Hackers Compromise @antv npm Packages via Mini Shai-Hulud

Sarah Simpson, May 19, 2026

A sweeping supply chain attack has compromised hundreds of widely used JavaScript packages within the npm ecosystem, specifically those tied to the @antv data visualization library.

The attack, which unfolded in the early hours of May 19, 2026, injected malicious code into packages used by millions of developers worldwide.

Among the affected packages is echarts-for-react, a popular React wrapper with roughly 1.1 million weekly downloads.

The attackers gained access to the npm maintainer account known as “atool” and used it to push poisoned versions of dozens of well-known packages.

Beyond the core @antv packages, the attack also reached packages outside that scope, such as timeago.js, size-sensor, and canvas-nest.js, reflecting the breadth of what the compromised account could publish.

The sheer number of affected packages made this one of the largest npm supply chain incidents in recent memory.

This one is really, really bad. https://t.co/tfTfzGmgYD

Starting to be hard to call this one “Mini Shai-Hulud” https://t.co/utgugatkJa

— Adnan Khan (@adnanthekhan) May 19, 2026

Researchers at Socket.dev identified the attack in near real-time, flagging the malicious publish wave and classifying affected versions as known malware.

Socket.dev said in a report shared with Cyber Security News (CSN) that its internal review identified 639 compromised package versions across 323 unique packages in what the team labeled the “5/19 Mini Shai-Hulud wave”. Most detections happened within 6 to 12 minutes of publication.

Across the broader Mini Shai-Hulud campaign, Socket has tracked 1,055 versions across 502 unique packages spanning npm, PyPI, and Composer registries.

The npm ecosystem bears the overwhelming share, with 1,048 compromised versions across 498 unique npm packages. The campaign’s scale points to a coordinated and well-resourced threat actor operating across multiple open source ecosystems.

The blast radius here is significant. The publishing account is tied to packages used across data visualization, graphing, mapping, and React component development.

Even if only a fraction of those packages received a malicious update, organizations that automatically pull new dependency versions (for example through floating caret ranges resolved without a committed lockfile) face real downstream exposure.

Hackers Compromise @antv Packages

The injected code follows a pattern tied to the Mini Shai-Hulud malware family. Each compromised package ships a root-level index.js, and its package.json is modified so that a “preinstall” lifecycle hook runs that file under Bun. Because preinstall fires during npm install, the payload executes before the package’s own code is ever imported, on developer machines and CI runners alike.

The payload is heavily obfuscated using a large string-array lookup table and a custom decryptor to hide sensitive strings from basic inspection.

Once triggered, the malware collects and transmits stolen data over an encrypted channel. It serializes harvested information, compresses it with gzip, encrypts it with AES-256-GCM, and wraps the key with RSA-OAEP before sending everything to the command-and-control server.

[Figure] GitHub search reveals a rapidly updating cluster of threat actor-created repositories (Source: Socket.dev)

This layered encryption sits inside the TLS session, so even a TLS-inspecting proxy sees only AES-GCM ciphertext whose key is wrapped to the attacker’s RSA public key. Network logs can therefore confirm that an exfiltration attempt reached the C2 endpoint, but not reveal which secrets were sent.

The payload hunts for high-value secrets across developer and CI/CD environments. It targets GitHub tokens, AWS credentials, Kubernetes service-account material, SSH private keys, Vault tokens, Docker authentication files, and database connection strings.

It also contains platform-specific logic for GitHub Actions, GitLab CI, Jenkins, CircleCI, AWS CodeBuild, and several others.

GitHub as a Fallback Exfiltration Channel

If the malware obtains a usable GitHub token, it shifts to a secondary method. It creates a new repository under the victim’s account and commits the stolen data into files under a structured path (results/results-*.json in the IoC table below).

This technique abuses GitHub as trusted infrastructure, making exfiltration far harder to detect and block. Public GitHub searches for a reversed campaign marker currently reveal roughly 1,900 repositories created by the threat actor.

These use Dune-inspired names such as “sayyadina-stillsuit-852” and “fremen-fedaykin-225,” and their descriptions carry the same reversed marker, confirming they belong to the campaign’s exfiltration network.

Beyond stealing secrets, the payload can also spread itself. It validates stolen npm credentials, enumerates packages the compromised account can publish, injects malicious code, and republishes the modified packages.

This worm-like behavior lets the attack jump between maintainer accounts without further effort from the attacker.

Developers and security teams should audit any recent updates from the affected @antv and associated npm namespaces right away: check lockfiles and node_modules for versions published on May 19, 2026, and for packages whose package.json gained an install-time hook. Installing with lifecycle scripts disabled (npm install --ignore-scripts) blocks this entry point, at the cost of breaking packages that legitimately need install hooks.

Organizations should rotate any secrets or credentials that may have passed through environments where these packages were recently installed, treating the GitHub tokens, cloud keys, kubeconfigs and Vault tokens listed below as compromised. Reviewing CI/CD pipeline logs and GitHub audit logs for unexpected repository creation activity is also strongly advised, since a new repository under a developer or service account is the visible trace of the fallback exfiltration channel.

Indicators of Compromise (IoCs)

Type | Indicator | Description
Domain | t[.]m-kosche[.]com | Primary C2 exfiltration domain used by the malicious payload
URL | https://t[.]m-kosche[.]com:443/api/public/otel/v1/traces | Primary HTTPS exfiltration endpoint for harvested secrets (the path mimics an OpenTelemetry traces endpoint, so do not allow-list it on the basis of the path alone)
URL | https://fulcio[.]sigstore[.]dev/api/v2/signingCert | Sigstore Fulcio endpoint referenced in the payload; legitimate public infrastructure, listed for context rather than as a block-list entry
URL | https://rekor[.]sigstore[.]dev/api/v1/log/entries | Sigstore Rekor transparency log endpoint referenced in the payload; same caveat as the Fulcio entry
GitHub Marker | niagA oG eW ereH :duluH-iahS | Reversed campaign marker string found in threat actor GitHub repository descriptions
GitHub Marker | niaga og ew ereh :duluh-iahs | Lowercase variant of the reversed campaign marker
GitHub Marker | Shai-Hulud: Here We Go Again | Decoded plaintext of the campaign marker
File Path Pattern | results/results-*.json | Path pattern used by the GitHub fallback exfiltration mechanism to store stolen data
Repository Pattern | <dune-word>-<dune-word>-<digits> | Naming convention used for threat actor staging repositories
GitHub Repository | sayyadina-stillsuit-852 | Observed threat actor repository used for exfiltration staging
GitHub Repository | atreides-ornithopter-112 | Observed threat actor repository used for exfiltration staging
GitHub Repository | harkonnen-phibian-552 | Observed threat actor repository used for exfiltration staging
GitHub Repository | fremen-fedaykin-225 | Observed threat actor repository used for exfiltration staging
GitHub Repository | kanly-lasgun-874 | Observed threat actor repository used for exfiltration staging
Secret Target | GITHUB_TOKEN | Environment variable actively harvested by the payload
Secret Target | AWS_ACCESS_KEY_ID | AWS credential targeted for theft by the payload
Secret Target | AWS_SECRET_ACCESS_KEY | AWS credential targeted for theft by the payload
Secret Target | AWS_SESSION_TOKEN | AWS session token targeted for theft
Secret Target | KUBECONFIG | Environment variable pointing to the Kubernetes client configuration file targeted for theft
Secret Target | VAULT_TOKEN | HashiCorp Vault token targeted for theft
File | index.js | Root-level malicious payload file injected into compromised packages

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Hacker, Malware, Security, Threat
