{"id":251330,"date":"2026-05-20T11:00:00","date_gmt":"2026-05-20T15:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/mini-shai-hulud-hits-hundreds-of-npm-packages-in-antv-ecosystem\/"},"modified":"2026-05-21T09:00:22","modified_gmt":"2026-05-21T13:00:22","slug":"mini-shai-hulud-hits-hundreds-of-npm-packages-in-antv-ecosystem","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/mini-shai-hulud-hits-hundreds-of-npm-packages-in-antv-ecosystem\/","title":{"rendered":"Mini Shai-Hulud Hits Hundreds of npm Packages in AntV Ecosystem"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/antv-npm-mini-shai-hulud-largest\/\">Mini Shai-Hulud Hits Hundreds of npm Packages in AntV Ecosystem<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/antv-npm-mini-shai-hulud-largest\/\">https:\/\/www.infosecurity-magazine.com\/news\/antv-npm-mini-shai-hulud-largest\/<\/a><\/p>\n<p>Publish Date: 2026-05-20 11:00:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.infosecurity-magazine.com\">www.infosecurity-magazine.com<\/a><\/p>\n<p>The Mini Shai-Hulud worm has resurfaced in one of its largest single-registry waves to date, hitting hundreds of npm packages tied to the AntV data visualization ecosystem in a coordinated burst lasting around an hour.<\/p>\n<p>According to new analysis by Socket&#8217;s Threat Research Team, the attack began around 01:56 UTC on May 19 and pushed 639 malicious versions across 323 unique packages before stopping\u00a0roughly an hour later.<\/p>\n<p>Microsoft, which has previously published Defender protection guidance for the broader Mini Shai-Hulud campaign, has also provided updates from its own investigation into the new supply chain attack via\u00a0X\u00a0on Tuesday, May 19.<\/p>\n<p>Several affected packages are high-download npm dependencies, including echarts-for-react, size-sensor, @antv\/scale, and 
timeago.js, among others. The compromised npm maintainer account, \u201catool,\u201d held publish rights to more than 500 packages.<\/p>\n<h2><strong>Compromised Account, Familiar Playbook<\/strong><\/h2>\n<p>Each malicious version added a preinstall hook to package.json that executes a 498 KB obfuscated Bun bundle, harvesting cloud credentials, CI\/CD tokens, SSH keys, Kubernetes service account tokens and local password manager vaults.<\/p>\n<p>The payload exfiltrated stolen data through public GitHub repositories created using stolen tokens, named after Dune universe terminology with descriptions containing a reversed marker reading &#8220;Shai-Hulud: Here We Go Again.&#8221;<\/p>\n<p>Avital Harel, security research lead at Upwind, said the operation appeared mature and defender-aware, with attackers anticipating the tools used to detect and analyze malware.<\/p>\n<p>&#8220;The campaign was not only built to spread, but also to slow down analysis,&#8221; she explained.<\/p>\n<p>Socket described the tradecraft as consistent with a &#8220;high-volume npm compromise pattern involving coordinated malicious publishes.&#8221;<\/p>\n<p>Across all waves, the company has tracked 1055 compromised versions across 502 unique packages spanning npm, PyPI and&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/antv-npm-mini-shai-hulud-largest\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mini Shai-Hulud Hits Hundreds of npm Packages in AntV Ecosystem https:\/\/www.infosecurity-magazine.com\/news\/antv-npm-mini-shai-hulud-largest\/ Publish Date: 2026-05-20 
11:00:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":251331,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/50d0af88-209c-409e-a19d-ae5242d16fdb.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32],"class_list":["post-251330","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251330"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=251330"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251330\/revisions"}],"predecessor-version":[{"id":251332,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251330\/revisions\/251332"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/251331"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=251330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=251330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=251330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}