600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack
Cybersecurity NewsArchived May 19, 2026✓ Full text saved
A sophisticated npm supply chain campaign dubbed Mini Shai-Hulud has claimed over 600 package versions overnight, with security researchers at Socket and Endor Labs identifying 639 compromised package versions across 323 unique packages in the latest wave. The bulk of the activity targeted the @antv ecosystem, alongside packages under @lint-md, @openclaw-cn, and @starmind scopes. Malicious […] The post 600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack appeared first on Cyb
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack
By Guru Baran
May 19, 2026
A sophisticated npm supply chain campaign dubbed Mini Shai-Hulud has claimed over 600 package versions overnight, with security researchers at Socket and Endor Labs identifying 639 compromised package versions across 323 unique packages in the latest wave.
The bulk of the activity targeted the @antv ecosystem, alongside packages under @lint-md, @openclaw-cn, and @starmind scopes.
Malicious publish activity began at approximately 01:56 UTC on May 19, 2026, continuing until 02:56 UTC.
Socket’s detection systems flagged most activity within 6 to 12 minutes of publication, with a median detection time of 6.7 minutes.
Endor Labs independently observed 42 malicious packages between 01:39 and 02:06 UTC, tracing the campaign’s origin to two long-dormant packages: jest-canvas-mock and size-sensor, neither of which had been published in over three years.
Across the full Mini Shai-Hulud campaign tracked to date, researchers have confirmed 1,055 compromised versions across 502 unique packages, spanning npm (1,048 versions), PyPI (6 versions), and Composer (1 version).
600+ npm Packages Compromised
The injected payload operates at install time via a preinstall lifecycle hook:
json"preinstall": "bun run index.js"
A root-level index.js file, heavily obfuscated using a string-array lookup table and a custom decryptor exposed through globalThis, executes automatically upon package installation.
The payload exfiltrates stolen data to a hardcoded HTTPS endpoint: https://t[.]m-kosche[.]com:443/api/public/otel/v1/traces.
Collected data is gzip-compressed, AES-256-GCM encrypted, and the AES key is wrapped with RSA-OAEP/SHA-256 before transmission — a layered approach designed to prevent plaintext recovery from network telemetry.
The payload aggressively targets developer and CI/CD environments, harvesting:
GitHub tokens, npm tokens, and AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
Kubernetes service account material (KUBECONFIG, KUBERNETES_SERVICE_HOST)
Vault tokens (VAULT_TOKEN, VAULT_AUTH_TOKEN)
SSH/private keys, Docker auth files, and database connection strings
The malware contains explicit logic for 18+ CI/CD platforms, including GitHub Actions, GitLab CI, CircleCI, Jenkins, Azure DevOps, AWS CodeBuild, Vercel, Netlify, and Cloudflare Pages.
If a usable GitHub token is obtained, the payload creates repositories under the victim’s account and commits stolen data into a results/results-<timestamp>-<counter>.json path.
Public GitHub searches currently reveal approximately 1,900 attacker-created repositories using the reversed campaign marker niagA oG eW ereH :duluH-iahS (decoding to “Shai-Hulud: Here We Go Again”) with Dune-themed repository names such as sayyadina-stillsuit-852 and atreides-ornithopter-112. The repository Zaynex/sayyadina-stillsuit-852 has been confirmed as an active exfiltration staging repo.
The worm also abuses stolen npm tokens to enumerate maintainable packages, inject the payload, bump version numbers, and republish, enabling self-propagation across the npm ecosystem under legitimate maintainer identities.
Endor Labs highlighted three novel behaviors in this wave:
Sigstore abuse: The worm now calls Fulcio and Rekor at runtime to obtain valid signing certificates and transparency log entries, causing provenance tooling to display a green badge despite the malicious build chain
Dormant account targeting: Packages like jest-canvas-mock, size-sensor, and timeago.js (dormant for 3–10 years) were used as entry points, as older accounts attract less scrutiny
Single-token namespace takeover: At least 37 @antv/* packages are confirmed malicious, consistent with a single stolen token holding publish rights across the entire namespace
Indicators of Compromise
Type Indicator
C2 Endpoint t[.]m-kosche[.]com:443/api/public/otel/v1/traces
GitHub Marker niagA oG eW ereH :duluH-iahS
Repo Pattern <dune-word>-<dune-word>-<digits>
Exfil Path results/results-*.json
Key Secret Targets GITHUB_TOKEN, AWS_ACCESS_KEY_ID, VAULT_TOKEN, KUBECONFIG
Mitigations
Audit all recently updated @antv/*, @lint-md, @openclaw-cn, and @starmind packages immediately
Rotate any GitHub tokens, npm tokens, AWS credentials, and Vault tokens exposed in CI/CD environments
Do not rely solely on Sigstore provenance badges as indicators of package integrity
Monitor npm install logs for unexpected preinstall scripts invoking bun
Block outbound connections to t[.]m-kosche[.]com at the network perimeter
Socket and Endor Labs have both published detailed advisories; here is the list of affected packages. Organizations running affected packages should treat any exposed credentials as fully compromised and initiate incident response procedures immediately.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers
Top 10 Best Data Loss Prevention Software in 2026
Hackers Abuse Legitimate HWMonitor Binary to Load Malicious DLL Payload
Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks
Multiple cPanel Vulnerabilities Allows Access to Sensitive System Resources
Latest News
Botnet
Hackers Hijacking Four-Faith Industrial Routers for Botnet Activity
Cyber Security News
Compromised GitHub Action Exfiltrates Workflow Credentials to Attacker Domain
Cyber Security News
Critical Apache Flink Vulnerability Enables Remote code execution Attacks
Cyber Security News
Microsoft Edge Stops Loading Saved Passwords Into Memory at Startup
Cyber Security News
Attackers Use Cloudflare Storage Endpoint to Exfiltrate Files From Compromised Networks