serve millions of weekly downloads.
Once the attackers gained control, they executed a rapid-fire publishing campaign that deployed 639 malicious versions across 323 unique packages within just 22 minutes. The automated nature of this burst - publishing at a rate of nearly 30 versions per minute - indicates the use of pre-written scripts designed to maximize distribution before detection.
The compromised packages span critical visualization and development tools including @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, and @antv/data-set. Beyond the @antv namespace, the attackers also poisoned timeago.js, size-sensor, and canvas-nest.js - packages that integrate deeply into web applications for time formatting, responsive design, and visual effects.
The injection mechanism leveraged two parallel execution paths to ensure payload delivery. First, each compromised version added a preinstall hook that executed bun run index.js during package installation. Second, 630 of the 637 malicious versions injected an optionalDependencies entry pointing to imposter commits within the legitimate antvis/G2 GitHub repository, creating a secondary payload delivery channel that appeared to originate from trusted infrastructure.
The Shai-Hulud Framework payload embedded in these packages harvests over 20 credential types including AWS, Google Cloud, Microsoft Azure, GitHub, npm, SSH, Kubernetes, Vault, Stripe tokens, and database connection strings. The malware also attempts Docker container escape via the host socket, potentially breaking out of containerized environments to compromise the underlying infrastructure.
After credential theft, the malware serializes, compresses, and encrypts the stolen data before exfiltrating it to t.m-kosche[.]com:443. As a fallback mechanism, the payload uses stolen GitHub tokens to create public repositories under victims' accounts, committing the harvested credentials as JSON files with the distinctive description "niagA oG eW ereH :duluH-iahS" (Shai-Hulud: Here We Go Again reversed).
The self-propagating nature of the attack creates an exponential expansion pattern. Using stolen npm tokens, the malware validates credentials through the npm registry API, enumerates packages maintained by the compromised token owner, downloads their package tarballs, injects its payload, and republishes them under the legitimate maintainer's identity. This worm-like behavior means each successful compromise seeds multiple new infections.
A sophisticated evasion technique emerged in the latest payload version: Sigstore attestation pipeline abuse. When running in CI environments, the malware mints new OIDC tokens to sign artifacts with legitimate Sigstore certificates, making malicious releases cryptographically indistinguishable from authorized builds. The certificate subject reflects the CI runner's legitimate identity, even though that identity never authorized the publish operation.
The attack's automation and scale - publishing hundreds of versions in minutes with identical obfuscated payloads - demonstrates pre-planned infrastructure designed for maximum impact before security teams could respond. This wasn't opportunistic; it was a coordinated strike against the software supply chain's trust model.
npm Supply Chain Attack: @antv Ecosystem Compromise - preinstall hooks and fake GitHub dependencies
Detecting Compromised Packages in Your Dependencies
Organizations running affected packages need immediate visibility into their dependency trees to identify potential compromise. The malware's sophisticated credential harvesting capabilities mean that even brief exposure could have already resulted in stolen tokens and cloud credentials.
Start by auditing your npm dependencies for the specific packages compromised in this campaign. Run npm list @antv/g2 @antv/g6 @antv/x6 @antv/l7 @antv/s2 @antv/f2 @antv/g @antv/g2plot @antv/graphin @antv/data-set echarts-for-react timeago.js size-sensor canvas-nest.js to check if any affected packages exist in your project. The malicious versions were published in a 22-minute burst, so any updates pulled during that window require immediate investigation.
Check your package-lock.json files for version changes to these packages. The attackers published 639 malicious versions across 323 unique packages, with 558 versions targeting @antv packages specifically. Search for preinstall hooks by running grep -r "preinstall.*bun run index.js" node_modules/ - this specific command pattern appears in 630 of the 637 malicious versions.
Hunt for the payload's distinctive markers in your GitHub repositories. Search for repositories containing the description "niagA oG eW ereH :duluH-iahS" or its reverse "Shai-Hulud: Here We Go Again" - over 2,500 repositories already contain this marker, created using stolen GitHub tokens. If you find this string in any repository under your organization's control, your GitHub token has been compromised and used to exfiltrate data.
The malware's network behavior provides clear detection opportunities. Monitor outbound connections to the domain t.m-kosche[.]com on port 443, which serves as the primary exfiltration endpoint. The payload serializes, compresses, and encrypts stolen credentials before transmission, so look for unusual spikes in encrypted traffic to this destination.
Examine your CI/CD logs for suspicious npm API calls that enumerate package maintainers. The malware's propagation logic validates stolen npm tokens through the registry API, then downloads package tarballs and republishes them with injected payloads. This creates a distinct pattern of API calls: token validation, package enumeration, tarball downloads, version bumps, and rapid republishing.
