The Mini Shai-Hulud Worm and the Weaponization of Sigstore Provenance
The npm ecosystem is facing a sophisticated new evolution of the Mini Shai-Hulud malware. This latest campaign has successfully compromised over 600 packages, utilizing advanced evasion techniques that exploit the very trust mechanisms designed to secure the software supply chain. By forging Sigstore provenance, the attackers have managed to bypass traditional automated security gates.
The primary blast radius was centered on the @antv ecosystem, though the infection quickly metastasized into other widely utilized developer tools and libraries. The attack was characterized by its surgical precision and extreme velocity, executing a massive wave of malicious publishes within a narrow 27-minute window (01:39 to 02:06 UTC).
The threat actors utilized a “dormant package” strategy, targeting neglected repositories like jest-canvas-mock and size-sensor. Because these packages had seen little activity for years, they provided an ideal, low-friction entry point for injecting malicious code and initiating lateral propagation across the registry.
From these initial footholds, a worm-like mechanism spread through dozens of @antv packages—essential components for data visualization and graph rendering—as well as utilities under the @lint-md and @openclaw-cn namespaces. Security researchers from Endor Labs and Socket identified the campaign on May 19, 2026. While initially detecting 42 malicious packages, the scope rapidly ballooned to at least 633 compromised versions across hundreds of unique packages.
🚨 BREAKING: Socket is investigating an active npm supply chain attack compromising hundreds of packages in the @antv ecosystem. The malicious publish wave appears tied to Mini Shai-Hulud and packages connected to the npm maintainer account atool.
Technical Breakdown: Weaponizing Verified Provenance
Perhaps the most alarming technical aspect of this campaign is the abuse of the Sigstore framework. Rather than attempting to bypass cryptographic checks, the malware co-opts them. The malware dynamically generates valid signing certificates via Fulcio and records these entries in Rekor transparency logs.
To a developer or an automated CI/CD scanner, these packages appear perfectly legitimate, sporting the “verified” provenance badges that are intended to signal security. However, these signatures only prove that a build occurred under certain credentials; they do not prove that the original maintainer authorized the code change. In this instance, the attackers used stolen credentials and CI/CD tokens to produce seemingly authentic, cryptographically signed builds.
The malware utilizes two primary delivery vectors to ensure execution:
- Phantom Dependency Injection: The attackers leverage
optionalDependenciesthat reference specific GitHub commits. This triggers a hidden payload during thenpm installlifecycle. The payload executes and then fails silently, ensuring that the malicious code does not remain in thenode_modulesdirectory, effectively leaving no forensic footprint in the local filesystem. - Embedded Payload Execution: High-impact packages (such as
@antv/l7-core) include an obfuscatedindex.jsfile. This is triggered via apreinstallscript, ensuring the malicious logic runs before the dependency resolution process is even complete.
"preinstall": "bun run index.js"
Credential Exfiltration and Persistence Mechanisms
The Mini Shai-Hulud payload is a specialized harvester designed to target high-value secrets within developer workstations and automated pipelines. Its primary targets include:
- GitHub and npm authentication tokens.
- AWS credentials via the Instance Metadata Service (IMDS) endpoints.
- Google Cloud service account keys.
- HashiCorp Vault tokens and various CI/CD environment secrets.
To maintain a foothold, the malware modifies local configuration files, such as .vscode/tasks.json and .claude/settings.json. These modifications allow the malware to re-execute itself even after the original malicious package has been uninstalled.
Exfiltration has also become significantly stealthier. Unlike earlier variants that used obvious HTTP requests, this wave utilizes encrypted channels to blend in with standard network traffic:
- Session-based peer-to-peer (P2P) traffic over HTTPS.
- Payload encryption using AES-256-GCM and RSA-OAEP.
- The use of public GitHub repositories as “dead-drop” storage for stolen data.
Mitigation and Incident Response
Given the sophistication of this attack, organizations should treat any installation of a package from the affected namespaces on May 19, 2026, as a high-severity incident. We recommend the following immediate actions:
- Freeze Dependencies: Avoid updating or installing new packages in the @antv or related namespaces. Pin your dependencies to known-safe versions.
- Audit Installation Scripts: Utilize
npm install --ignore-scriptsto prevent lifecycle hooks from executing during development or builds. - Credential Rotation: If a compromise is suspected, rotate all GitHub tokens, npm tokens, AWS keys, and Cloud provider secrets immediately.
- Enhanced Monitoring: Watch for anomalous outbound traffic to unusual domains or unexpected activity in your CI/CD pipelines.
Indicators of Compromise (IoCs)
File System Indicators
| File / Path | Technical Notes |
|---|---|
index.js (at package root) |
~500KB obfuscated payload. SHA-256 for @antv/l7-core: a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c |
<project>/.claude/settings.json |
Look for unauthorized SessionStart hooks. |
<project>/.vscode/tasks.json |
Look for suspicious "runOn": "folderOpen" entries. |
<project>/.github/workflows/format-check.yml |
Injected workflows designed for secrets exfiltration. |
Network and Registry Indicators
| Indicator | Notes |
|---|---|
filev2.getsession[.]org/file/ |
Primary P2P exfiltration channel (TCP/443). |
github:antvis/G2#... (in optionalDependencies) |
“Phantom commits” used for silent dependency injection. |
@antv/setup |
A non-existent package used as a malicious optionalDependency. |
Code-Level Markers
| Marker | Functionality |
|---|---|
__DAEMONIZED |
Re-entrancy guard to prevent multiple simultaneous executions. |
169.254.169.254 |
AWS IMDSv2 endpoint targeted for credential harvesting. |
VAULT_TOKEN |
Plaintext string used to identify HashiCorp Vault secrets. |