Introduction:
In the early hours of May 19, 2026, a massive supply chain attack hit the npm ecosystem. Attackers compromised the npm maintainer account “atool,” using it to publish 639 malicious versions across 323 unique packages, including `echarts-for-react` (1.1M weekly downloads). The injected malware steals CI/CD secrets, GitHub tokens, and cloud credentials—then autonomously spreads to other npm packages like a worm.
Learning Objectives:
- Understand how threat actors exploit a single compromised npm account to poison hundreds of packages
- Detect malicious `preinstall` hooks, obfuscated JavaScript payloads, and fallback exfiltration via GitHub
- Apply immediate incident response, credential rotation, and CI/CD hardening techniques
You Should Know:
1. Detect Malicious npm Packages with Static Analysis
Before installing any package, scan it for hidden `preinstall` hooks, obfuscated string arrays, and suspicious network endpoints. The Mini Shai-Hulud malware places its payload in a root `index.js` and modifies `package.json` to execute it during installation.
Step-by-step guide:
```bash
# Inspect the published manifest for "preinstall" or "postinstall" scripts
npm view @antv/g2 scripts --json

# Or use a pre-installation scanner
npx @socketsecurity/cli scan --package @antv/[email protected]

# Search for the known IoC domain
grep -rF "t.m-kosche.com" node_modules/ || echo "No direct match"

# Scan for Sigstore endpoint references (fulcio, rekor)
find . -name "*.js" -exec grep -lE "fulcio\.sigstore\.dev|rekor\.sigstore\.dev" {} \;
```
For Windows PowerShell:
```powershell
# Quick pre-install script check in package.json
Get-Content package.json | Select-String "preinstall|postinstall"
```
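The checks in this section combined into one static triage pass over an unpacked package, as an added example that is not code from the original page. The function name, the `files` map (tarball-relative path to source text) and both sample packages are assumptions constructed for illustration.

```javascript
// Added example: static triage of one unpacked npm package before install.
// `manifest` is the parsed package.json; `files` maps paths to source text.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const INDICATORS = [
  "t.m-kosche.com",      // C2 domain named on this page
  "fulcio.sigstore.dev", // Sigstore endpoints the page says to search for
  "rekor.sigstore.dev",
];

function triagePackage(manifest, files) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push({ kind: "install-hook", hook, detail: cmd });
    // Pattern described on the page: the hook executes a root-level JS file.
    const m = /\bnode\s+(?:\.\/)?([\w.-]+\.js)\b/.exec(cmd);
    if (m && Object.prototype.hasOwnProperty.call(files, m[1])) {
      findings.push({ kind: "hook-runs-root-file", hook, detail: m[1] });
    }
  }
  for (const [path, text] of Object.entries(files)) {
    if (!/\.(?:c|m)?js$/.test(path)) continue; // only .js, .cjs, .mjs sources
    for (const ioc of INDICATORS) {
      if (text.includes(ioc)) {
        findings.push({ kind: "indicator", detail: `${ioc} in ${path}` });
      }
    }
  }
  return findings;
}

// Constructed samples: one clean package, one that follows the described pattern.
const clean = triagePackage(
  { name: "example-clean", version: "1.0.0", scripts: { test: "node test.js" } },
  { "lib/main.js": "module.exports = () => 42;" }
);
const suspect = triagePackage(
  { name: "example-suspect", version: "9.9.9", scripts: { preinstall: "node index.js" } },
  { "index.js": "const host = 't.m-kosche.com';", "lib/main.js": "module.exports = {};" }
);
console.log(clean.length, suspect.map((f) => f.kind));
```

Feed it real input by parsing `package.json` from a tarball fetched with `npm pack` and reading the tarball's source files into the `files` map.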
2. Harden CI/CD Pipelines Against Worm-Like Propagation
The malware validates stolen npm tokens via the npm API, enumerates publishable packages, then injects and republishes malicious code. Blocking this behavior requires disabling lifecycle scripts at the CI level.
Step-by-step guide:
```bash
# Enforce npm install without running preinstall hooks (CI only)
export NPM_CONFIG_IGNORE_SCRIPTS=true
npm ci --ignore-scripts

# Alternatively, use --no-optional --no-audit --no-fund
npm install --ignore-scripts --no-audit

# Lock exact versions of all dependencies
npm shrinkwrap

# Verify integrity with npm audit, but note: audit only flags known CVEs
npm audit --production --json > audit_report.json
```

If using GitHub Actions, add this step before any npm install:

```yaml
- name: Block malicious packages
  run: |
    for pkg in @antv/g2 echarts-for-react size-sensor timeago.js; do
      if npm view "$pkg" version | grep -E "5\.1\.1[5-9]|5\.1\.2[0-9]"; then
        echo "Blocked $pkg version range"
        exit 1
      fi
    done
```
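To see which dependencies `--ignore-scripts` is actually suppressing, a CI job can audit the lockfile itself. The following is an added example, not code from the original page: it reads the `hasInstallScript`, `resolved` and `integrity` fields that npm writes into `package-lock.json` (lockfileVersion 2 or 3); the allow-list, package names, mirror host and hashes are constructed assumptions.

```javascript
// Added example: lockfile-wide inventory of install-script and provenance risks.
const ALLOWED_INSTALL_SCRIPTS = new Set(["example-native-addon"]); // hypothetical reviewed list
const TRUSTED_REGISTRY_HOST = "registry.npmjs.org";
const NM = "node_modules/";

function auditLockfile(lock) {
  const report = { installScripts: [], offRegistry: [], noIntegrity: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf(NM);
    // Skip the root project, workspace folders, links and bundled dependencies.
    if (i < 0 || entry.link || entry.inBundle) continue;
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.slice(i + NM.length);
    const id = `${name}@${entry.version}`;
    // npm sets hasInstallScript on packages that declare install-time hooks.
    if (entry.hasInstallScript && !ALLOWED_INSTALL_SCRIPTS.has(name)) {
      report.installScripts.push(id);
    }
    if (!entry.integrity) report.noIntegrity.push(id);
    let host = null;
    try {
      host = new URL(entry.resolved).host;
    } catch {
      // a missing or non-URL "resolved" value counts as off-registry
    }
    if (host !== TRUSTED_REGISTRY_HOST) report.offRegistry.push(id);
  }
  return report;
}

// Constructed lockfile fragment.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/example-native-addon": {
      version: "2.1.0", hasInstallScript: true, integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/example-native-addon/-/example-native-addon-2.1.0.tgz",
    },
    "node_modules/@example/charts": {
      version: "5.0.0", hasInstallScript: true, integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/@example/charts/-/charts-5.0.0.tgz",
    },
    "node_modules/@example/charts/node_modules/left": {
      version: "1.0.0", resolved: "https://mirror.example.invalid/left-1.0.0.tgz",
    },
  },
};
const lockReport = auditLockfile(sampleLock);
console.log(JSON.stringify(lockReport, null, 2));
```

A non-empty `installScripts` list is the set of packages to review before anyone re-enables lifecycle scripts for that project.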
3. Identify and Remove Compromised Packages Using IoCs
Security researchers have published concrete indicators for this campaign, including the primary C2 domain `t.m-kosche.com` and the reversed GitHub marker `niagA oG eW ereH :duluH-iahS`. You can scan your environment for these signs.
Step-by-step guide:
```bash
# List all installed packages from @antv, echarts-for-react, etc.
npm ls --depth=0 | grep -E "@antv|echarts-for-react|timeago.js|size-sensor"

# Check for specific malicious versions (May 19 automated burst)
for pkg in @antv/g2 echarts-for-react size-sensor; do
  npm view "$pkg" time --json | jq -r '.[] | select(. | contains("2026-05-19"))'
done

# Search for the GitHub exfiltration repository naming pattern
gh search repos "sayyadina-stillsuit|fremen-fedaykin|atreides-ornithopter" --limit 10

# Look for the results/results-*.json path pattern (fallback channel)
find /home /var/lib/jenkins /github/workspace -name "results-*.json" 2>/dev/null
```
4. Audit and Revoke Compromised Secrets Across All Platforms
The payload hunts for GITHUB_TOKEN, AWS_ACCESS_KEY_ID, KUBECONFIG, VAULT_TOKEN, and even Docker config files. If any environment where these packages were installed touched production, assume all secrets are compromised.
Step-by-step guide:
```bash
# Revoke AWS credentials (Linux/Mac)
aws iam list-access-keys
aws iam delete-access-key --access-key-id AKIA...

# Rotate GitHub tokens via API
gh api /user/personal-access-tokens --paginate | jq '.[].name'

# Revoke all tokens created before May 20, 2026
gh api -X DELETE /user/personal-access-tokens/TOKEN_ID

# For Kubernetes, force-rotate service account tokens
# (the delete removes every Secret in the current namespace, so have replacements ready)
kubectl rollout restart deployment --all
kubectl delete secrets --all

# Scan the mounted working tree for exposed secrets (using truffleHog)
docker run -it --rm -v "$PWD:/pwd" trufflesecurity/trufflehog:latest filesystem /pwd
```
5. Use Sigstore and SBOMs to Detect Tampered Packages
One of the cleverest aspects of this attack is the use of Sigstore (Fulcio, Rekor) to forge provenance badges. Attackers abused these transparency logs to make malicious packages appear legitimate. You should verify signatures before trusting a package.
Step-by-step guide:
```bash
# Install Sigstore CLI
brew install sigstore/tap/sigstore-go

# Verify a package's signature (if available)
sigstore-go verify npm --package @antv/[email protected]

# Generate an SBOM and check for unknown components
npx @cyclonedx/bom -o bom.xml

# Search the SBOM for @antv/ packages released on May 19
grep -B2 -A2 "2026-05-19" bom.xml
```

For Windows (using PowerShell and Sigstore):

```powershell
Invoke-WebRequest -Uri "https://rekor.sigstore.dev/api/v1/log/entries" -UseBasicParsing
```
6. Implement a Package Allow-List and Block New Versions
Because the attack published 639 versions in just 22 minutes, the blast radius is huge. The safest short-term action is to pin all npm dependencies to known-good versions released before May 19, 2026.
Step-by-step guide:
```ini
# Example: .npmrc entry that controls which registry serves the @antv namespace
@antv:registry=https://registry.npmjs.org/
# Force exact versions (no ^ or ~)
save-exact=true
```

In package.json, pin specific versions:

```json
"dependencies": {
  "@antv/g2": "5.1.14",
  "echarts-for-react": "3.0.2"
}
```

Block entire namespaces using a .npmrc override (Windows/Linux):

```bash
echo "@antv:registry=https://localhost:4040" >> .npmrc
echo "@antv:always-auth=false" >> .npmrc
```
7. Monitor Network Traffic for Encrypted Exfiltration Patterns
The malware uses AES-256-GCM encryption wrapped with RSA-OAEP before sending data to t.m-kosche.com. While the payload is encrypted, the destination domain and port (:443) are clear-text and can be blocked.
Step-by-step guide:
```bash
# Block the C2 domain at the DNS level (Linux - /etc/hosts)
echo "0.0.0.0 t.m-kosche.com" | sudo tee -a /etc/hosts

# Use tcpdump to detect unexpected outbound traffic to that domain
sudo tcpdump -i eth0 -n "host t.m-kosche.com" -c 100

# For egress filtering in CI (script step): fail if the domain resolves to a routable address
addr=$(getent hosts t.m-kosche.com | awk '{print $1; exit}')
if [ -n "$addr" ] && [ "$addr" != "0.0.0.0" ]; then
  echo "C2 domain reachable - blocking"
  exit 1
fi
```

```powershell
# Windows (C:\Windows\System32\drivers\etc\hosts), run from an elevated prompt
Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "0.0.0.0 t.m-kosche.com"
```
What Undercode Say:
- Key Takeaway 1: A single compromised maintainer account can poison hundreds of packages within minutes. This attack proves that npm’s 2FA adoption is still insufficient; @atool apparently lacked hardware-based MFA.
- Key Takeaway 2: Sigstore is being weaponized. Attackers are now abusing transparency logs to fake provenance badges. In 2026, you cannot trust a package just because it has a Sigstore signature; you must verify its creation time and publisher identity.
Expected Output:
Your incident response playbook must now include runtime detection (eBPF/ETW hooks) that block `preinstall` scripts from reading `~/.aws` or ~/.kube/config. The days of relying solely on `npm audit` are over; you need layered controls: ignore-scripts in CI, mandatory SBOM signing, and automated rollback of any dependency published within the last 48 hours.
Prediction:
The Mini Shai-Hulud campaign will trigger a fundamental shift in package management: by 2027, we will see corporate npm mirrors that refuse packages younger than 24 hours unless explicitly signed by a verified team key. Attackers will move to compromising those signing keys, leading to a new wave of “trusted but malicious” artifacts. The only sustainable defense is to treat every third-party package as hostile until proven otherwise—and to push for legislation that holds package registry operators liable for distribution of malware.
Reported By: Cybersecuritynews Share – Hackers Feeds


