CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials

Cybersecurity News Archived May 21, 2026 ✓ Full text saved

A new and sophisticated supply chain attack has been uncovered, targeting one of the most trusted corners of the open-source software world. Dubbed “Mini Shai-Hulud,” this campaign went after the @antv npm package ecosystem, a collection of widely used data visualization libraries powering dashboards and applications for developers globally. The attack was quiet, precise, and […] The post Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials appeared first on Cyber Security N

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials By Tushar Subhra Dutta May 21, 2026 A new and sophisticated supply chain attack has been uncovered, targeting one of the most trusted corners of the open-source software world. Dubbed “Mini Shai-Hulud,” this campaign went after the @antv npm package ecosystem, a collection of widely used data visualization libraries powering dashboards and applications for developers globally. The attack was quiet, precise, and designed to cause maximum damage before anyone noticed. What made this attack especially dangerous was how far it spread. The threat actor first compromised a maintainer account within the @antv organization, then published malicious versions of popular packages. From there, the infection rippled downstream into dependent libraries like echarts-for-react, a package with over one million weekly downloads. A single poisoned package spread silently into thousands of developer pipelines almost overnight. Microsoft security researchers identified and reported on this campaign, revealing the full scope of what the malware was capable of. @antv npm supply chain attack flow (Source – Microsoft) According to Microsoft report shared with Cyber Security News (CSN), the malicious payload was a roughly 499 KB obfuscated JavaScript file that executed the moment a developer typed npm install. It was built with one clear purpose: to steal credentials from GitHub Actions environments and connected cloud services. The payload hunted for secrets across six platforms, including Amazon Web Services, HashiCorp Vault, Kubernetes, npm, and 1Password. It scraped process memory directly from the GitHub Actions runner, bypassing standard secret masking entirely. Every layer of the malware pointed to a calculated effort to drain credentials and disappear without raising alarms. GitHub moved quickly once the threat was flagged. The platform removed 640 malicious packages and invalidated over 61,000 npm tokens with write permissions. Dependabot alerts and npm audit warnings were pushed out to help developers catch the issue. The @antv account authors later confirmed the situation has since been resolved. Mini Shai-Hulud Compromises @antv npm Packages The attack followed a clean and deliberate chain. After gaining access to the maintainer account, the threat actor pushed malicious versions of core charting packages. A preinstall hook inside the package triggered the payload automatically during npm install, so developers did not need to run extra commands for the infection to begin. The JavaScript payload used two layers of obfuscation. The first involved 1,732 Base64-encoded strings shuffled in a rotated array. The second used a custom cipher based on PBKDF2 and SHA-256, decoding critical strings only at runtime. The malware also included environment gating that caused it to exit immediately if it was not running inside a GitHub Actions Linux environment, helping it dodge detection during normal testing. Once active, it exfiltrated data through two channels. The primary route used an encrypted HTTPS connection to a command-and-control domain on port 443. A fallback used GitHub’s Git Data API to create commits in victim repositories on non-protected branches. Researchers had spotted more than 2,200 public repositories created under victim accounts as a campaign signature at the time of reporting. Credential Theft Across Cloud and CI/CD Environments The scope of credential theft was striking. For AWS, the payload queried the Instance Metadata Service and called SecretsManager across all regions. For HashiCorp Vault, it searched over twelve token paths. For Kubernetes, it read service account tokens and enumerated namespace secrets. For 1Password, it even tried bypassing two-factor authentication to extract master passwords. The malware also worked to maintain access. It installed the Bun runtime and used it to execute a second-stage payload. It injected a passwordless sudo rule through a bind mount and modified DNS settings by editing the hosts file. It also forged software supply chain provenance attestations through Sigstore to make malicious packages appear legitimate. Microsoft recommends developers review dependency trees for any use of affected @antv packages. Running npm install with the –ignore-scripts flag, pinning known-good versions, and rotating any exposed credentials are all critical steps. Developers should also audit GitHub accounts for unexpected public repositories created during the exposure window, as these may signal an active compromise. Indicators of Compromise (IoCs):- Type Indicator Description Package Scope @antv (whole account) All packages maintained by the antv account were compromised; situation now resolved per account authors  Package Name echarts-for-react Major downstream package impacted by the @antv compromise; situation now resolved per repository authors  SHA-256 a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c Malicious payload JavaScript file  SHA-256 fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142 Malicious backdoor Python script  Domain t.m-kosche[.]com:443 Infrastructure associated with the Mini Shai-Hulud campaign  File Name Index.js Malicious script or dropped file  File Name cat.py Malicious script or dropped file  Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Microsoft Python Client DurableTask Compromised by TeamPCP Hackers Microsoft Edge, Windows 11 and LiteLLM Hacked in Pwn2Own Berlin 2026 Four Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets Critical n8n Vulnerabilities Expose Automation Nodes to Full RCE Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords Latest News Cyber Security Authorities Have Taken Down “First VPN” Used in Ransomware Attacks Cyber Security Flipper Unveils New Flipper One Modular Linux Cyberdeck Cyber Security News P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances Cyber Security GitHub Internal Repositories Breached Via Weaponized VS Code Extension Cyber Security News Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