Mini Shai-Hulud Hits Hundreds of npm Packages in AntV Ecosystem

By Team-CWD, May 20, 2026

The Mini Shai-Hulud worm has resurfaced in one of its largest single-registry waves to date, hitting hundreds of npm packages tied to the AntV data visualization ecosystem in a coordinated burst lasting around an hour.

According to new analysis by Socket’s Threat Research Team, the attack began around 01:56 UTC on May 19 and pushed 639 malicious versions across 323 unique packages before stopping roughly an hour later.

Microsoft, which has previously published Defender protection guidance for the broader Mini Shai-Hulud campaign, has also provided updates from its own investigation into the new supply chain attack via X on Tuesday, May 19.

Several affected packages are high-download npm dependencies, including echarts-for-react, size-sensor, @antv/scale, and timeago.js, among others. The compromised npm maintainer account, “atool,” held publish rights to more than 500 packages.

Compromised Account, Familiar Playbook

Each malicious version added a preinstall hook to package.json that executes a 498 KB obfuscated Bun bundle, harvesting cloud credentials, CI/CD tokens, SSH keys, Kubernetes service account tokens and local password manager vaults.

The payload exfiltrated stolen data through public GitHub repositories created using stolen tokens, named after Dune universe terminology with descriptions containing a reversed marker reading “Shai-Hulud: Here We Go Again.”

Avital Harel, security research lead at Upwind, said the operation appeared mature and defender-aware, with attackers anticipating the tools used to detect and analyze malware.

“The campaign was not only built to spread, but also to slow down analysis,” she explained.

Read more on this campaign: Mini Shai-Hulud Hits TanStack npm Packages

Socket described the tradecraft as consistent with a “high-volume npm compromise pattern involving coordinated malicious publishes.”

Across all waves, the company has tracked 1055 compromised versions across 502 unique packages spanning npm, PyPI and Composer.

StepSecurity, which has logged more than 2500 GitHub repositories containing campaign markers, attributed the wider activity to a financially motivated cluster known as TeamPCP.

Trusted-Repo Hosting via Imposter Commits

The AntV wave extended a payload-delivery technique used in earlier waves: the vast majority of malicious versions inject an optionalDependencies entry that points to orphan commits, this time planted in an unrelated but trusted repository, antvis/G2, with forged authorship matching a real maintainer of that project to discourage closer inspection.

GitHub stores commits in a shared object pool across a repository’s fork network, and npm’s github: resolver fetches by commit hash without checking which fork a commit lives on. That lets an attacker push a commit to their own fork of antvis/G2 and have it served from the parent repo’s URL.
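A defender-side check for the two manifest-level traits described above (an install lifecycle hook, and a dependency pinned to a bare commit hash on a github: ref whose fork of origin npm cannot verify). This is an added example, not code from the article or from Socket, Microsoft or AntV; the sample package.json is constructed, and a hit is a prompt for review, not proof of compromise.

```python
import json
import re

# Constructed sample manifest in the shape the article describes: a preinstall
# hook that runs a bundled script, plus an optionalDependencies entry pinned to
# a bare commit hash on a github: ref. Package name and hash are made up.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-widget",
    "version": "1.2.3",
    "scripts": {"preinstall": "bun ./setup_bun.js", "build": "tsc"},
    "dependencies": {"lodash": "^4.17.21"},
    "optionalDependencies": {
        "g2-helper": "github:antvis/G2#0123456789abcdef0123456789abcdef01234567"
    },
})

# github: shorthand or git+https GitHub URL, followed by "#<hex commit hash>".
# A commit hash resolves through the fork network's shared object pool, so the
# named repository gives no assurance about where the commit was pushed.
COMMIT_REF = re.compile(
    r"^(github:|git\+https?://github\.com/)[^#]+#([0-9a-f]{7,40})$", re.I
)


def audit_manifest(text: str) -> list:
    """Return human-readable findings for install-time risk in a package.json."""
    pkg = json.loads(text)
    findings = []
    scripts = pkg.get("scripts", {})
    # Lifecycle hooks run arbitrary commands during `npm install`.
    for hook in ("preinstall", "install", "postinstall"):
        if hook in scripts:
            findings.append(f"lifecycle hook {hook!r}: {scripts[hook]}")
    # Git dependencies pinned to a bare commit in any dependency field.
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(field, {}).items():
            if isinstance(spec, str) and COMMIT_REF.match(spec):
                findings.append(f"{field}.{name} resolves a bare commit hash: {spec}")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_PACKAGE_JSON):
        print("FINDING:", line)
```

Run it over every package.json in node_modules after a fresh install to surface the same traits in transitive dependencies.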

Isaac Evans, founder and CEO of software security firm Semgrep, said the cascade reflects a structural problem with how dependencies are trusted.

“A package you have trusted for years can suddenly become the delivery mechanism,” he warned.

Snyk advised that affected organizations treat any secret accessible during installation as compromised, including organization-scoped GitHub Actions secrets and OIDC tokens.

Recommended steps include pinning dependencies to versions published before May 19, rotating all credentials exposed to affected build environments and auditing GitHub accounts for unauthorized repository creation matching the campaign’s Dune-themed naming pattern and reversed-string description marker.
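Two of the recommended steps, as an added example that is not part of the article or any vendor's tooling: choosing the newest version of a package published before May 19 from the registry's per-version publish timestamps (the npm packument's time field, shown here as a constructed fragment), and checking a repository description for the reversed campaign marker.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed fragment in the shape of the npm registry's "time" field
# (version -> ISO 8601 publish timestamp). Versions and dates are made up.
SAMPLE_TIME = {
    "created": "2021-03-01T10:00:00.000Z",
    "modified": "2026-05-19T02:30:00.000Z",
    "1.0.0": "2021-03-01T10:00:00.000Z",
    "1.1.0": "2024-11-12T08:15:00.000Z",
    "1.1.1": "2026-05-19T02:10:00.000Z",  # published inside the attack window
}

# Pin to versions published before May 19, 2026 (UTC), per the article.
CUTOFF = datetime(2026, 5, 19, tzinfo=timezone.utc)
# Marker reported in the exfiltration repositories' descriptions, stored reversed.
MARKER = "Shai-Hulud: Here We Go Again"
NON_VERSION_KEYS = {"created", "modified", "unpublished"}


def last_version_before(time_field: dict, cutoff: datetime = CUTOFF) -> Optional[str]:
    """Newest version whose publish time precedes the cutoff, or None if there is none."""
    best = None
    for version, stamp in time_field.items():
        if version in NON_VERSION_KEYS:
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if published < cutoff and (best is None or published > best[1]):
            best = (version, published)
    return best[0] if best else None


def has_reversed_marker(description: Optional[str]) -> bool:
    """True if a repository description carries the reversed campaign marker."""
    return MARKER[::-1] in (description or "")


if __name__ == "__main__":
    print("pin to:", last_version_before(SAMPLE_TIME))
    print("marker hit:", has_reversed_marker(MARKER[::-1]))
```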
