Mini Shai-Hulud Supply Chain Attack Compromises 600+ npm Packages


By Marcus Rodriguez, May 19, 2026 (3 min read)

A sophisticated npm supply chain campaign, dubbed Mini Shai-Hulud, has compromised over 600 package versions overnight. In this latest wave, security researchers at Socket and Endor Labs identified 639 compromised package versions across 323 unique packages.

Table Of Content

  • 600+ npm Packages Compromised
  • Indicators of Compromise
  • Mitigations

The bulk of the activity targeted the @antv ecosystem, alongside packages under @lint-md, @openclaw-cn, and @starmind scopes.

Malicious publish activity began at approximately 01:56 UTC on May 19, 2026, continuing until 02:56 UTC.

Socket’s detection systems flagged most activity within 6 to 12 minutes of publication, with a median detection time of 6.7 minutes.

Endor Labs independently observed 42 malicious packages between 01:39 and 02:06 UTC, tracing the campaign’s origin to two long-dormant packages: jest-canvas-mock and size-sensor, neither of which had been published in over three years.

Across the full Mini Shai-Hulud campaign tracked to date, researchers have confirmed 1,055 compromised versions across 502 unique packages, spanning npm (1,048 versions), PyPI (6 versions), and Composer (1 version).

600+ npm Packages Compromised

The injected payload operates at install time via a preinstall lifecycle hook:

    "preinstall": "bun run index.js"

A root-level index.js file, heavily obfuscated using a string-array lookup table and a custom decryptor exposed through globalThis, executes automatically upon package installation.

The payload exfiltrates stolen data to a hardcoded HTTPS endpoint: https://t[.]m-kosche[.]com:443/api/public/otel/v1/traces.

Collected data is gzip-compressed, AES-256-GCM encrypted, and the AES key is wrapped with RSA-OAEP/SHA-256 before transmission — a layered approach designed to prevent plaintext recovery from network telemetry.

The payload aggressively targets developer and CI/CD environments, harvesting:

  • GitHub tokens, npm tokens, and AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
  • Kubernetes service account material (KUBECONFIG, KUBERNETES_SERVICE_HOST)
  • Vault tokens (VAULT_TOKEN, VAULT_AUTH_TOKEN)
  • SSH/private keys, Docker auth files, and database connection strings

The malware contains explicit logic for 18+ CI/CD platforms, including GitHub Actions, GitLab CI, CircleCI, Jenkins, Azure DevOps, AWS CodeBuild, Vercel, Netlify, and Cloudflare Pages.

If a usable GitHub token is obtained, the payload creates repositories under the victim’s account and commits stolen data into a results/results-<timestamp>-<counter>.json path.

Public GitHub searches currently reveal approximately 1,900 attacker-created repositories using the reversed campaign marker niagA oG eW ereH :duluH-iahS (decoding to “Shai-Hulud: Here We Go Again”) with Dune-themed repository names such as sayyadina-stillsuit-852 and atreides-ornithopter-112. The repository Zaynex/sayyadina-stillsuit-852 has been confirmed as an active exfiltration staging repo.

The worm also abuses stolen npm tokens to enumerate maintainable packages, inject the payload, bump version numbers, and republish, enabling self-propagation across the npm ecosystem under legitimate maintainer identities.

Endor Labs highlighted three novel behaviors in this wave:

  • Sigstore abuse: The worm now calls Fulcio and Rekor at runtime to obtain valid signing certificates and transparency log entries, so provenance tooling displays a green badge even though the build chain that produced the package was attacker-controlled
  • Dormant account targeting: Packages like jest-canvas-mock, size-sensor, and timeago.js (dormant for 3–10 years) were used as entry points, as older accounts attract less scrutiny
  • Single-token namespace takeover: At least 37 @antv/* packages are confirmed malicious, consistent with a single stolen token holding publish rights across the entire namespace

Indicators of Compromise

Type                Indicator
C2 Endpoint         t[.]m-kosche[.]com:443/api/public/otel/v1/traces
GitHub Marker       niagA oG eW ereH :duluH-iahS
Repo Pattern        <dune-word>-<dune-word>-<digits>
Exfil Path          results/results-*.json
Key Secret Targets  GITHUB_TOKEN, AWS_ACCESS_KEY_ID, VAULT_TOKEN, KUBECONFIG

Mitigations

  • Audit all recently updated @antv/*, @lint-md, @openclaw-cn, and @starmind packages immediately
  • Rotate any GitHub tokens, npm tokens, AWS credentials, and Vault tokens exposed in CI/CD environments
  • Do not rely solely on Sigstore provenance badges as indicators of package integrity
  • Monitor npm install logs for unexpected preinstall scripts invoking bun
  • Block outbound connections to t[.]m-kosche[.]com at the network perimeter

Socket and Endor Labs have both published detailed advisories listing the affected packages. Organizations running affected packages should treat any exposed credentials as fully compromised and initiate incident response procedures immediately.

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.