Shai-Hulud Malware Hits @antv Ecosystem, Poisoning Hundreds of npm Packages

by ddos · May 20, 2026

The npm ecosystem has been subjected to a massive, highly coordinated supply-chain assault. Within a compressed one-hour envelope, threat actors successfully forced hundreds of malicious versions of popular libraries into the registry, actively targeting downstream developers and continuous integration build systems. This campaign, explicitly linked to the Shai-Hulud threat lineage, poses a severe risk because the corrupted distributions convincingly mimicked standard, benign software updates.

According to telemetry published by Socket, the adversaries distributed 639 malicious versions spanning 323 unique packages on May 19 between 04:56 and 05:56 MSK. The primary focus of the incursion targeted the @antv organization, an enterprise ecosystem responsible for widely deployed data visualization, graphing, flowcharting, and mapping libraries. Conspicuous among the compromised assets were @antv/g2, @antv/g6, @antv/x6, @antv/l7, echarts-for-react, timeago.js, size-sensor, and canvas-nest.js.

The infection chain traces back to the credential compromise of the atool npm maintainer account, a trusted identity used to publish portions of the @antv portfolio. The malicious payloads were injected directly into the packages' core index.js files and engineered to systematically harvest active GitHub and npm session tokens, cloud infrastructure keys, Kubernetes configuration maps, HashiCorp Vault secrets, Docker credentials, SSH keys, local database connection strings, and sensitive environment variables from active CI/CD pipelines. This harvesting mechanism affected both local developer workstations and major cloud build platforms, including GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI, Vercel, and Netlify.

To hide its outbound traffic from standard network monitoring tools, the malware encrypted the exfiltrated data and routed it over the decentralized Session P2P network. Once it had access to a compromised GitHub profile, the malware created hidden repositories within the victim's own account to serve as drop zones for the stolen data. Aikido Security initially identified over 2,700 such illicit repositories, a figure that quickly climbed past 2,900 just before public disclosure.

Technical analysis from Endor Labs highlighted an especially alarming architectural evolution: this contemporary iteration of Shai-Hulud possesses the capacity to synthesize cryptographically valid Sigstore attestations by actively hijacking OpenID Connect (OIDC) tokens native to compromised continuous integration environments. Consequently, the tainted npm packages successfully passed standard supply-chain provenance verifications, effectively masquerading as trusted, verified builds despite harboring high-severity credential-harvesting logic.

Furthermore, the malware is self-propagating. The implant validates each intercepted npm token to identify any upstream packages managed by the victim, retrieves their tarball archives, injects its own malicious code, and publishes the newly infected versions to the registry under bumped version numbers. Both Socket and Aikido Security conclude that while this variant diverges from the earlier Mini Shai-Hulud specimens, it preserves the same foundational adversarial blueprint. This wave also establishes persistent local backdoors by manipulating per-user settings within Visual Studio Code and Anthropic Claude Code environments.

Software engineers and site reliability teams who ingested any of the impacted dependencies are urgently advised to purge the corrupted versions or immediately roll back environments to verified stable releases published prior to May 18. This containment phase must be followed by a comprehensive revocation and rotation of all potentially exposed cryptographic keys, identity tokens, and SSH credentials.
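One way to operationalize the rollback advice above is to audit a lockfile against npm's per-version publish timestamps and flag anything published on or after May 18. The script below is an added example, not code from the article or from Socket, Aikido or Endor Labs; the registry `time` data and the package-lock excerpt are constructed samples, and the package names are taken from the article.

```python
import json
from datetime import datetime, timezone, timedelta

# The article's advice: keep only releases published before May 18.
# The attack window is given in MSK (UTC+3), so the cutoff is expressed there.
MSK = timezone(timedelta(hours=3))
CUTOFF = datetime(2026, 5, 18, tzinfo=MSK)

# Constructed sample of the npm registry "time" field (version -> publish time).
# Real data comes from https://registry.npmjs.org/<package> under "time".
SAMPLE_REGISTRY_TIME = {
    "@antv/g2": {"5.2.0": "2026-03-02T10:00:00.000Z",
                 "5.2.1": "2026-05-19T02:10:00.000Z"},   # inside the attack window
    "timeago.js": {"4.0.2": "2025-11-01T08:00:00.000Z",
                   "4.0.3": "2026-05-19T02:31:00.000Z"},
    "size-sensor": {"1.0.2": "2024-06-10T08:00:00.000Z"},
}

# Constructed package-lock.json excerpt (lockfileVersion 3 layout).
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@antv/g2": {"version": "5.2.1"},
        "node_modules/timeago.js": {"version": "4.0.2"},
        "node_modules/size-sensor": {"version": "1.0.2"},
    },
})

def installed_packages(lockfile_text):
    """Yield (name, version) from the 'packages' map of a v2/v3 package-lock."""
    lock = json.loads(lockfile_text)
    for path, entry in lock.get("packages", {}).items():
        if not path or "version" not in entry:
            continue                      # root project or link entry
        name = path.split("node_modules/")[-1]   # handles nested node_modules
        yield name, entry["version"]

def find_suspect_versions(lockfile_text, registry_time, cutoff=CUTOFF):
    """Return installed versions published at or after the cutoff."""
    suspects = []
    for name, version in installed_packages(lockfile_text):
        published = registry_time.get(name, {}).get(version)
        if published is None:
            continue                      # no timestamp available; cannot judge
        when = datetime.fromisoformat(published.replace("Z", "+00:00"))
        if when >= cutoff:                # aware datetimes compare across zones
            suspects.append((name, version, published))
    return suspects
```

A hit means the lockfile should be pinned back to an earlier version and the credentials reachable from that environment rotated, as the article recommends; the same check can be run for any package name once its `time` map is fetched.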


Tags: @antv Malicious Packages, atool Maintainer Account, CI/CD Secret Stealer, Claude Code Backdoor, OIDC Token Hijacking, Session P2P Network, Shai-Hulud npm Attack, Sigstore Provenance Forgery, Software Supply Chain Worm, Visual Studio Code Malware
