Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD
A new and sophisticated supply chain attack has been uncovered, targeting one of the most trusted corners of the open-source software world.
Dubbed “Mini Shai-Hulud,” this campaign went after the @antv npm package ecosystem, a collection of widely used data visualization libraries powering dashboards and applications for developers globally.
The attack was quiet, precise, and designed to cause maximum damage before anyone noticed.
What made this attack especially dangerous was how far it spread. The threat actor first compromised a maintainer account within the @antv organization, then published malicious versions of popular packages.
From there, the infection rippled downstream into dependent libraries like echarts-for-react, a package with over one million weekly downloads.
A single poisoned package spread silently into thousands of developer pipelines almost overnight.
Microsoft security researchers identified and reported on this campaign, revealing the full scope of what the malware was capable of.

According to a Microsoft report shared with Cyber Security News (CSN), the malicious payload was a roughly 499 KB obfuscated JavaScript file that executed the moment a developer typed npm install.
It was built with one clear purpose: to steal credentials from GitHub Actions environments and connected cloud services.
The payload hunted for secrets across six platforms, including Amazon Web Services, HashiCorp Vault, Kubernetes, npm, and 1Password.
It scraped process memory directly from the GitHub Actions runner, bypassing standard secret masking entirely.
Every layer of the malware pointed to a calculated effort to drain credentials and disappear without raising alarms.
GitHub moved quickly once the threat was flagged. The platform removed 640 malicious packages and invalidated over 61,000 npm tokens with write permissions.
Dependabot alerts and npm audit warnings were pushed out to help developers catch the issue. The @antv account authors later confirmed the situation has since been resolved.
Mini Shai-Hulud Compromises @antv npm Packages
The attack followed a clean and deliberate chain. After gaining access to the maintainer account, the threat actor pushed malicious versions of core charting packages.
A preinstall hook inside the package triggered the payload automatically during npm install, so developers did not need to run extra commands for the infection to begin.
The JavaScript payload used two layers of obfuscation. The first involved 1,732 Base64-encoded strings shuffled in a rotated array.
The second used a custom cipher based on PBKDF2 and SHA-256, decoding critical strings only at runtime.
The malware also included environment gating that caused it to exit immediately if it was not running inside a GitHub Actions Linux environment, helping it dodge detection during normal testing.
Once active, it exfiltrated data through two channels. The primary route used an encrypted HTTPS connection to a command-and-control domain on port 443.
A fallback used GitHub’s Git Data API to create commits in victim repositories on non-protected branches.
Researchers had spotted more than 2,200 public repositories created under victim accounts as a campaign signature at the time of reporting.
Credential Theft Across Cloud and CI/CD Environments
The scope of credential theft was striking. For AWS, the payload queried the Instance Metadata Service and called SecretsManager across all regions. For HashiCorp Vault, it searched over twelve token paths.
For Kubernetes, it read service account tokens and enumerated namespace secrets. For 1Password, it even tried bypassing two-factor authentication to extract master passwords.
The malware also worked to maintain access. It installed the Bun runtime and used it to execute a second-stage payload.
It injected a passwordless sudo rule through a bind mount and modified DNS settings by editing the hosts file. It also forged software supply chain provenance attestations through Sigstore to make malicious packages appear legitimate.
Microsoft recommends developers review dependency trees for any use of affected @antv packages. Running npm install with the --ignore-scripts flag, pinning known-good versions, and rotating any exposed credentials are all critical steps.
Developers should also audit GitHub accounts for unexpected public repositories created during the exposure window, as these may signal an active compromise.
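One way to carry out the dependency-tree review, and to see which installed packages declare the install-time hooks the preinstall trigger relied on, is to walk the project's package-lock.json. The script below is an added example, not code from Microsoft or the @antv maintainers; it assumes a lockfileVersion 2 or 3 file, and the sample lockfile, its package names (other than echarts-for-react) and its versions are constructed placeholders.

```javascript
// Added example, not code from Microsoft or the @antv project.
// The article names no affected versions, so every hit needs a manual version check.
const isWatched = (name) => name.startsWith("@antv/") || name === "echarts-for-react";

// "node_modules/a/node_modules/@antv/x" -> "@antv/x"; the root entry "" has no path.
function nameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// lock: parsed package-lock.json, lockfileVersion 2 or 3 (has a "packages" map).
function auditLockfile(lock) {
  const all = Object.entries(lock.packages || {});
  const label = (p, m) => m.name || nameFromPath(p) || "(root project)";
  const findings = [];
  for (const [path, meta] of all) {
    if (path === "") continue; // the project itself
    const name = label(path, meta);
    const watched = isWatched(name);
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall.
    const hasInstallScript = meta.hasInstallScript === true;
    if (!watched && !hasInstallScript) continue;
    // Direct dependents (matched by name), to show which package owns the edge.
    const pulledInBy = all
      .filter(([, m]) => m.dependencies && name in m.dependencies)
      .map(([p, m]) => label(p, m));
    const priority = watched && hasInstallScript ? "high" : "review";
    findings.push({ name, version: meta.version, watched, hasInstallScript, pulledInBy, priority });
  }
  // High-priority entries first, then alphabetical for stable output.
  return findings.sort((a, b) =>
    a.priority === b.priority ? a.name.localeCompare(b.name) : a.priority === "high" ? -1 : 1);
}

// Constructed sample lockfile: every name except echarts-for-react and every version is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard-app", dependencies: { "echarts-for-react": "*", "chart-wrapper-example": "*" } },
    "node_modules/echarts-for-react": { version: "0.0.0-example" },
    "node_modules/chart-wrapper-example": { version: "0.0.0-example", dependencies: { "@antv/example-chart": "*" } },
    "node_modules/@antv/example-chart": { version: "0.0.0-example", hasInstallScript: true },
    "node_modules/native-addon-example": { version: "0.0.0-example", hasInstallScript: true },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.priority}\t${f.name}@${f.version}\thooks=${f.hasInstallScript}\tvia=${f.pulledInBy.join(",") || "-"}`);
}
```

On a real project, pass the parsed contents of package-lock.json to auditLockfile. A "high" entry is a watched package that also runs code at install time, and "via" names the direct dependent whose version range has to be pinned.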
Indicators of Compromise (IoCs):-
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.