The malware attempts Docker container escapes through the host socket. Review container logs for attempts to access /var/run/docker.sock or similar host socket paths. The payload harvests over 20 credential types including AWS, Google Cloud, Microsoft Azure, GitHub, npm, SSH, Kubernetes, Vault, Stripe, and database connection strings - any processes attempting to read these configuration files in bulk warrant investigation.
Look for optionalDependencies entries pointing to imposter commits in legitimate repositories. The attackers injected these entries in parallel with preinstall hooks, creating dual infection vectors. The legitimate antvis/G2 GitHub repository was used to host malicious payloads through these imposter commits, making detection more challenging since the repository itself appears trustworthy.
The latest payload versions include Sigstore attestation forgery capabilities. Check your SLSA provenance records for certificates where the subject reflects a CI runner identity that shouldn't have published the package. These forged attestations make malicious releases appear legitimate, but the mismatch between the certificate subject and expected publisher reveals the compromise.
Incident Response: Immediate Actions for Affected Organizations
Security teams discovering compromised packages in production face a critical decision window where every action determines whether stolen credentials enable further breaches. The malware's ability to harvest AWS, Google Cloud, Microsoft Azure, GitHub, npm, SSH, Kubernetes, Vault, Stripe, and database connection strings means immediate credential rotation takes precedence over root cause analysis.
For DevOps and Security Teams: Begin by freezing all automated deployments that pull npm dependencies. The malware's preinstall hook executes during package installation, so any CI/CD pipeline running npm install or bun install could trigger credential theft. Disable automated builds until you've verified clean package versions.
Safe rollback requires identifying the last known good versions before the 22-minute attack window. Since the attackers published malicious updates to existing version numbers, pinning to specific versions won't protect you - you need to verify package integrity through checksum validation. Download package tarballs directly from npm registry for versions published before the compromise, extract them locally, and manually inspect the package.json for unexpected preinstall hooks or optionalDependencies entries pointing to imposter commits.
Production systems running compromised packages require surgical removal rather than simple updates. The malware's Docker container escape attempts via host socket mean containerized applications need complete rebuild from verified base images. Kill running containers, remove local images built during the compromise window, and rebuild using dependency manifests that explicitly exclude affected packages.
For Security Leadership: The presence of over 2,500 GitHub repositories containing the "niagA oG eW ereH :duluH-iahS" marker provides concrete evidence for breach notification decisions. If your organization's GitHub account created repositories with this description, the attackers successfully exfiltrated credentials and used them to establish persistence.
Regulatory notification requirements trigger when the stolen credentials provide access to regulated data. Healthcare organizations whose npm tokens could access patient data repositories face HIPAA breach notification deadlines. Financial services firms must assess whether compromised Stripe tokens or database connection strings exposed payment card data, triggering PCI DSS incident response procedures.
Communication to customers depends on whether production systems served malicious code to end users. The malware's focus on backend credential theft rather than browser-based attacks limits direct customer exposure, but stolen API keys could enable subsequent attacks against customer data.
For Individual Developers: Local development environments require thorough inspection beyond simple package updates. Check your ~/.npmrc, ~/.docker/config.json, and ~/.kube/config files for unexpected modifications - the malware reads these configuration files to harvest authentication tokens.
Verify your GitHub account hasn't created unexpected public repositories by searching for repositories you own containing "Shai-Hulud" in the description. The malware's fallback exfiltration mechanism creates these repositories when primary command-and-control communication fails, meaning their presence confirms successful credential theft from your environment.
Clean recovery requires removing all node_modules directories, clearing npm cache with npm cache clean --force, and reinstalling dependencies using a verified package-lock.json from before the compromise. The malware's npm propagation logic means any packages you maintain could have been automatically compromised using your stolen npm token - audit your published packages for unauthorized version bumps or preinstall hooks.
Preventing Future Maintainer Account Hijacking
The compromise of a single maintainer account shouldn't grant attackers the keys to an entire software ecosystem, yet the Mini Shai-Hulud campaign proves this remains a systemic vulnerability. The atool account takeover reveals how npm's current security model places extraordinary trust in individual maintainers without requiring corresponding authentication safeguards.
Package maintainers control the software supply chain for millions of developers, yet many still rely on password-only authentication. The automated publishing burst that deployed malicious versions demonstrates how stolen credentials become weapons of mass distribution when maintainer accounts lack proper security controls.
npm Registry Security Gaps vs. Organizational Controls
The npm registry operates on a shared responsibility model where certain security measures require platform-level enforcement while others fall to individual organizations and maintainers. Understanding this division determines where you can take immediate action versus where industry pressure must drive change.
Platform-level changes npm should implement include mandatory two-factor authentication for packages exceeding download thresholds, time-based publishing restrictions that prevent rapid-fire version releases, and automated anomaly detection for unusual publishing patterns. The 22-minute window that saw hundreds of malicious versions published could have triggered automatic holds if velocity limits existed.
