The Mini Shai-Hulud supply chain attack campaign has claimed another victim: researchers have discovered that threat actors compromised the atool npm maintainer account — responsible for publishing a significant portion of the @antv visualization library ecosystem — and used the access to push malicious package versions delivering infostealer payloads and worm injection code to developers' machines.
The @antv suite is a widely used collection of data visualization and graph analysis libraries developed by Ant Group (Alibaba's financial affiliate). Its components power dashboards, graph visualizations, and data analysis tools across thousands of production applications.
The @antv Ecosystem
The @antv (Ant Visualization) namespace on npm encompasses a large suite of interconnected JavaScript libraries for data visualization and graph computation:
- @antv/g — a canvas/SVG rendering engine
- @antv/g6 — graph visualization and network analysis
- @antv/graphin — React-based graph visualization built on G6
- @antv/x6 — node-edge diagramming library
- @antv/s2 — multi-dimensional data table visualization
- @antv/l7 — geospatial data visualization
These packages are used by enterprise applications, analytics platforms, financial dashboards, and developer tools globally, with several packages exceeding hundreds of thousands of weekly downloads.
How the Attack Unfolded
According to The Hacker News, the attack follows the established Mini Shai-Hulud pattern:
- Account compromise: Threat actors gained access to the atool npm maintainer account, which has publish rights across multiple @antv packages
- Malicious version publication: New versions of affected @antv packages were published containing the dual payload:
  - An infostealer component that scans the developer's machine for credentials, tokens, and sensitive configuration files
  - A worm injection component that scans for package.json files in nearby projects and, if npm publish credentials are found, republishes infected versions
- Propagation: Any developer who installs an infected @antv package and has npm publish credentials stored locally becomes an unwitting participant in spreading the worm further through their own published packages
The attack specifically targets the atool account because it has maintainer access to a broad slice of the @antv ecosystem, meaning a single account compromise enables poisoning of many packages simultaneously.
Payload Analysis
The malicious packages reported by researchers deliver a two-stage payload consistent with the Mini Shai-Hulud campaign's established tooling:
Stage 1: Infostealer
The infostealer component activates at install time (via a postinstall lifecycle hook) and targets:
- npm tokens — .npmrc files in the home directory and project directories
- Shell configuration — .bashrc, .zshrc, and .profile for exported environment variables containing API keys
- Git credentials — stored credentials and SSH keys
- Cloud provider CLI configs — AWS ~/.aws/credentials, Azure ~/.azure/, GCP ~/.config/gcloud/
- IDE and tool configs — VS Code settings, .env files in project directories
Harvested credentials are sent to an attacker-controlled command-and-control server.
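Because Stage 1 runs from a postinstall lifecycle hook, a lockfile review shows which @antv entries a project pins and whether any of them declare install-time scripts. The following is an added example, not code from the original article or from npm; `auditScope` and the sample lockfile are constructed for illustration, and it assumes a lockfileVersion 2 or 3 package-lock.json.

```javascript
// Added example. The lockfile is constructed sample data; versions are placeholders,
// not real @antv releases. hasInstallScript is the flag npm records in
// lockfileVersion 2/3 when a package declares install-time scripts.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard-example", version: "1.0.0" },
    "node_modules/@antv/g6": {
      version: "0.0.1-example",
      integrity: "sha512-CONSTRUCTED",
      hasInstallScript: true
    },
    // Transitive copy nested under another (hypothetical) package.
    "node_modules/chart-kit-example/node_modules/@antv/g": {
      version: "0.0.2-example",
      integrity: "sha512-CONSTRUCTED"
    },
    "node_modules/@antv/x6": { version: "0.0.3-example" },
    "node_modules/@antv-lookalike/g6": { version: "0.0.4-example", hasInstallScript: true }
  }
};

function auditScope(lock, scope) {
  if (!lock.packages) {
    throw new Error("need lockfileVersion 2 or 3 (no 'packages' map found)");
  }
  const marker = "node_modules/";
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const at = path.lastIndexOf(marker);
    if (at === -1) continue; // root project or workspace entry
    // The name follows the LAST node_modules/ segment, so nested copies count.
    const name = path.slice(at + marker.length);
    if (!name.startsWith(scope + "/")) continue;
    const flags = [];
    if (meta.hasInstallScript) flags.push("install-script");
    if (!meta.integrity) flags.push("no-integrity");
    findings.push({ name, version: meta.version, path, flags });
  }
  return findings;
}

// For a real project, parse package-lock.json and pass it in place of sampleLock.
for (const f of auditScope(sampleLock, "@antv")) {
  console.log(`${f.name}@${f.version}  [${f.flags.join(", ") || "ok"}]  ${f.path}`);
}
```

Installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running while flagged entries are being reviewed.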
Stage 2: Worm Injection
If the infostealer discovers valid npm publish credentials, the worm component:
- Scans parent directories for package.json files
- Injects itself as a dependency in found project manifests
- Attempts to publish new infected versions of any packages the victim maintains
- This creates new infection vectors that spread the attack to the victim's downstream package consumers
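One way to check a project for the manifest changes Stage 2 makes is to compare the working-tree package.json with a trusted baseline, such as the last reviewed commit. This is an added example, not code from the article or from any analysis of the worm; `manifestDrift`, the package names and both manifests are constructed.

```javascript
// Added example. Both manifests are constructed; "example-injected-pkg" and
// "my-lib-example" are hypothetical names.
const baseline = {
  name: "my-lib-example", version: "1.2.0",
  dependencies: { "dep-example": "^1.0.0" },
  scripts: { test: "node test.js" }
};
const workingTree = {
  name: "my-lib-example", version: "1.2.1",
  dependencies: { "dep-example": "^1.0.0", "example-injected-pkg": "^0.0.1" },
  scripts: { test: "node test.js", postinstall: "node setup.js" }
};

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
// Scripts npm runs on install or publish without being invoked by name.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare",
                   "prepack", "postpack", "prepublishOnly", "publish", "postpublish"];
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function manifestDrift(before, after) {
  const drift = [];
  for (const field of DEP_FIELDS) {
    const old = before[field] || {};
    for (const [name, range] of Object.entries(after[field] || {})) {
      if (!own(old, name)) drift.push({ kind: "added-dependency", field, name, value: range });
      else if (old[name] !== range) drift.push({ kind: "changed-range", field, name, value: range });
    }
  }
  const oldScripts = before.scripts || {};
  for (const [hook, cmd] of Object.entries(after.scripts || {})) {
    if (LIFECYCLE.includes(hook) && oldScripts[hook] !== cmd) {
      drift.push({ kind: "lifecycle-script", field: "scripts", name: hook, value: cmd });
    }
  }
  if (before.version !== after.version) {
    drift.push({ kind: "version-change", field: "version", name: after.name, value: after.version });
  }
  return drift;
}

for (const d of manifestDrift(baseline, workingTree)) {
  console.log(`${d.kind}: ${d.name} -> ${d.value}`);
}
```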
Affected Packages
The attack affects packages tied to the atool maintainer account within the @antv namespace. Developers should check whether any @antv packages in their dependency tree have versions published around the compromise window (mid-May 2026) and verify integrity via npm's provenance features or by inspecting the published tarball.
Use the following to audit your projects:
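```bash
# Check for @antv packages anywhere in your dependency tree (including transitive ones)
npm ls --all | grep '@antv'
# Or check direct dependencies in package.json
grep '@antv' package.json
# Verify registry signatures and provenance attestations of installed packages
npm audit signatures
# Check installed versions against published advisories
npm audit
```
Immediate Response Steps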
For Developers Who Installed @antv Packages
1. Determine your exposure window
Check when you last ran npm install and whether any @antv packages were installed or updated during the compromise period.
2. Revoke npm tokens immediately
```bash
# List your npm tokens
npm token list
# Revoke a token by ID; repeat for each token (you will need to log in again)
npm token revoke <token-id>
# Or revoke all at once via the npm website: npmjs.com → Account Settings → Access Tokens
```
3. Rotate cloud and API credentials
Assume any credentials stored in your shell config, .npmrc, or environment variables are compromised. Rotate:
- AWS/Azure/GCP credentials
- GitHub Personal Access Tokens
- Any service API keys referenced in .env files or shell exports
4. Audit recently published packages
If you maintain npm packages, immediately check your published versions for unauthorized modifications:
```bash
# List the files your local source would publish
npm pack --dry-run
# Compare a published version with your local source (run from the package directory)
npm diff --diff=<package-name>@<version>
```
5. Enable npm 2FA
Require two-factor authentication for all publish operations:
```bash
npm profile enable-2fa auth-and-writes
```
For Organizations
- Block or review @antv installs in your npm private registry or Artifactory until affected versions are identified and removed
- Require package provenance — npm now supports linking published packages to verified GitHub Actions workflows, making supply chain attacks easier to detect
- Implement CI/CD secret isolation — ensure CI/CD environments do not have access to production npm publish credentials
- Apply allowlisting in your private registry for @antv packages, requiring manual approval for new versions during the incident period
The Ongoing Mini Shai-Hulud Campaign
This attack is the latest in the Mini Shai-Hulud campaign wave that began with the TeamPCP group's compromise of TanStack packages in April 2026. Since TeamPCP publicly released the Shai-Hulud worm source code on May 15, 2026, the number of independent actors deploying variants has grown significantly.
Previous confirmed Mini Shai-Hulud targets include:
- TanStack query, router, and form packages
- Mistral AI npm packages (source code subsequently advertised for sale)
- Guardrails AI Python packages
- Checkmarx Jenkins AST plugin
- PyTorch Lightning and Intercom client packages
- Various SAP-related npm packages
The @antv compromise demonstrates that the campaign is broadening from individual high-profile packages to entire ecosystem namespaces — a shift that dramatically increases the potential blast radius of each attack.
npm Ecosystem Response
npm (GitHub) has been notified and is working to remove the malicious package versions. Package provenance enforcement and improved tag integrity features are being discussed as ecosystem-level mitigations.
However, the fundamental tension remains: npm's design prioritizes developer convenience over security, and the ability to publish new package versions through a compromised maintainer account with no additional verification creates a systemic vulnerability that individual package hardening cannot fully address.
References
- The Hacker News — Mini Shai-Hulud Pushes Malicious AntV npm Packages
- CosmicBytez Labs — Shai-Hulud Worm Clones Spread After Code Release
- CosmicBytez Labs — TeamPCP Releases Shai-Hulud Worm Source Code
- CosmicBytez Labs — Mini Shai-Hulud Worm Compromises TanStack, Mistral AI
- CosmicBytez Labs — OpenAI Confirms Security Breach in TanStack Supply Chain Attack