Mini Shai‑Hulud Worm Trojanizes Dozens of @antv npm Packages

Attackers who hijacked npm maintainer account ‘atool’ published trojanized versions of dozens of @antv and related packages, embedding a credential stealer that exfiltrates data to t.m-kosche[.]com.

Security researchers report that attackers who gained control of the npm maintainer account ‘atool’ pushed trojanized releases of dozens of @antv packages and related modules, inserting a credential‑stealing payload into widely used libraries.

Analysts counted roughly 639 malicious package versions published across 323 unique packages, including about 558 versions across 279 packages in the @antv namespace. Affected modules include charting and visualization libraries such as @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin and @antv/data-set, plus popular non‑@antv modules such as echarts-for-react, timeago.js, size-sensor and canvas-nest.js. The echarts-for-react package registers roughly 1.1 million weekly downloads.

The injected malware harvests more than 20 types of credentials, including cloud provider keys for Amazon Web Services, Google Cloud and Microsoft Azure, GitHub and npm tokens, SSH keys, Kubernetes credentials, Vault secrets, Stripe keys and database connection strings. The payload attempts to escape Docker containers by accessing the host socket.

Collected data is serialized, compressed, encrypted and sent to the command‑and‑control endpoint at t.m-kosche[.]com:443. If exfiltration over that channel fails, the code can use stolen GitHub tokens to create public repositories in victims’ accounts and commit the stolen data as JSON files. Those repositories include a description text that reverses to “Shai‑Hulud: Here We Go Again,” a marker now found in more than 2,200 GitHub repositories.

Researchers describe how the attackers abused stolen npm credentials to propagate inside the registry. The workflow validates tokens with the npm API, enumerates packages owned by the compromised account, downloads package tarballs, injects the stealer, adds a preinstall hook that runs ‘bun run index.js’, increments package versions and republishes the tampered packages under the maintainer’s identity. Many compromised releases also added an optionalDependencies entry that pulled a second copy of the payload from imposter commits in the antvis/G2 GitHub repository.
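The two manifest changes described above (the `bun run index.js` preinstall hook and an optionalDependencies entry resolving to the antvis/G2 repository) can be triaged with a check like the following. This is an added example, not code from the researchers or from the article; the dependency specifier formats it recognizes are assumptions based on the forms npm accepts, and the sample manifests, package names and commit id are constructed placeholders.

```javascript
// Added example (not from the article): heuristic triage of one parsed
// package.json for the two execution paths described above.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];
const BUN_HOOK = /\bbun\s+run\s+index\.js\b/i; // hook command named in the article
// Ways npm lets a dependency point at a Git host instead of the registry.
const GIT_SPEC = /^(?:github:|git\+|git:\/\/|https?:\/\/(?:codeload\.)?github\.com\/|[\w.-]+\/[\w.-]+(?:#|$))/i;
// Matches antvis/G2 but not sibling repositories such as antvis/G2Plot.
const G2_REPO = /(?:^|[:/])antvis\/G2(?:\.git)?(?:[#/]|$)/i;

function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd === 'string' && BUN_HOOK.test(cmd)) {
      findings.push({ severity: 'high', field: `scripts.${hook}`, value: cmd });
    }
  }
  const optional = manifest.optionalDependencies || {};
  for (const [name, spec] of Object.entries(optional)) {
    if (typeof spec !== 'string' || !GIT_SPEC.test(spec)) continue;
    // Any Git-sourced optional dependency deserves review; antvis/G2 is the
    // repository the article names as hosting the imposter commits.
    const severity = G2_REPO.test(spec) ? 'high' : 'review';
    findings.push({ severity, field: `optionalDependencies.${name}`, value: spec });
  }
  return findings;
}

// Constructed sample manifests: names, versions and commit id are placeholders.
const SAMPLE_TROJANIZED = {
  name: 'example-chart-lib', version: '9.9.9',
  scripts: { build: 'tsc', preinstall: 'bun run index.js' },
  optionalDependencies: {
    'example-helper': 'github:antvis/G2#0000000000000000000000000000000000000000',
  },
};
const SAMPLE_CLEAN = {
  name: 'example-clean-lib', version: '1.0.0',
  scripts: { build: 'tsc', postinstall: 'node scripts/notice.js' },
  optionalDependencies: { fsevents: '^2.3.3' },
};

for (const m of [SAMPLE_TROJANIZED, SAMPLE_CLEAN]) {
  console.log(m.name, JSON.stringify(auditManifest(m)));
}
```

Feed it each parsed package.json found under node_modules or in a registry mirror; a finding is a lead to verify against the published advisories, not proof of compromise.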

One security firm observed a rapid, automated burst in which 314 packages and more than 600 versions were published within about 22 minutes with an identical obfuscated payload. That pattern is consistent with the self‑replicating Mini Shai‑Hulud campaign moving quickly through open‑source registries.

Attribution traces the original self‑replicating framework to a financially motivated actor referred to by researchers as TeamPCP. TeamPCP published the framework’s source code and announced a contest, after which other actors uploaded at least four malicious npm packages that mirror the worm’s behavior. One of those packages contains a near‑verbatim copy of the worm and operates with a separate command‑and‑control infrastructure.

Security teams caution that the campaign leverages two execution paths to ensure delivery of the stealer and that open‑sourcing the offensive framework has lowered the barrier for copycat attacks. One firm noted that the publishing account involved is connected to widely used packages across data visualization and React component ecosystems and warned that even a subset of malicious updates creates downstream exposure for organizations that automatically update dependencies.

Another vendor described the operation as designed for large‑scale credential theft and pointed to automated development workflows (cloud‑connected CI runners, GitHub Actions, package registries and container registries) as environments directly exposed when trusted packages are trojanized.
