How the Mini Shai-Hulud Worm Compromised AntV npm Packages


CyberSecureFox Editorial Team

A large-scale npm supply chain attack has affected hundreds of packages in the @antv ecosystem — a popular data visualization library — as well as a number of widely used JavaScript packages, including echarts-for-react with approximately 1.1 million weekly downloads. According to researchers from Socket, the attack is linked to the ongoing Mini Shai-Hulud campaign, in which a compromised maintainer account is used to mass-publish trojanized package versions. The malicious payload steals more than 20 types of credentials — from AWS and Azure keys to GitHub and npm tokens — and is capable of self-propagation through stolen tokens. Organizations using affected packages must immediately audit their dependencies and revoke potentially compromised secrets.

Scope of compromise and affected packages

The attack impacted packages associated with the npm maintainer account atool. According to Socket, the attacker published 639 malicious versions across 323 unique packages, of which 558 versions belong to 279 packages in the @antv namespace. An independent analysis by SafeDep provides slightly different numbers — 631 malicious versions in 314 packages — which indicates some uncertainty about the campaign’s exact reach.

Among the confirmed affected packages:

  • @antv namespace: @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, @antv/data-set
  • Outside @antv: echarts-for-react, timeago.js, size-sensor, canvas-nest.js

As Socket notes, the potential blast radius is significant, because the compromised account is associated with widely used packages for data visualization, charting, mapping, and React components. Organizations that automatically pull in new dependency versions are at particular risk.

Technical anatomy of the attack

Infection mechanism

According to SafeDep, the attack uses two execution paths. Each compromised version adds a preinstall hook that invokes bun run index.js. In addition, 630 of the 631 malicious versions inject an optionalDependencies entry that points to so-called imposter commits — fake commits in the legitimate antvis/G2 repository on GitHub that deliver a second copy of the malicious payload.

The speed of the operation is notable: SafeDep recorded a 22-minute burst of publications covering 314 packages and 631 versions with an identical obfuscated payload. This clearly indicates a fully automated operation using a stolen token, rather than a gradual or targeted attack.

Stealer capabilities

According to the researchers, the malicious payload steals more than 20 types of credentials:

  • Cloud provider keys: Amazon Web Services, Google Cloud, Microsoft Azure
  • Developer tokens: GitHub, npm
  • Infrastructure secrets: SSH keys, Kubernetes, Vault
  • Payment data: Stripe
  • Database connection strings
  • Attempted breakout from a Docker container via the host socket

The collected data is serialized, compressed, encrypted, and sent to the domain t.m-kosche[.]com over port 443. As a fallback exfiltration mechanism, the malware uses a stolen GitHub token to create a public repository under the victim’s account and commit the data into a JSON file.

Self-propagation

A key feature of Mini Shai-Hulud is built-in propagation logic via npm. The malware validates stolen npm tokens through the registry API, enumerates packages owned by the token’s owner, downloads the package archives, injects the malicious payload, adds a preinstall hook, increments the version number, and republishes the packages on behalf of the compromised maintainer. As a result, each compromise begets the next one, creating a cascading effect.

Indicator of compromise on GitHub

Repositories created by the malware contain a distinctive description string: “niagA oG eW ereH :duluH-iahS” (when read backward — “Shai-Hulud: Here We Go Again”). At the time the research was published, a GitHub search revealed more than 2,200 repositories with this marker — an indirect indicator of the scale of account compromise.

Attribution and threat escalation

The Mini Shai-Hulud campaign is believed by researchers to be linked to the financially motivated group TeamPCP. However, the situation has escalated significantly: as reported by SlowMist, TeamPCP published the full source code of the framework as part of a supply chain attack contest announced jointly with BreachForums.

As Datadog notes, publishing the source code of an active offensive framework is a rare event. It lowers the barrier to entry for other attackers by providing them with ready-made techniques, including abuse of OIDC tokens, falsification of package provenance data, and hooks for persistence in AI-based tools.

The consequences are already visible: according to Mondoo, an unknown attacker uploaded four malicious npm packages, one of which contains an almost verbatim copy of the Shai-Hulud worm with its own command-and-control infrastructure. The emergence of clones complicates attribution and expands the attack surface.

As Trend Micro emphasizes, organizations using GitHub Actions, PyPI, Docker Hub, GitHub Container Registry, VS Code extensions, and cloud CI runners are directly exposed to the risks of this campaign.

Impact assessment

Development teams that use @antv packages and related data visualization libraries in enterprise projects are at the greatest risk. Given that echarts-for-react is downloaded more than a million times per week, the potential number of affected organizations is in the thousands. The worm’s self-propagating nature means that the compromise of a single maintainer can cascade to all packages associated with their tokens. The leakage of cloud keys, SSH secrets, and CI/CD tokens opens the door to full infrastructure compromise.

Practical recommendations

  1. Dependency audit: check whether your projects use the affected packages. Lock dependency versions and roll back to known-clean versions published before the campaign began.
  2. Secret revocation: if the affected packages were installed in your environment, immediately rotate all npm and GitHub tokens, cloud keys for AWS/GCP/Azure, SSH keys, and database connection strings.
  3. GitHub review: search within your organization for repositories with the description “niagA oG eW ereH :duluH-iahS” — their presence indicates compromise.
  4. IOC blocking: add the domain t.m-kosche[.]com to network monitoring blocklists.
  5. Disable automatic updates: review your policy of automatically pulling new dependency versions. Use lock files and strict version pinning.
  6. Monitor preinstall hooks: check for suspicious preinstall hooks in dependencies, especially invocations of bun run index.js.

The Mini Shai-Hulud campaign highlights a systemic vulnerability in the npm ecosystem: a single compromised maintainer token triggers a cascade of infections, and publication of the worm’s source code turns an isolated threat into a mass one. The top priorities now are auditing all dependencies from the @antv namespace and related packages, rotating all secrets that may have been accessible in compromised environments, and moving to strict version pinning with manual review of updates for critical dependencies.

