Mini Shai-Hulud: Supply Chain Campaign Targets @antv Ecosystem
A sophisticated, large-scale supply chain attack has recently been detected targeting the npm registry, specifically compromising a wide array of packages within the @antv ecosystem. This high-velocity campaign is being attributed to the Mini Shai-Hulud malware family, a threat actor known for coordinated, multi-package exploitation via compromised maintainer accounts.
The breach appears to have originated from the compromise of the npm maintainer account “atool,” which holds administrative privileges over several foundational JavaScript libraries. A notable victim in this wave is echarts-for-react, a critical React wrapper for Apache ECharts that serves a massive footprint of approximately 1.1 million weekly downloads.
Security researchers at Socket were the first to identify the anomaly, rapidly classifying the newly published versions as malicious. The scale of the onslaught is staggering: on May 19 alone, Socket identified 639 malicious package versions distributed across 323 unique packages within a single sixty-minute window.
The scope of the compromise extends deep into the data visualization and frontend stack, affecting core @antv libraries such as @antv/g2, @antv/g6, @antv/x6, @antv/l7, and @antv/g2plot, alongside utility packages like timeago.js, size-sensor, and canvas-nest.js. For organizations relying on automated dependency updates, the risk of downstream infection is extremely high.
Technical Analysis of the Mini Shai-Hulud Payload
The Mini Shai-Hulud campaign follows a highly structured execution pattern designed to bypass traditional static analysis. The primary mechanism of infection involves the injection of a root-level index.js file, paired with a modification to the package.json configuration. This modification triggers the malicious code via a preinstall script, ensuring the payload executes the moment a developer or CI/CD pipeline runs npm install.
To evade detection, the payload utilizes heavy obfuscation techniques, including runtime decoding and custom decryption routines. This prevents security scanners from identifying the intent of the code until it is active in memory.
Once the execution environment is established, the malware initiates a reconnaissance phase targeting high-value secrets within developer workstations and CI/CD pipelines. The primary objectives include:
- Cloud & Infrastructure: AWS keys, Kubernetes secrets, and database connection strings.
- Source Control & Registry: GitHub personal access tokens (PATs), npm authentication tokens, and SSH private keys.
- CI/CD Orchestration: Secrets and environment variables from GitHub Actions, GitLab CI, Jenkins, and Azure DevOps.
Exfiltration is handled with significant sophistication. Stolen data is encrypted using AES-256-GCM and sent to a hardcoded Command and Control (C2) endpoint. However, the attackers have implemented a secondary, stealthier exfiltration channel via GitHub. If the malware successfully harvests a valid GitHub token, it can programmatically create new repositories and upload stolen data as files. This “living-off-the-land” approach allows malicious traffic to blend seamlessly with legitimate developer activity.
Furthermore, the malware exhibits worm-like propagation capabilities. It can validate stolen npm credentials to identify further targets, inject malicious code into additional packages, and republish them under the guise of the compromised maintainer. This self-propagating logic creates an exponential growth loop within the npm ecosystem.

Indicators of Compromise (IoCs)
Security teams should monitor for the following indicators within their network and repository logs. Note: Domains and IPs have been defanged for safety.
Network Indicators
t[.]m-kosche[.]comhttps://t[.]m-kosche[.]com:443/api/public/otel/v1/traceshttps://fulcio[.]sigstore[.]dev/api/v2/signingCerthttps://rekor[.]sigstore[.]dev/api/v1/log/entries
GitHub Repository & Metadata Markers
Attackers are using reversed strings and Dune-themed nomenclature to mask their repositories:
niagA oG eW ereH :duluH-iahSniaga og ew ereh :duluh-iahsShai-Hulud: Here We Go Againresults/results-*.json
Repository Naming Patterns
Look for newly created repositories following the pattern: [dune-word]-[dune-word]-[digits]. Examples include:
sayyadina-stillsuit-852atreides-ornithopter-112harkonnen-phibian-552fremen-fedaykin-225kanly-lasgun-874
Disclaimer: IP addresses and domains are intentionally defanged to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your enterprise SIEM.