Organizations maintaining popular packages control their own authentication practices, API token management, and publishing workflows. You can implement IP whitelisting for package publishing, restrict publishing to specific CI/CD systems, and enforce hardware token requirements for maintainer accounts without waiting for npm policy changes.
Establishing Publishing Security Protocols
Package maintainers need documented security requirements that match the criticality of their software's reach. A package with 1.1 million weekly downloads deserves enterprise-grade access controls, not consumer-level password protection.
Implement mandatory two-factor authentication using hardware security keys for all maintainer accounts. SMS-based 2FA remains vulnerable to SIM swapping, while authenticator apps can be compromised through device theft. Hardware tokens provide the strongest protection against account takeover attempts.
Create dedicated publishing tokens with minimal scope and automatic expiration. The malware's npm propagation logic demonstrates how stolen tokens with broad permissions enable cascading compromises. Tokens should expire after 30 days, require explicit package scope definitions, and originate only from approved IP ranges.
Package Authenticity Verification Before Installation
The Sigstore attestation pipeline abuse shows that even cryptographic signatures can mislead when attackers control the signing process. Organizations need multi-layered verification that goes beyond trusting automated attestations.
Monitor package update frequencies and flag unusual publishing patterns. The rapid succession of 639 versions would trigger alerts in a properly configured monitoring system. Establish baseline publishing patterns for critical dependencies and investigate deviations before accepting updates.
Implement package pinning with explicit version approval workflows. Automatic dependency updates create attack windows where malicious versions slip through before detection. Pin dependencies to known-good versions and require security review for any updates to packages with elevated privileges or broad system access.
The self-replicating nature of this campaign, combined with TeamPCP's release of source code and the emergence of copycat attacks, signals that maintainer account compromise will remain a preferred attack vector. Organizations that establish robust publishing security protocols today prevent tomorrow's supply chain breaches.
Organizational Risk Assessment: Industries and Use Cases Under Threat
The Mini Shai-Hulud campaign's targeting of data visualization and charting libraries reveals a calculated strategy to infiltrate organizations at their most vulnerable point: the tools that transform raw data into business intelligence. When attackers compromise packages that power executive dashboards and operational monitoring systems, they gain visibility into an organization's most sensitive metrics and decision-making processes.
Cloud services organizations face unique exposure because their development pipelines integrate directly with the infrastructure they sell to customers. The malware's ability to harvest AWS, Google Cloud, and Microsoft Azure credentials means a single compromised developer workstation could expose not just internal systems but customer environments as well. Multi-tenant architectures amplify this risk - stolen service account credentials from a cloud provider's CI/CD pipeline could theoretically access resources across multiple customer accounts.
The payload's Docker container escape capability via the host socket represents a particularly dangerous threat for containerized cloud services. Organizations running Kubernetes clusters with compromised packages could see attackers break out of container isolation and access the underlying host systems. This escalation path transforms what appears to be application-level compromise into infrastructure-wide access.
Data visualization companies operate at the intersection of sensitive data and widespread distribution. The @antv ecosystem packages process everything from financial metrics to healthcare statistics, making them treasure troves of business intelligence. When malware infiltrates charting libraries like @antv/g2plot or @antv/s2, it gains access to the data being visualized - revenue figures, customer analytics, operational KPIs - before that information ever reaches a dashboard.
The echarts-for-react package's 1.1 million weekly downloads illustrates the scale of potential exposure. React applications using this wrapper span industries from fintech trading platforms to hospital patient monitoring systems. Each compromised installation becomes a data collection point, harvesting not just the visualized metrics but also the database connection strings used to retrieve them.
Software development organizations represent the ultimate prize because compromise here creates cascading effects downstream. The malware's npm propagation logic specifically targets this sector - using stolen npm tokens to enumerate and republish packages maintained by compromised accounts. A single infected development team could unknowingly distribute malware to their entire customer base through routine package updates.
The Sigstore attestation pipeline feature demonstrates sophisticated understanding of modern DevOps practices. By generating legitimate SLSA provenance for malicious packages, attackers make their poisoned releases indistinguishable from authorized builds. Development teams relying on attestation for supply chain security would see green checkmarks on packages actively stealing their credentials.
Authentication and deployment tool packages emerge as the highest-value targets within these sectors. The malware's focus on harvesting GitHub tokens, SSH keys, and Vault credentials shows clear prioritization of access management systems. Packages handling CI/CD operations, secret management, or deployment automation provide attackers with keys to entire development ecosystems. The creation of over 2,500 GitHub repositories using stolen tokens demonstrates how quickly compromised authentication spreads across organizations.
Database connector and API client packages represent another critical attack surface. The malware's collection of database connection strings and Stripe credentials indicates targeting of packages that bridge applications with backend services. Organizations using compromised data processing libraries risk exposing not just application data but the underlying infrastructure credentials that power their entire technology stack.