Full Report
Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave. "The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly
Analysis Summary
# Incident Report: Mini Shai-Hulud Supply Chain Attack (AntV/atool Compromise)
## Executive Summary
A large-scale software supply chain attack dubbed "Mini Shai-Hulud" targeted the npm ecosystem, specifically compromising the `atool` maintainer account to infect packages within the @antv visualization ecosystem. The attack resulted in the publication of 631 malicious versions across 314 packages, including the popular `echarts-for-react` library. The primary goal was the automated exfiltration of over 20 types of sensitive credentials and cloud service tokens.
## Incident Details
- **Discovery Date:** May 19, 2026 (Reported)
- **Incident Date:** May 2026 (Ongoing wave)
- **Affected Organization:** AntV (Alibaba ecosystem), various open-source maintainers
- **Sector:** Technology / Software Development
- **Geography:** Global (Impacts any developer/CI/CD pipeline pulling affected packages)
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026
- **Vector:** Credential/Token Theft
- **Details:** Attackers gained access to the npm maintainer account `atool`. This is believed to have been achieved via a stolen personal access token (PAT) or OIDC token abuse.
### Lateral Movement
- **Details:** The attacker used the compromised credentials to programmatically access and modify 314 different packages associated with the maintainer, rapidly injecting malicious code.
### Data Exfiltration/Impact
- **Details:** The malicious code targeted over 20 credential types, including AWS, Google Cloud, Azure, GitHub, npm, SSH, Kubernetes, Vault, and Stripe. It also attempted Docker container escapes via the host socket to deepen the breach into the host infrastructure.
### Detection & Response
- **Detection:** Identified by security researchers (Socket, SafeDep, Datadog) observing a "22-minute publish burst" of obfuscated payloads.
- **Response:** Security firms flagged the malicious versions, which npm registry administrators subsequently took down.
## Attack Methodology
- **Initial Access:** Compromised npm maintainer account (`atool`) likely via stolen session tokens.
- **Persistence:** Injection of `preinstall` hooks (`bun run index.js`) in `package.json` to ensure execution upon installation.
- **Defense Evasion:** Use of obfuscated payloads and "imposter commits" on GitHub to host secondary payloads in legitimate repositories (e.g., `antvis/G2`).
- **Credential Access:** Automated harvesting of environment variables and configuration files for cloud, DB, and CI/CD secrets.
- **Discovery:** Automated scanning for `.ssh`, `.aws`, and Kubernetes configuration directories.
- **Lateral Movement:** Automated publication of new malicious versions to downstream dependencies.
- **Exfiltration:** Rapid, automated exfiltration to attacker-controlled C2 infrastructure.
- **Impact:** Compromise of developer machines and CI/CD pipelines; potential for wide-scale downstream infection.
## Impact Assessment
- **Financial:** High potential cost due to compromised cloud service tokens (AWS/Azure) and Stripe keys.
- **Data Breach:** Massive volume of developer and infrastructure secrets across 1.1M+ weekly downloads.
- **Operational:** Significant disruption for teams needing to audit, rotate credentials, and roll back dependencies.
- **Reputational:** High impact on the @antv ecosystem and general trust in npm visualization libraries.
## Indicators of Compromise
- **File Indicators:** `index.js` (malicious payload), modified `package.json` with `preinstall` scripts.
- **Behavioral Indicators:** Unexpected `bun run` commands during `npm install`; outbound traffic to unknown C2 IPs from CI/CD runners.
- **Malicious Packages/Versions:** Affected packages: `@antv/g2`, `@antv/g6`, `echarts-for-react`, `timeago.js`, `size-sensor`, `canvas-nest.js`.
## Response Actions
- **Containment:** Removal of malicious versions from the npm registry.
- **Eradication:** Revocation of compromised maintainer tokens.
- **Recovery:** Release of clean versions and advisory for users to audit dependency trees for "imposter commits."
## Lessons Learned
- **Token Security:** Maintainer accounts remain a single point of failure; MFA and short-lived tokens are critical.
- **Source Code Leakage:** The open-sourcing of the "Shai-Hulud" framework by TeamPCP has significantly lowered the barrier for copycat attackers.
- **Downstream Risk:** Automated dependency updates can facilitate the rapid spread of malware before manual review is possible.
## Recommendations
- **Rotate Credentials:** All organizations using affected packages must rotate AWS, SSH, and GitHub secrets immediately.
- **Pin Dependencies:** Use lockfiles (`package-lock.json`) and consider pinning to specific hashes rather than version ranges.
- **Audit Hooks:** Monitor and restrict the execution of `preinstall` and `postinstall` scripts in CI/CD environments.
- **Implement Secrets Scanning:** Use tools to detect if environment variables or secrets are being accessed by unintended processes.
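
The "Pin Dependencies" and "Audit Hooks" recommendations can be checked mechanically. The following is an added example, not code from this report or from the vendors it cites: it flags install-time hooks in a parsed `package.json` and in a parsed `package-lock.json` (lockfileVersion 2 or 3 assumed). The function names, severity labels and sample data are constructed for illustration.

```javascript
// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Package names listed under "Indicators of Compromise" in this report.
const REPORTED = new Set(["@antv/g2", "@antv/g6", "echarts-for-react",
  "timeago.js", "size-sensor", "canvas-nest.js"]);
// Hook command named in the report's persistence description.
const BUN_HOOK = /\bbun\s+run\s+index\.js\b/;

// Audit one parsed package.json; returns one finding per install-time hook.
function auditManifest(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string").map((hook) => ({
    name: pkg.name, version: pkg.version, hook, cmd: scripts[hook],
    severity: BUN_HOOK.test(scripts[hook]) ? "high"
      : REPORTED.has(pkg.name) ? "review" : "info",
  }));
}

// Audit a parsed package-lock.json (lockfileVersion 2 or 3). npm records
// `hasInstallScript` on entries whose package declares an install-time hook.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = entry.name || key.split("node_modules/").pop();
    const reasons = [];
    if (entry.hasInstallScript) reasons.push("install-script");
    if (REPORTED.has(name)) reasons.push("reported-package");
    // Registry tarballs carry an integrity hash; links and bundled deps do not.
    if (!entry.link && !entry.inBundle && !entry.integrity) reasons.push("no-integrity");
    if (reasons.length) findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed samples: versions and integrity strings are placeholders, not IoCs.
const SAMPLE_MANIFEST = { name: "echarts-for-react", version: "0.0.0-sample",
  scripts: { preinstall: "bun run index.js", test: "jest" } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@antv/g2": { version: "0.0.0-sample", integrity: "sha512-PLACEHOLDER", hasInstallScript: true },
  "node_modules/a/node_modules/size-sensor": { version: "0.0.0-sample", integrity: "sha512-PLACEHOLDER" },
  "node_modules/example-lib": { version: "1.2.3" },
  "node_modules/clean-lib": { version: "2.0.0", integrity: "sha512-PLACEHOLDER" },
} };
console.log(JSON.stringify([auditManifest(SAMPLE_MANIFEST), auditLockfile(SAMPLE_LOCK)], null, 2));
```

To audit a real project, pass the parsed contents of its own `package-lock.json` to `auditLockfile`. Installing with `npm ci --ignore-scripts` in CI keeps any flagged hook from running while the findings are reviewed.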