10 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
Mini Shai-Hulud is an active npm supply chain attack that compromised over 300 packages within the AntV ecosystem by hijacking a maintainer account and publishing hundreds of malicious package versions. The campaign leveraged obfuscated preinstall scripts to steal sensitive credentials from developer machines, CI/CD pipelines, and cloud environments, with the added ability to propagate further compromises using stolen access. Immediate removal of affected packages, credential rotation, and environment audits are critical to mitigate risk.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Mini Shai-Hulud npm Supply Chain Attack Targeting AntV Ecosystem
PoC or Exploitation:
Active malicious package publication and supply chain compromise is confirmed. The campaign has been linked to repeated Mini Shai-Hulud activity previously observed against TanStack packages, SAP-related packages, Mistral AI integrations, and other ecosystems.
Update / Patch:
Security researchers identified 637 malicious versions across 323 npm packages after compromise of the npm maintainer account "atool".
The malicious publication activity occurred in two automated waves on May 19, 2026 between 01:39 UTC and 02:06 UTC, with exposure risk extending until approximately 02:18 UTC.
Impacted package families include:
- @antv/g2
- @antv/x6
- @antv/l7
- @antv/s2
- @antv/f2
- @antv/g
- @antv/g2plot
- @antv/graphin
- @antv/data-set
- @antv/scale
- echarts-for-react
- timeago.js
- size-sensor
- canvas-nest.js
- Additional AntV ecosystem packages
Description:
Mini Shai-Hulud is an active npm supply chain malware campaign that expanded into Alibaba's AntV visualization ecosystem and associated JavaScript libraries. The attack abuses compromised maintainer accounts to rapidly publish trojanized package versions that execute malicious code during dependency installation.
The malicious packages modified installation behavior by introducing preinstall execution hooks including:
"preinstall": "bun run index.js"
Payloads were heavily obfuscated and designed to evade static inspection using runtime decoding, lookup tables, and custom decryption routines. Once executed, the malware attempted large-scale credential harvesting from developer workstations and CI/CD environments.
Observed targets include:
- GitHub Actions OIDC credentials
- AWS credentials and metadata services
- Kubernetes service accounts
- HashiCorp Vault tokens
- SSH private keys
- Docker authentication files
- Database connection strings
- Environment variables and local secret stores
- CI/CD pipelines and release workflows
Researchers additionally observed self-propagation capability where stolen credentials could be reused to compromise additional repositories and publish further malicious package versions.
The campaign also demonstrated GitHub abuse behavior where stolen credentials were leveraged to create rogue repositories and exfiltrate harvested data. Public reporting identified more than 2,700 Dune-themed repositories associated with broader Mini Shai-Hulud activity.
Mitigation Recommendation:
Immediately identify and remove compromised AntV and associated npm package versions from development environments.
Rotate all credentials that may have been accessible to affected build systems including:
- GitHub PATs and Actions tokens
- npm publishing tokens
- Cloud API credentials
- Kubernetes secrets
- SSH keys
- Vault tokens
- CI/CD variables
Perform retrospective hunting for: - Unexpected GitHub repositories or commits
- Unauthorized workflow files
- New package publication events
- Abnormal npm install activity
- Bun runtime execution
- Suspicious preinstall lifecycle hooks
- Outbound connections from build runners
Recommended response actions:
- Identify whether affected package versions were downloaded or installed during the compromise publication window
- Remove malicious versions immediately
- Rebuild CI/CD runners that executed affected dependencies
- Rotate all exposed secrets including GitHub tokens, npm tokens, cloud credentials, SSH keys, Kubernetes secrets, Vault tokens, Docker authentication files, and database credentials
- Audit GitHub repositories for unauthorized commits, workflows, repository creation, or secret exposure
- Review npm install lifecycle hooks and disable automatic execution where operationally feasible
- Enforce MFA and trusted publishing controls for package maintainers
- Validate software bill of materials (SBOM) and dependency inventories against known affected artifacts
References:
https://snyk.io/blog/mini-shai-hulud-antv-npm-supply-chain-attack/
https://www.aikido.dev/blog/mini-shai-hulud-antv-npm-supply-chain-attack/
