Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
Microsoft identified an active supply chain attack targeting the @antv npm package ecosystem. A threat actor compromised an @antv maintainer account and published malicious versions of popular data-visualization packages, including echarts-for-react. The malicious payload executes silently during npm install and is designed to steal credentials from CI/CD environments such as GitHub Actions. It supports multi-platform credential theft, privilege escalation, and data exfiltration. Over 2,200 repositories were compromised, prompting GitHub to remove malicious packages and invalidate npm tokens. The attack specifically targets CI/CD pipelines and cloud workloads.
AI Analysis
Technical Summary
This campaign involves a supply chain attack on the @antv npm package ecosystem where an attacker compromised a maintainer account to publish malicious package versions. These packages contain a 499 KB obfuscated JavaScript payload that executes during npm install, targeting CI/CD environments, particularly GitHub Actions. The payload steals credentials across multiple platforms including GitHub, AWS, HashiCorp Vault, npm, Kubernetes, and 1Password. It employs techniques such as GitHub Action Runner process memory scraping, privilege escalation, dual-channel data exfiltration, and SLSA provenance forgery. The attack propagated through dependency chains into CI/CD pipelines and cloud workloads, affecting over 2,200 repositories. GitHub responded by removing 640 malicious packages and invalidating over 61,000 npm tokens to mitigate the threat.
Potential Impact
The attack enables theft of sensitive credentials from CI/CD pipelines and cloud workloads, potentially allowing unauthorized access to GitHub, AWS, HashiCorp Vault, npm, Kubernetes, and other services. This can lead to further compromise of development and deployment environments. Over 2,200 repositories were compromised, indicating widespread impact within the npm ecosystem. GitHub's removal of malicious packages and token invalidation mitigated further exploitation. No known exploits in the wild beyond the observed campaign have been reported.
Mitigation Recommendations
GitHub has removed 640 malicious packages from the npm registry and invalidated 61,274 npm tokens to disrupt the attack. Users should ensure they are not using compromised versions of @antv packages, especially echarts-for-react. It is recommended to audit dependencies for malicious versions and rotate any potentially exposed credentials used in CI/CD environments. Since this is a supply chain attack, verifying package provenance and using tools that enforce supply chain security best practices (e.g., SLSA compliance) is advised. Patch status is not explicitly confirmed; users should consult the vendor advisory and npm registry for updated safe package versions.
Indicators of Compromise
- domain: t.m-kosche.com
- hash: fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142
- hash: 7cb42f57561c321ecb09b4552802ae0ac55b3a7a
- url: http://t.m-kosche.com:443
- hash: 7f44e4ba6f6a71bd0f789e7f83bd3104
- hash: 8f8f24b6bc727e18295feaad45d17b44
- hash: 19b62ae4f76273645e36a60e7b7d23c05c16b395
- hash: a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c
- hash: a8269c01069452afb8a54de904e6419578d155fdbdb9e566bab8576a4266b61e
Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
Description
Microsoft identified an active supply chain attack targeting the @antv npm package ecosystem. A threat actor compromised an @antv maintainer account and published malicious versions of popular data-visualization packages, including echarts-for-react. The malicious payload executes silently during npm install and is designed to steal credentials from CI/CD environments such as GitHub Actions. It supports multi-platform credential theft, privilege escalation, and data exfiltration. Over 2,200 repositories were compromised, prompting GitHub to remove malicious packages and invalidate npm tokens. The attack specifically targets CI/CD pipelines and cloud workloads.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This campaign involves a supply chain attack on the @antv npm package ecosystem where an attacker compromised a maintainer account to publish malicious package versions. These packages contain a 499 KB obfuscated JavaScript payload that executes during npm install, targeting CI/CD environments, particularly GitHub Actions. The payload steals credentials across multiple platforms including GitHub, AWS, HashiCorp Vault, npm, Kubernetes, and 1Password. It employs techniques such as GitHub Action Runner process memory scraping, privilege escalation, dual-channel data exfiltration, and SLSA provenance forgery. The attack propagated through dependency chains into CI/CD pipelines and cloud workloads, affecting over 2,200 repositories. GitHub responded by removing 640 malicious packages and invalidating over 61,000 npm tokens to mitigate the threat.
Potential Impact
The attack enables theft of sensitive credentials from CI/CD pipelines and cloud workloads, potentially allowing unauthorized access to GitHub, AWS, HashiCorp Vault, npm, Kubernetes, and other services. This can lead to further compromise of development and deployment environments. Over 2,200 repositories were compromised, indicating widespread impact within the npm ecosystem. GitHub's removal of malicious packages and token invalidation mitigated further exploitation. No known exploits in the wild beyond the observed campaign have been reported.
Mitigation Recommendations
GitHub has removed 640 malicious packages from the npm registry and invalidated 61,274 npm tokens to disrupt the attack. Users should ensure they are not using compromised versions of @antv packages, especially echarts-for-react. It is recommended to audit dependencies for malicious versions and rotate any potentially exposed credentials used in CI/CD environments. Since this is a supply chain attack, verifying package provenance and using tools that enforce supply chain security best practices (e.g., SLSA compliance) is advised. Patch status is not explicitly confirmed; users should consult the vendor advisory and npm registry for updated safe package versions.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/"]
- Adversary
- null
- Pulse Id
- 6a0e3751a23f1487cbb26ac5
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domaint.m-kosche.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hashfb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142 | — | |
hash7cb42f57561c321ecb09b4552802ae0ac55b3a7a | — | |
hash7f44e4ba6f6a71bd0f789e7f83bd3104 | — | |
hash8f8f24b6bc727e18295feaad45d17b44 | — | |
hash19b62ae4f76273645e36a60e7b7d23c05c16b395 | — | |
hasha68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c | — | |
hasha8269c01069452afb8a54de904e6419578d155fdbdb9e566bab8576a4266b61e | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://t.m-kosche.com:443 | — |
Threat ID: 6a0f367de1370fbb481d2722
Added to database: 5/21/2026, 4:44:45 PM
Last enriched: 5/21/2026, 4:59:49 PM
Last updated: 5/21/2026, 5:50:52 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.