Hackers Hijack @antv npm Packages – Mini Shai-Hulud Supply Chain Attack Strikes 639 Versions + Video

Introduction:

In the early hours of May 19, 2026, a massive supply chain attack hit the npm ecosystem. Attackers compromised the npm maintainer account “atool,” using it to publish 639 malicious versions across 323 unique packages, including `echarts-for-react` (1.1M weekly downloads). The injected malware steals CI/CD secrets, GitHub tokens, and cloud credentials—then autonomously spreads to other npm packages like a worm.

Learning Objectives:

  • Understand how threat actors exploit a single compromised npm account to poison hundreds of packages
  • Detect malicious `preinstall` hooks, obfuscated JavaScript payloads, and fallback exfiltration via GitHub
  • Apply immediate incident response, credential rotation, and CI/CD hardening techniques

You Should Know:

1. Detect Malicious npm Packages with Static Analysis

Before installing any package, scan it for hidden `preinstall` hooks, obfuscated string arrays, and suspicious network endpoints. The Mini Shai-Hulud malware places its payload in a root `index.js` and modifies `package.json` to execute it during installation.

Step-by-step guide:

```bash
# Inspect the published manifest for install-time lifecycle scripts (preinstall, install, postinstall)
npm view @antv/g2 scripts --json

# Or use a pre-installation scanner (replace <version> with the version you intend to install)
npx @socketsecurity/cli scan --package @antv/g2@<version>

# Search installed code for the known IoC domain (-F matches the dots literally)
grep -rF "t.m-kosche.com" node_modules/ || echo "No direct match"

# Find JavaScript files that reference the Sigstore endpoints (Fulcio, Rekor)
find . -name "*.js" -exec grep -lE "fulcio\.sigstore\.dev|rekor\.sigstore\.dev" {} +
```

For Windows PowerShell:

```powershell
# Quick check for install-time scripts in package.json
Get-Content package.json | Select-String "preinstall|postinstall"
```
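
The manifest and IoC checks from this section combined into one pass over an installed tree, as an added example (not code from the original post). It flags packages that declare install-time lifecycle scripts and top-level `.js` files containing the IoC strings this page lists; the function names and the constructed sample tree are assumptions.

```javascript
const fs = require("node:fs");
const path = require("node:path");

// Hooks npm runs automatically during install, and the IoC strings this page lists.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const IOCS = ["t.m-kosche.com", "niagA oG eW ereH :duluH-iahS"];

// Every directory under root that holds a package.json (scoped and nested ones too).
function findPackageDirs(root) {
  const found = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    if (!entry.isDirectory()) continue; // symlinks are not followed
    const dir = path.join(root, entry.name);
    if (fs.existsSync(path.join(dir, "package.json"))) found.push(dir);
    found.push(...findPackageDirs(dir));
  }
  return found;
}

// Report install hooks and IoC hits for each package under nodeModules.
function scanTree(nodeModules) {
  const findings = [];
  for (const dir of findPackageDirs(nodeModules)) {
    let manifest;
    try { manifest = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8")); }
    catch { continue; } // unparsable manifest: skip it, keep scanning
    const hooks = INSTALL_HOOKS.filter((h) => manifest?.scripts?.[h]);
    const iocFiles = fs.readdirSync(dir, { withFileTypes: true })
      .filter((e) => e.isFile() && e.name.endsWith(".js"))
      .map((e) => e.name)
      .filter((f) => IOCS.some((s) => fs.readFileSync(path.join(dir, f), "utf8").includes(s)));
    if (hooks.length || iocFiles.length) findings.push({ name: manifest?.name, hooks, iocFiles });
  }
  return findings;
}

// Constructed sample tree: one clean package, one with a preinstall hook and an IoC string.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(require("node:os").tmpdir(), "scan-"));
  const write = (rel, body) => {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), body);
  };
  write("clean-pkg/package.json", JSON.stringify({ name: "clean-pkg", scripts: { test: "node t.js" } }));
  write("@demo/bad/package.json", JSON.stringify({ name: "@demo/bad", scripts: { preinstall: "node index.js" } }));
  write("@demo/bad/index.js", 'const marker = "t.m-kosche.com"; // constructed sample line');
  return root;
}
console.log(JSON.stringify(scanTree(buildSampleTree()), null, 2));
```

Point `scanTree` at a real `node_modules` directory after an `npm ci --ignore-scripts` install, so that nothing has executed before the scan.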

2. Harden CI/CD Pipelines Against Worm-Like Propagation

The malware validates stolen npm tokens via the npm API, enumerates publishable packages, then injects and republishes malicious code. Blocking this behavior requires disabling lifecycle scripts at the CI level.

Step-by-step guide:

```bash
# Install in CI without running lifecycle scripts (preinstall, install, postinstall)
export NPM_CONFIG_IGNORE_SCRIPTS=true
npm ci --ignore-scripts
# Alternatively, with a plain install
npm install --ignore-scripts --no-audit

# Lock exact versions of all dependencies
npm shrinkwrap
# Verify integrity with npm audit, but note: audit only flags known CVEs
npm audit --omit=dev --json > audit_report.json
```

If using GitHub Actions, add this step before any npm install:

```yaml
- name: Block malicious packages
  run: |
    # Checks the version the registry currently serves as latest for each package
    for pkg in @antv/g2 echarts-for-react size-sensor timeago.js; do
      if npm view "$pkg" version | grep -Eq '^5\.1\.(1[5-9]|2[0-9])$'; then
        echo "Blocked $pkg version range"
        exit 1
      fi
    done
```

3. Identify and Remove Compromised Packages Using IoCs

Security researchers have published concrete indicators for this campaign, including the primary C2 domain `t.m-kosche.com` and the reversed GitHub marker `niagA oG eW ereH :duluH-iahS`. You can scan your environment for these signs.

Step-by-step guide:

```bash
# List installed copies of the affected packages, transitive dependencies included
npm ls --all | grep -E "@antv|echarts-for-react|timeago\.js|size-sensor"

# Show versions published on May 19, 2026 (the automated burst)
for pkg in @antv/g2 echarts-for-react size-sensor; do
  npm view "$pkg" time --json |
    jq -r 'to_entries[]
           | select(.key != "created" and .key != "modified")
           | select(.value | startswith("2026-05-19"))
           | "\(.key)\t\(.value)"'
done

# Search for the GitHub exfiltration repository naming pattern (one query per name)
for term in sayyadina-stillsuit fremen-fedaykin atreides-ornithopter; do
  gh search repos "$term" --limit 10
done

# Look for the results/results-*.json path pattern (fallback channel)
find /home /var/lib/jenkins /github/workspace -path "*/results/results-*.json" 2>/dev/null
```

4. Audit and Revoke Compromised Secrets Across All Platforms

The payload hunts for GITHUB_TOKEN, AWS_ACCESS_KEY_ID, KUBECONFIG, VAULT_TOKEN, and even Docker config files. If any environment where these packages were installed touched production, assume all secrets are compromised.

Step-by-step guide:

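```bash
# Revoke AWS credentials (Linux/Mac)
aws iam list-access-keys
aws iam delete-access-key --access-key-id AKIA...

# Rotate GitHub tokens. Personal access tokens are revoked in the web UI
# (Settings > Developer settings); organization owners can list and revoke
# fine-grained tokens that have access to the organization via the API.
# Set ORG and PAT_ID before running.
gh api "/orgs/$ORG/personal-access-tokens" --paginate \
  --jq '.[] | "\(.id)\t\(.owner.login)\t\(.access_granted_at)"'
# Revoke every token granted before May 20, 2026
gh api -X POST "/orgs/$ORG/personal-access-tokens/$PAT_ID" -f action=revoke

# For Kubernetes, force-rotate service account tokens: delete only the
# token secrets, then restart the deployments so pods pick up new ones
kubectl delete secrets --field-selector type=kubernetes.io/service-account-token
kubectl rollout restart deployment

# Scan Git history for exposed secrets (using truffleHog)
docker run -it --rm -v "$PWD:/pwd" trufflesecurity/trufflehog:latest git file:///pwd
```
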
5. Use Sigstore and SBOMs to Detect Tampered Packages

One of the cleverest aspects of this attack is the use of Sigstore (Fulcio, Rekor) to forge provenance badges. Attackers abused these transparency logs to make malicious packages appear legitimate. You should verify signatures before trusting a package.

Step-by-step guide:

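```bash
# Verify registry signatures and provenance attestations of installed packages
# (npm's built-in check; provenance attestations are issued through Sigstore)
npm audit signatures

# Generate an SBOM and check for unknown components
npx @cyclonedx/cyclonedx-npm --output-format XML --output-file bom.xml
# List the @antv/ components and versions in the SBOM, then compare them with
# the May 19 publish times reported by `npm view <pkg> time --json`
grep -oE 'pkg:npm/(%40|@)antv/[^<?"]*' bom.xml | sort -u
```

```powershell
# For Windows (PowerShell): query the current state of the Rekor transparency log
Invoke-WebRequest -Uri "https://rekor.sigstore.dev/api/v1/log" -UseBasicParsing
```
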
6. Implement a Package Allow-List and Block New Versions

Because the attack published 639 versions in just 22 minutes, the blast radius is huge. The safest short-term action is to pin all npm dependencies to known-good versions released before May 19, 2026.

Step-by-step guide:

```ini
# Example .npmrc: resolve the @antv scope from the public registry (the default)
@antv:registry=https://registry.npmjs.org/
# Force exact versions (no ^ or ~) when saving dependencies
save-exact=true
```

In package.json, pin specific versions:

```json
"dependencies": {
  "@antv/g2": "5.1.14",
  "echarts-for-react": "3.0.2"
}
```

```bash
# Block an entire namespace by pointing its scope at an address that serves no packages (Windows/Linux)
echo "@antv:registry=https://localhost:4040" >> .npmrc
```
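
The cutoff rule from this section, applied to a lockfile, in an added example that is not from the original post. Given a `package-lock.json` and the publish times that `npm view <pkg> time --json` returns, it flags every resolved version published on or after May 19, 2026; the package names, versions and timestamps below are constructed sample data.

```javascript
// Cutoff from this page: only versions released before May 19, 2026 are trusted.
const CUTOFF = Date.parse("2026-05-19T00:00:00Z");

// Constructed sample: the "packages" map of a lockfile (lockfileVersion 3).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/@demo/chart": { version: "2.4.1" },
    "node_modules/demo-util": { version: "1.3.0" },
    "node_modules/demo-util/node_modules/@demo/chart": { version: "2.4.0" },
    "node_modules/unlisted": { version: "0.1.0" },
  },
};

// Constructed sample of `npm view <pkg> time --json` output, keyed by package name.
const sampleTimes = {
  "@demo/chart": { "2.4.0": "2026-03-02T10:00:00.000Z", "2.4.1": "2026-05-19T01:12:44.000Z" },
  "demo-util": { "1.3.0": "2025-11-20T08:30:00.000Z" },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b" (the name after the last node_modules/).
function nameFromLockPath(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Classify each locked dependency as ok, tooNew (published at or after cutoff) or unknown.
function checkLockfile(lock, times, cutoff = CUTOFF) {
  const report = { ok: [], tooNew: [], unknown: [] };
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders and workspace links.
    if (!lockPath.includes("node_modules/") || meta.link) continue;
    const name = meta.name || nameFromLockPath(lockPath); // meta.name is set for aliases
    const published = times[name] && times[name][meta.version];
    const id = `${name}@${meta.version}`;
    if (!published) report.unknown.push(id); // no publish time: fail closed, review by hand
    else if (Date.parse(published) >= cutoff) report.tooNew.push(id);
    else report.ok.push(id);
  }
  return report;
}

console.log(checkLockfile(sampleLock, sampleTimes));
```

In CI, fail the job when `tooNew` or `unknown` is non-empty; unlike the `package.json` pins, this also covers transitive dependencies.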

7. Monitor Network Traffic for Encrypted Exfiltration Patterns

The malware uses AES-256-GCM encryption wrapped with RSA-OAEP before sending data to t.m-kosche.com. While the payload is encrypted, the destination domain and port (:443) are clear-text and can be blocked.

Step-by-step guide:

```bash
# Block the C2 domain at the DNS level (Linux: /etc/hosts, requires root)
echo "0.0.0.0 t.m-kosche.com" | sudo tee -a /etc/hosts
```

```powershell
# Windows (C:\Windows\System32\drivers\etc\hosts, elevated prompt)
Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "0.0.0.0 t.m-kosche.com"
```

```bash
# Use tcpdump to detect unexpected outbound traffic to that domain
sudo tcpdump -i eth0 -n "host t.m-kosche.com" -c 100

# Egress check for CI (script step): fail if the domain still resolves to a routable address
resolved=$(getent hosts t.m-kosche.com | awk 'NR==1 {print $1}')
if [ -n "$resolved" ] && [ "$resolved" != "0.0.0.0" ]; then
  echo "C2 domain resolves to $resolved - egress block missing"
  exit 1
fi
```

What Undercode Say:

  • Key Takeaway 1: A single compromised maintainer account can poison hundreds of packages within minutes. This attack proves that npm’s 2FA adoption is still insufficient—@atool apparently lacked hardware-based MFA.
  • Key Takeaway 2: Sigstore is being weaponized. Attackers are now abusing transparency logs to fake provenance badges. In 2026, you cannot trust a package just because it has a Sigstore signature; you must verify its creation time and publisher identity.

Expected Output:

Your incident response playbook must now include runtime detection (eBPF/ETW hooks) that block `preinstall` scripts from reading `~/.aws` or `~/.kube/config`. The days of relying solely on `npm audit` are over; you need layered controls: ignore-scripts in CI, mandatory SBOM signing, and automated rollback of any dependency published within the last 48 hours.

Prediction:

The Mini Shai-Hulud campaign will trigger a fundamental shift in package management: by 2027, we will see corporate npm mirrors that refuse packages younger than 24 hours unless explicitly signed by a verified team key. Attackers will move to compromising those signing keys, leading to a new wave of “trusted but malicious” artifacts. The only sustainable defense is to treat every third-party package as hostile until proven otherwise—and to push for legislation that holds package registry operators liable for distribution of malware.

Reported By: Cybersecuritynews Share – Hackers Feeds