Mini Shai-Hulud Targets 323 npm Packages via @antv

🚨 Active supply chain attack compromises @antv npm packages, deploying credential stealers in a 300+ package wave. 🛠 Patch immediately if running affected versions. 🕵 Mini Shai-Hulud campaign linked to ongoing exploitation.


What Happened

A coordinated supply chain attack compromised the @antv npm packages, deploying a credential-stealing payload across 323 packages in the AntV data visualization ecosystem. The attack, tied to the Mini Shai-Hulud campaign, leveraged a compromised maintainer account to automate the release of malicious versions.

The compromised packages included both legitimate and malicious versions, with attackers embedding obfuscated backdoors and stealers. Socket.dev detected malicious node-ipc versions with behavior resembling credential theft, while Snyk reported over 300 malicious packages published in a 24-hour window.

The attack's scale and speed suggest pre-planned automation, with attackers exploiting the npm ecosystem's trust model to distribute payloads. CISA added the vulnerability to its KEV catalog, highlighting the risk of active exploitation.


How the Compromise Happened

The attack began with the compromise of a maintainer account for the @antv project. Once accessed, the attacker triggered an automated script that published hundreds of malicious package versions across 323 packages.

The script exploited npm's publish mechanism, allowing the attacker to inject malicious code into legitimate-looking packages. Each malicious version included a payload designed to steal credentials or execute arbitrary code.

The attack's automation suggests pre-planned infrastructure, with the attacker using a compromised account to bypass npm's rate limits and security checks. This method allowed the attacker to rapidly deploy payloads without triggering immediate detection.


Affected Packages and Versions

The attack targeted the AntV ecosystem, which includes multiple npm packages used for data visualization. Key affected packages include:

  • @antv/g2plot
  • @antv/g
  • @antv/data
  • @antv/chart

Each package was published with a malicious version that included a backdoor. The malicious versions were identical to legitimate ones, making detection difficult without audit checks.

The Snyk blog notes that the attacker used a compromised maintainer account to publish these versions, leveraging the trust associated with the @antv brand. This tactic allowed the attacker to bypass many security controls.


Exploitation Status

Active exploitation is confirmed. The malicious packages were published and distributed to users who installed them via npm. The payloads included a credential stealer, which exfiltrates user credentials to a remote server.

The CISA advisory highlights the vulnerability as a known exploited vulnerability, emphasizing the need for immediate patching. The attack's scale and speed suggest that the payload may have already been deployed to a significant number of systems.

The Snyk blog warns that the attack is part of a broader Mini Shai-Hulud campaign, which has targeted other npm packages, including SAP-related projects. This indicates a coordinated effort to exploit supply chain trust.


Detection Opportunities

Defenders can use the following methods to detect exposure:

# Check the npm audit report for affected @antv packages
# (the JSON report keys findings by package name; the string "vulnerable" does not match its "vulnerabilities" key)
npm audit --json | grep -i '"@antv/'

# Sigma detection rule for credential stealer activity
title: Suspicious npm Package Execution
logsource:
  product: npm
detection:
  selection:
    package_name: "@antv/*"
    version: ">=1.2.0"
    command_line: "npm install"
  condition: selection

Monitoring npm audit logs and checking for unexpected package versions is critical. The Snyk blog recommends using their free tools to scan for vulnerable dependencies.
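
One way to carry out the "unexpected package versions" check described above, as an added example that is not from the article or its sources: a Node.js script that lists every @antv/* entry in a package-lock.json and flags deny-listed versions. The deny-list entry, sample lockfile and script name are constructed placeholders; hasInstallScript and the registry check are generic review signals, not indicators the article attributes to this campaign.

```javascript
// Added example, not from the article: scan a package-lock.json (lockfileVersion 2/3)
// for @antv/* entries and flag versions listed in a deny-list.
const SCOPE = "@antv/";
const REGISTRY = "https://registry.npmjs.org/";

// Placeholder deny-list (constructed): replace with "name@version" pairs from the advisories.
const DENYLIST = new Set(["@antv/g@0.0.0-placeholder"]);

function scanLockfile(lock, denylist = DENYLIST) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@antv/g"; the root project is "".
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (!name.startsWith(SCOPE)) continue;
    findings.push({
      name,
      version: meta.version,
      path,
      denied: denylist.has(`${name}@${meta.version}`),
      // Install hooks run code during `npm install`, so review them by hand.
      hasInstallScript: meta.hasInstallScript === true,
      // A tarball resolved from outside the public registry also merits review.
      offRegistry: typeof meta.resolved === "string" && !meta.resolved.startsWith(REGISTRY),
    });
  }
  return findings;
}

// Constructed sample lockfile; versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@antv/g2plot": { version: "9.9.9", resolved: REGISTRY + "@antv/g2plot/-/g2plot-9.9.9.tgz" },
    "node_modules/dash/node_modules/@antv/g": { version: "0.0.0-placeholder", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Usage: node scan-antv.js path/to/package-lock.json (no argument: scan the sample).
async function main(file) {
  const useFile = typeof file === "string" && file.endsWith(".json");
  const lock = useFile ? JSON.parse((await import("node:fs")).readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const f of scanLockfile(lock)) console.log(JSON.stringify(f));
}
main(process.argv[2]).catch((e) => { console.error(e.message); process.exitCode = 1; });
```

Because the scan reads the lockfile rather than node_modules, it also catches transitive @antv dependencies nested under other packages.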


Defensive Guidance

Organizations should take the following steps to mitigate risk:

  1. Audit npm dependencies: Use npm audit to check for vulnerable packages.
  2. Block suspicious packages: Configure npm to reject packages from untrusted sources.
  3. Monitor for unusual activity: Check npm logs for unexpected package installations.
  4. Update to patched versions: Ensure all npm packages are updated to versions released after the attack.

The CISA advisory emphasizes the importance of patching known exploited vulnerabilities. Organizations should prioritize updating to the latest versions of affected packages.


Timeline

  • May 14, 2026: Socket.dev detects malicious node-ipc versions with obfuscated stealers.
  • May 15, 2026: Snyk reports over 300 malicious @antv packages published via a compromised maintainer account.
  • May 15, 2026: CISA adds the vulnerability to its KEV catalog, highlighting active exploitation.
  • May 16, 2026: Siemens releases a patch for the gWAP vulnerability, linked to the same attack vector.

Why This Matters

The attack underscores the risks of supply chain vulnerabilities, particularly in widely used npm packages. By compromising a maintainer account, attackers bypassed traditional security controls, exploiting the trust users place in package repositories.

The scale of the attack (over 300 malicious packages published in 24 hours) demonstrates the potential for rapid, widespread exploitation. This method could be replicated against other npm projects, making supply chain security a critical priority.


What Remains Unclear

  • Attribution: While the attack is linked to Mini Shai-Hulud, no definitive attribution has been confirmed.
  • Impact scope: The number of systems affected by the credential stealer is not yet known.
  • Long-term effects: The full impact of the attack on the npm ecosystem and its users remains under investigation.

Sources

  1. https://socket.dev/blog/antv-packages-compromised
  2. https://snyk.io/blog/mini-shai-hulud-antv-npm-supply-chain-attack/
  3. https://www.cisa.gov/news-events/alerts/2026/05/15/cisa-adds-one-known-exploited-vulnerability-catalog
  4. https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-01
  5. https://www.sophos.com/en-us/blog/-mini-shai-hulud-supply-chain-attack-targets-sap-npm-packages
Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -