Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials
Cybersecurity NewsArchived May 21, 2026✓ Full text saved
A new and sophisticated supply chain attack has been uncovered, targeting one of the most trusted corners of the open-source software world. Dubbed “Mini Shai-Hulud,” this campaign went after the @antv npm package ecosystem, a collection of widely used data visualization libraries powering dashboards and applications for developers globally. The attack was quiet, precise, and […] The post Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials appeared first on Cyber Security N
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials
By Tushar Subhra Dutta
May 21, 2026
A new and sophisticated supply chain attack has been uncovered, targeting one of the most trusted corners of the open-source software world.
Dubbed “Mini Shai-Hulud,” this campaign went after the @antv npm package ecosystem, a collection of widely used data visualization libraries powering dashboards and applications for developers globally.
The attack was quiet, precise, and designed to cause maximum damage before anyone noticed.
What made this attack especially dangerous was how far it spread. The threat actor first compromised a maintainer account within the @antv organization, then published malicious versions of popular packages.
From there, the infection rippled downstream into dependent libraries like echarts-for-react, a package with over one million weekly downloads.
A single poisoned package spread silently into thousands of developer pipelines almost overnight.
Microsoft security researchers identified and reported on this campaign, revealing the full scope of what the malware was capable of.
@antv npm supply chain attack flow (Source – Microsoft)
According to Microsoft report shared with Cyber Security News (CSN), the malicious payload was a roughly 499 KB obfuscated JavaScript file that executed the moment a developer typed npm install.
It was built with one clear purpose: to steal credentials from GitHub Actions environments and connected cloud services.
The payload hunted for secrets across six platforms, including Amazon Web Services, HashiCorp Vault, Kubernetes, npm, and 1Password.
It scraped process memory directly from the GitHub Actions runner, bypassing standard secret masking entirely.
Every layer of the malware pointed to a calculated effort to drain credentials and disappear without raising alarms.
GitHub moved quickly once the threat was flagged. The platform removed 640 malicious packages and invalidated over 61,000 npm tokens with write permissions.
Dependabot alerts and npm audit warnings were pushed out to help developers catch the issue. The @antv account authors later confirmed the situation has since been resolved.
Mini Shai-Hulud Compromises @antv npm Packages
The attack followed a clean and deliberate chain. After gaining access to the maintainer account, the threat actor pushed malicious versions of core charting packages.
A preinstall hook inside the package triggered the payload automatically during npm install, so developers did not need to run extra commands for the infection to begin.
The JavaScript payload used two layers of obfuscation. The first involved 1,732 Base64-encoded strings shuffled in a rotated array.
The second used a custom cipher based on PBKDF2 and SHA-256, decoding critical strings only at runtime.
The malware also included environment gating that caused it to exit immediately if it was not running inside a GitHub Actions Linux environment, helping it dodge detection during normal testing.
Once active, it exfiltrated data through two channels. The primary route used an encrypted HTTPS connection to a command-and-control domain on port 443.
A fallback used GitHub’s Git Data API to create commits in victim repositories on non-protected branches.
Researchers had spotted more than 2,200 public repositories created under victim accounts as a campaign signature at the time of reporting.
Credential Theft Across Cloud and CI/CD Environments
The scope of credential theft was striking. For AWS, the payload queried the Instance Metadata Service and called SecretsManager across all regions. For HashiCorp Vault, it searched over twelve token paths.
For Kubernetes, it read service account tokens and enumerated namespace secrets. For 1Password, it even tried bypassing two-factor authentication to extract master passwords.
The malware also worked to maintain access. It installed the Bun runtime and used it to execute a second-stage payload.
It injected a passwordless sudo rule through a bind mount and modified DNS settings by editing the hosts file. It also forged software supply chain provenance attestations through Sigstore to make malicious packages appear legitimate.
Microsoft recommends developers review dependency trees for any use of affected @antv packages. Running npm install with the –ignore-scripts flag, pinning known-good versions, and rotating any exposed credentials are all critical steps.
Developers should also audit GitHub accounts for unexpected public repositories created during the exposure window, as these may signal an active compromise.
Indicators of Compromise (IoCs):-
Type Indicator Description
Package Scope @antv (whole account) All packages maintained by the antv account were compromised; situation now resolved per account authors
Package Name echarts-for-react Major downstream package impacted by the @antv compromise; situation now resolved per repository authors
SHA-256 a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c Malicious payload JavaScript file
SHA-256 fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142 Malicious backdoor Python script
Domain t.m-kosche[.]com:443 Infrastructure associated with the Mini Shai-Hulud campaign
File Name Index.js Malicious script or dropped file
File Name cat.py Malicious script or dropped file
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
Microsoft Python Client DurableTask Compromised by TeamPCP Hackers
Microsoft Edge, Windows 11 and LiteLLM Hacked in Pwn2Own Berlin 2026
Four Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets
Critical n8n Vulnerabilities Expose Automation Nodes to Full RCE
Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords
Latest News
Cyber Security
Authorities Have Taken Down “First VPN” Used in Ransomware Attacks
Cyber Security
Flipper Unveils New Flipper One Modular Linux Cyberdeck
Cyber Security News
P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances
Cyber Security
GitHub Internal Repositories Breached Via Weaponized VS Code Extension
Cyber Security News
Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys