
Mini Shai-Hulud Strikes Again: 314 @antv npm Packages Hijacked in 22-Minute Burst

A new npm supply chain attack compromised 314 @antv packages, stealing developer credentials and spreading like a worm across npm.

Dateline: May 19, 2026

TeamPCP’s Mini Shai-Hulud Worm Just Poisoned the @antv Ecosystem. Check Your Lockfile.

Another week, another npm crisis. On May 19, attackers hijacked a single maintainer account and pushed 631 malicious versions across 314 packages in just 22 minutes, dragging the popular @antv data visualization ecosystem into the latest wave of the Mini Shai-Hulud worm. Anyone who ran an install during that window may have already lost their credentials.

What Happened?

Socket’s Threat Research team flagged the attack while it was still in progress. The compromised account, npm maintainer atool, was used to publish trojanized versions of @antv packages including @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g2plot, @antv/graphin, and @antv/data-set. Related packages outside the namespace were also hit, among them echarts-for-react (around 1.1 million weekly downloads), size-sensor, timeago.js, and canvas-nest.js.

The technique matches Mini Shai-Hulud, a self-replicating worm linked to the financially motivated group TeamPCP. Once a developer installs a poisoned version, a preinstall hook fires a 498KB obfuscated Bun script. The payload then sweeps the machine for AWS, GCP, Azure, GitHub, npm, SSH, Kubernetes, Vault, Stripe, and database credentials, plus .env files. Stolen secrets are exfiltrated by committing them as Git objects to public GitHub repositories. The malware also attempts a Docker container escape via the host socket.

Worse, the worm spreads on its own. After harvesting an npm token, it enumerates every package the victim controls, injects itself, and republishes infected versions automatically. According to SafeDep, 630 of the 631 malicious versions also planted an optionalDependencies entry pointing to imposter commits inside the legitimate antvis/G2 GitHub repository, giving the payload a second delivery path that looks completely trustworthy.

The Impact

This is the fifth major ecosystem hit in two weeks, following recent compromises of TanStack, OpenAI, Mistral AI, and Hugging Face-themed packages. Two OpenAI employee devices were caught in the TanStack wave alone, prompting the company to rotate macOS code-signing certificates. Mistral AI confirmed attackers reached non-core code repositories. Total reach across the recent waves runs into millions of weekly downloads.

For any team that pulled affected versions, the exposure is serious: leaked cloud keys, stolen GitHub PATs, compromised CI/CD pipelines, and the chance of attackers republishing your own packages under your name. The latest variants also wipe the user’s home directory if exfiltration fails.

How to Avoid This

  • Audit recent installs and lockfiles. Search for any @antv package, echarts-for-react, size-sensor, timeago.js, or canvas-nest.js pulled on or after May 19, 2026. Pin to known-good versions.
  • Rotate everything. If a compromised version touched your environment, rotate npm tokens, GitHub PATs, AWS keys, SSH keys, and any secrets stored in .env files.
  • Block Bun preinstall hooks you didn’t sanction. The payload requires Bun to execute, so flag unexpected Bun processes during installs.
  • Use cooldown policies. Block newly published package versions from being installed for 24 to 72 hours so malicious bursts can be caught before they reach your pipeline.
  • Enforce lockfile-only installs in CI and require integrity hashes for every dependency.
  • Hunt for unauthorized GitHub repos created under your org and for unexpected outbound traffic to suspicious C2 domains.
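
The lockfile checks from the list above can be scripted. The following is an added example, not code from the article or from any vendor named in it: it walks the `packages` map of a parsed `package-lock.json` (lockfileVersion 2 or 3) and flags entries that are named in this article, lack an integrity hash, resolve to a Git commit, or declare an install script. The function name `auditLockfile` and the sample lockfile are constructed for illustration.

```javascript
// Names come from the article. It lists no affected version numbers, so each
// "named-in-article" hit still has to be compared with the vendor advisories.
const NAMED = new Set(["echarts-for-react", "size-sensor", "timeago.js", "canvas-nest.js"]);
const isNamed = (name) => name.startsWith("@antv/") || NAMED.has(name);

// Audit a parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const at = path.lastIndexOf("node_modules/");
    if (at === -1 || meta.link) continue; // root project, workspace, symlink
    const name = meta.name || path.slice(at + "node_modules/".length);
    const reasons = [];
    if (isNamed(name)) reasons.push("named-in-article");
    // Bundled deps legitimately carry no hash of their own.
    if (!meta.integrity && !meta.inBundle) reasons.push("no-integrity-hash");
    // Second delivery path described above: a dependency fetched from a Git commit.
    if (/^(git\+|git:|github:)/.test(meta.resolved || "")) reasons.push("git-resolved");
    // npm sets this flag when a preinstall/install/postinstall script exists.
    if (meta.hasInstallScript) reasons.push("has-install-script");
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile; versions, hashes and the commit are placeholders.
const SAMPLE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@antv/g2": {
      version: "0.0.0-constructed", integrity: "sha512-CONSTRUCTED", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/@antv/g2/-/g2-0.0.0-constructed.tgz",
    },
    "node_modules/demo-lib/node_modules/size-sensor": {
      version: "0.0.0-constructed", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/size-sensor/-/size-sensor-0.0.0-constructed.tgz",
    },
    "node_modules/constructed-optional-dep": {
      version: "0.0.0-constructed", optional: true,
      resolved: "git+ssh://git@github.com/antvis/G2.git#CONSTRUCTED-COMMIT",
    },
    "node_modules/demo-lib": {
      version: "1.2.3", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/demo-lib/-/demo-lib-1.2.3.tgz",
    },
  },
};
for (const f of auditLockfile(SAMPLE)) console.log(f.name, f.version, f.reasons.join(","));
```

To audit a real project, pass the function the result of `JSON.parse` on the contents of `package-lock.json`; transitive copies nested under other packages are reported by their own name.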

Supply Chain Attacks Are Faster Than Your Triage Queue. Fix That.

When 314 packages get poisoned in 22 minutes, manual review isn’t going to save you. Secure.com gives lean security teams the leverage to catch these incidents before they spread.

  • AI-powered triage that filters noise and surfaces real supply chain signals across your stack
  • Automated enrichment that pulls context from EDR, cloud, identity, and CI/CD logs in seconds
  • Risk-based prioritization that weighs asset sensitivity, not just severity
  • Drag-and-drop workflows for containment, token rotation, and stakeholder alerts
  • Clean case management with full audit trails for incident reviews and compliance