An active and sophisticated supply chain attack is targeting the widely used @antv npm ecosystem: a threat actor compromised a maintainer account and pushed malicious package updates designed to steal sensitive CI/CD credentials.
According to Microsoft, the campaign, dubbed “Mini Shai-Hulud,” demonstrates how deeply embedded open-source libraries can be weaponized to infiltrate modern development pipelines at scale.
The attack originated from unauthorized access to an @antv maintainer account, enabling the adversary to publish tampered versions of popular data visualization libraries such as G2 and G6.
Because these packages are deeply integrated into frontend and analytics applications, the compromise quickly spread downstream through dependency chains.
One notable affected package, echarts-for-react, sees over one million weekly downloads, significantly amplifying the reach of the attack across enterprise environments and cloud workloads.
Once installed, the malicious packages execute a concealed payload during the npm install process via a preinstall hook.
The execution chain invokes node, then a shell, followed by the Bun runtime, which is installed automatically if not already present.
This leads to the deployment of a heavily obfuscated JavaScript payload approximately 499 KB in size, engineered to evade detection and analysis.
The malware employs multi-layered obfuscation techniques, including thousands of Base64-encoded strings and runtime decryption using a custom PBKDF2 and SHA-256-based cipher.
It also includes environment-aware logic, ensuring it only activates on GitHub Actions runners operating on Linux systems.
Additionally, it avoids execution on protected or commonly monitored branches such as main and master to reduce the likelihood of detection.
At its core, the payload is designed for large-scale credential harvesting across multiple platforms. It targets GitHub tokens, AWS credentials, HashiCorp Vault tokens, npm access tokens, Kubernetes secrets, and even 1Password data.
For example, in a compromised CI pipeline, the malware can extract a GitHub token from environment variables, validate it via the GitHub API, and then enumerate repository secrets for further exploitation.
One of the more advanced techniques observed is process memory scraping. The malware scans the Linux /proc filesystem to locate the GitHub Actions Runner.Worker process and extracts secrets directly from memory.
This approach bypasses traditional secret masking mechanisms, allowing attackers to recover sensitive values that would otherwise remain hidden in logs.
The payload also attempts privilege escalation by injecting a passwordless sudo rule and manipulating system configurations such as the /etc/hosts file for potential redirection attacks.
Stolen data is exfiltrated through multiple channels, including encrypted HTTPS communication with a command-and-control server and fallback mechanisms leveraging the GitHub Git Data API.

In some cases, attackers created thousands of public repositories under victim accounts with reversed text identifiers, signaling successful compromise.
To maintain persistence, the malware enumerates user repositories and organizations, spreads laterally, and deploys additional payloads.
It also forges SLSA provenance attestations using Sigstore infrastructure, undermining trust in software supply chain verification mechanisms.
Following disclosure, GitHub removed over 640 malicious packages and revoked more than 61,000 compromised npm tokens, particularly those with write access and weak authentication controls.
Security advisories were issued, and affected users were notified through Dependabot alerts and npm audit mechanisms.
Microsoft and GitHub recommend immediate mitigation steps, including auditing dependency trees, disabling install scripts, rotating all potentially exposed credentials, and reviewing CI/CD logs for anomalies.
Organizations are also urged to inspect GitHub accounts for suspicious repositories and validate build artifacts for signs of tampering.
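One way to start the dependency-tree audit recommended above, as an added example that is not code from Microsoft, GitHub or the @antv project: it walks the `packages` map of an npm lockfile (v2/v3 format assumed) and reports every entry in the @antv scope or named echarts-for-react, plus any dependency npm has marked with `hasInstallScript`. The function names and the sample lockfile are constructed for illustration; a match means the package is present and its version needs checking against the published advisories, not that the installed version is malicious.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for the names
// this article lists and for any dependency that declares install scripts.
const WATCHED_SCOPES = ["@antv/"];           // scope from the IOC table
const WATCHED_NAMES = ["echarts-for-react"]; // downstream package named above

// "node_modules/a/node_modules/@antv/g2" -> "@antv/g2"; root entry "" -> null
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name) continue; // root project or workspace entry
    const watched = WATCHED_NAMES.includes(name) ||
      WATCHED_SCOPES.some((scope) => name.startsWith(scope));
    // npm sets hasInstallScript when a package has preinstall/install/postinstall.
    const runsScripts = meta.hasInstallScript === true;
    if (watched || runsScripts) {
      findings.push({ name, version: meta.version, path, watched, runsScripts });
    }
  }
  // Watched packages that also run install scripts sort first.
  const score = (f) => (f.watched ? 2 : 0) + (f.runsScripts ? 1 : 0);
  return findings.sort((a, b) => score(b) - score(a) || (a.path < b.path ? -1 : 1));
}

// Constructed sample lockfile; "report", "native-addon-example" and all
// versions are placeholders, not known-bad releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard", version: "1.0.0" },
    "node_modules/@antv/g2": { version: "0.0.0-example", hasInstallScript: true },
    "node_modules/echarts-for-react": { version: "0.0.0-example" },
    "node_modules/report/node_modules/@antv/g6": { version: "0.0.0-example" },
    "node_modules/native-addon-example": { version: "0.0.0-example", hasInstallScript: true },
    "node_modules/lodash": { version: "0.0.0-example" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.watched ? "WATCHED" : "review "} scripts=${f.runsScripts} ` +
    `${f.name}@${f.version} (${f.path})`);
}
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `auditLockfile`. Installing with `npm ci --ignore-scripts` keeps preinstall hooks from running while the findings are reviewed.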
This incident highlights the growing sophistication of supply chain attacks and the critical need for stricter controls around dependency management, credential handling, and CI/CD pipeline security.
Indicators of Compromise (IOC)
| Indicator | Type | Description |
| --- | --- | --- |
| @antv – whole account | Package scope | All packages maintained by the antv account were compromised. According to the latest statement from the account author, this situation is now resolved. |
| echarts-for-react | Package name | One of the major downstream packages impacted by the antv compromise. According to the latest statement from the repository author, this situation is now resolved. |
| a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c | SHA-256 | Malicious payload JavaScript file |
| fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142 | SHA-256 | Malicious backdoor Python script |
| t.m-kosche[.]com:443 | Domain | Infrastructure associated with campaign |
| Index.js | File name | Malicious script or dropped file |
| cat.py | File name | Malicious script or dropped file |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

