{"id":249127,"date":"2026-05-19T00:54:00","date_gmt":"2026-05-19T04:54:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/19\/mini-shai-hulud-pushes-malicious-antv-npm-packages-via-compromised-maintainer-account\/"},"modified":"2026-05-19T04:20:13","modified_gmt":"2026-05-19T08:20:13","slug":"mini-shai-hulud-pushes-malicious-antv-npm-packages-via-compromised-maintainer-account","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/19\/mini-shai-hulud-pushes-malicious-antv-npm-packages-via-compromised-maintainer-account\/","title":{"rendered":"Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/mini-shai-hulud-pushes-malicious-antv.html\">Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/mini-shai-hulud-pushes-malicious-antv.html\">https:\/\/thehackernews.com\/2026\/05\/mini-shai-hulud-pushes-malicious-antv.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-19 00:54:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave.<\/p>\n<p>&#8220;The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly downloads,&#8221; Socket said.<\/p>\n<p>The list of affected packages include @antv packages such as @antv\/g2, @antv\/g6, @antv\/x6, @antv\/l7, @antv\/s2, @antv\/f2, @antv\/g, @antv\/g2plot, @antv\/graphin, and @antv\/data-set, as well as related packages outside the @antv namespace, including echarts-for-react, timeago.js, size-sensor, canvas-nest.js, and others.<\/p>\n<p>The application security company said the tradecraft matches Mini Shai-Hulud, where a compromised maintainer account is leveraged to push out trojanized versions in quick succession.<\/p>\n<p>The development comes as the supply chain attack campaign continues to slither its way through the software supply chain, worming through different open-source registries rapidly and infecting hundreds of software packages by embedding credential-stealing code into popular development tools.<\/p>\n<p>&#8220;The potential blast radius is significant because the affected publishing account is connected to widely used packages across data visualization, graphing, mapping, charting, and React component ecosystems,&#8221; Socket said. &#8220;Even if only a subset of those packages received malicious updates, the popularity of the package ecosystem creates meaningful downstream exposure for organizations that automatically pull new dependency versions.&#8221;<\/p>\n<p>The attacker is said to have published 639 malicious versions across 323 unique packages, including 558 versions across 279 unique @antv packages. The stealer payload harvests more than 20 credential types, Amazon Web Services, Google Cloud, Microsoft Azure, GitHub, npm, SSH, Kubernetes, Vault, Stripe, database connection strings,&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/mini-shai-hulud-pushes-malicious-antv.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account https:\/\/thehackernews.com\/2026\/05\/mini-shai-hulud-pushes-malicious-antv.html Publish Date: 2026-05-19&#8230;<\/p>\n","protected":false},"author":1,"featured_media":249129,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjpyJDg_FqUDfeOeVX8IyhBHj9HqwkGZ-hV7b998CMLiBK2uPpmuQEN1cv1xYXJzRiznN6u_oXjA0lAGWgrkUH9EqaqfOFyW85ZQiz_Cr2YrHl1uxUHqEztt_iWG1LtRfNMpYTIqhS8vKTUOdZiNAf_r_g0r7LzqsvjmCmsr7_lv9jmXvHs5s76BEQCMnql\/s16000\/npm-malware.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-249127","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249127"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=249127"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249127\/revisions"}],"predecessor-version":[{"id":249130,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249127\/revisions\/249130"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/249129"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=249127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=249127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=249127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}