Threat actors have published more than 600 malicious packages to the **Node Package Manager (npm)** index as part of a new **Shai-Hulud** supply-chain campaign. Most of the affected packages are in the `@antv` ecosystem, which includes libraries for charting, graph visualization, building flowcharts, and mapping. However, popular packages outside this namespace have also been compromised. ### One-hour attack As in the previous **Shai-Hulud** campaign impacting **TanStack** and **Mistral** packages, the payload collects secrets from developer and CI/CD environments and exfiltrates them over the Session P2P network to complicate detection and takedown efforts. The threat actor also used **GitHub** as a fallback exfiltration mechanism and published stolen data in repositories under victims' accounts when tokens used for publishing were found. According to application security company **Socket**, the hackers published 639 malicious versions across 323 unique packages in about one hour on May 19, between 01:56 UTC and 02:56 UTC. The attack started with compromising the npm account `atool`, which publishes the packages in the `@antv` namespace. Some of the impacted libraries include: * echarts-for-react * @antv/g2 * @antv/g6 * @antv/x6 * @antv/l7 * @antv/g2plot * @antv/graphin * timeago.js * size-sensor * canvas-nest.js **Endor Labs** researchers highlight that some of the packages (e.g., timeago.js, size-sensor, and jest-canvas-mock) had not received a legitimate update for a long time and were less likely to have their OIDC trusted publishing security feature configured. For instance, although the *jest-canvas-mock* still has 10 million monthly downloads, it has been dormant for about 3 years. **Socket** researchers maintain a list of package artifacts affected by all **Shai-Hulud** attacks, which has grown to more than 1,000 entries. The **Shai-Hulud** campaigns started last September and continue to affect multiple software ecosystems, such as npm, PyPI, and Composer, to a lesser degree. ### Publishing to GitHub The malware compromises maintainer accounts or publishing tokens to push legitimate packages with malicious code that steals developer and CI/CD secrets, and can spread to other projects using the stolen credentials. The latest wave involves the injection of a heavily obfuscated ‘index.js’ payload that attempts to steal **GitHub**, npm, cloud, Kubernetes, Vault, Docker, database, and SSH credentials. It primarily targets developer workstations and CI/CD environments, including **GitHub Actions**, GitLab CI, Jenkins, Azure DevOps, CircleCI, Vercel, Netlify, and other build platforms. The stolen data is serialized, Gzip-compressed, AES-256-GCM-encrypted, and RSA-OAEP-wrapped to make network inspection harder. When **GitHub** credentials are available, the malware uses the **GitHub** API to automatically create new repositories under the victim’s account and upload the stolen data to them. Repos published as a result of this attack have a Readme file with the string `niaga og ew ereh :duluh-iahs`, which is the reverse of *Shai-Hulud: Here We Go Again*, a phrase used in the **Shai-Hulud** malware leak last week. A report from software security platform **Aikido** notes that there are more than 2,700 rogue repositories on **GitHub** matching the campaign’s markers. A search before publishing this article shows that there are currently at least 2,900 **GitHub** repositories generated by the latest **Shai-Hulud** supply-chain campaign.  The main exfiltration channel, though, is to *filev2.getsession[.]org/file/* via the Session P2P network. the *t.m-kosche.com* endpoint for shipping the stolen credentials. "On the wire this is end-to-end-encrypted traffic on TCP/443, indistinguishable from legitimate Session app traffic at the network layer. There is no traditional C2 [command-and-control] endpoint to block by hostname or IP," **Endor Labs** researchers say. ### Legit-looking package One key new addition that **Endor Labs** spotted in this **Shai Hulud** variant is its ability to generate valid **Sigstore** provenance attestations by abusing OpenID Connect (OIDC) tokens from compromised CI environments and submitting them to Fulcio and Reko. A similar capability was observed in the payload delivered in the **TanStack** attack attributed to TeamPCP, when the threat actor published malicious package versions with verifiable Supply-chain Levels for Software Artifacts (SLSA) provenance attestation. As a result, malicious npm packages may appear legitimately signed and pass standard provenance verification checks despite containing credential-stealing malware. The self-propagation capability is present in this attack too. The malware validates stolen npm tokens, enumerates packages owned by the victim, downloads the tarballs, injects the malicious payload, and republishes infected packages with bumped version numbers. Given that **Shai Hulud's** code was recently leaked on **GitHub** by the TeamPCP threat group and has already been used in attacks, attribution of the new **Shai-Hulud** campaign is more difficult. ### Persistence via VS Code and Claude Code **Socket** says this variant differs technically from earlier Mini **Shai-Hulud** payloads but shares the same operational characteristics. “The AntV payloads differ from earlier Mini **Shai-Hulud** artifacts such as **TanStack’s** router_init.js and Intercom-related router_runtime.js payloads,” explains **Socket**. “The AntV sample uses a root-level index.js, a different primary C2 endpoint, and a smaller payload body. However, the core operational model is consistent.” **Aikido Security** confirms that while the core model is the same, there are some differences. The payload is now smaller, and there is persistence through backdoors planted in VS Code and Claude Code configurations. The researchers warn that this may indicate that "the attacker is thinking about what happens after the initial compromise gets cleaned up." The general recommendation for developers who downloaded any of the infected npm packages is to immediately remove or downgrade to a known good version published before May 18, and then revoke and rotate all exposed credentials (e.g., **GitHub**, cloud tokens, SSH keys). Reports on the attack from application security companies **Socket**, **Endor Labs**, **Aikido Security**, and **Step Security** include indicators of compromise along with detection, remediation, and mitigation advice that defenders can use to protect development environments. **[UPDATE: 10:31 EST]:** *Article updated with information from **Aikido Security** and **Microsoft**.* [The Validation Gap: Automated Pentesting Answers One Question. You Need Six.](https://hubs.li/Q048zztN0) Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold. This guide covers the 6 surfaces you actually need to validate. [Download Now](https://hubs.li/Q048zztN0)