New Shai-Hulud malware wave compromises 600 npm packages
by Bill Toulas · BleepingComputer
Threat actors earlier today published more than 600 malicious packages to the Node Package Manager (npm) index as part of a new Shai-Hulud supply-chain campaign.
Most of the affected packages are in the @antv ecosystem, which includes libraries for charting, graph visualization, building flowcharts, and mapping. However, popular packages outside this namespace have also been compromised.
As in the previous Shai-Hulud campaign impacting TanStack and Mistral packages, the payload collects secrets from developer and CI/CD environments and exfiltrates them over the Session P2P network to complicate detection and takedown efforts.
The threat actor also used GitHub as a fallback exfiltration mechanism and published stolen data in repositories under victims' accounts, when tokens used for publishing were found.
According to application security company Socket, the hackers published 639 malicious versions across 323 unique packages in about one hour on May 19, between 01:56 UTC and 02:56 UTC.
The attack started with compromising the npm account atool, which publishes the packages in the @antv namespace. Some of the impacted libraries include:
- echarts-for-react
- @antv/g2
- @antv/g6
- @antv/x6
- @antv/l7
- @antv/g2plot
- @antv/graphin
- timeago.js
- size-sensor
- canvas-nest.js
Packages in the @antv namespace are published from the , which has been compromised
Endor Labs researchers highlight that some of the packages (e.g., timeago.js, size-sensor, and jest-canvas-mock) had not received a legitimate update for a long time and were less likely to have their OIDC trusted publishing security feature configured.
For instance, although jest-canvas-mock still has 10 million monthly downloads, it has been dormant for about 3 years.
Socket researchers maintain a list of package artifacts affected by all Shai-Hulud attacks, which has grown to more than 1,000 entries.
The Shai-Hulud campaigns started last September and continue to affect multiple software ecosystems, such as npm, PyPI, and Composer to a lesser degree.
The malware compromises maintainer accounts or publishing tokens to push legitimate packages with malicious code that steals developer and CI/CD secrets, and can spread to other projects using the stolen credentials.
The latest wave involves the injection of a heavily obfuscated ‘index.js’ payload that attempts to steal GitHub, npm, cloud, Kubernetes, Vault, Docker, database, and SSH credentials.
It primarily targets developer workstations and CI/CD environments, including GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI, Vercel, Netlify, and other build platforms.
The stolen data is serialized, Gzip-compressed, AES-256-GCM-encrypted, and RSA-OAEP-wrapped to make network inspection harder.
When GitHub credentials are available, the malware uses the GitHub API to automatically create new repositories under the victim’s account and upload the stolen data to them.
Repos published as a result of this attack have a Readme file with the string "niaga og ew ereh :duluh-iahs", which is the reverse of "Shai-Hulud: Here We Go Again", a phrase used in the Shai-Hulud malware leak last week.
A report from software security platform Aikido notes that there are more than 2,700 rogue repositories on GitHub matching the campaign’s markers.
A search before publishing this article shows that there are currently at least 2,900 GitHub repositories generated by the latest Shai-Hulud supply-chain campaign.
The main exfiltration channel, though, is to filev2.getsession[.]org/file/ via the Session P2P network. Microsoft also shared the t.m-kosche.com endpoint for shipping the stolen credentials.
"On the wire this is end-to-end-encrypted traffic on TCP/443, indistinguishable from legitimate Session app traffic at the network layer. There is no traditional C2 [command-and-control] endpoint to block by hostname or IP," Endor Labs researchers say.
One key new addition that Endor Labs spotted in this Shai-Hulud variant is its ability to generate valid Sigstore provenance attestations by abusing OpenID Connect (OIDC) tokens from compromised CI environments and submitting them to Fulcio and Rekor.
A similar capability was observed in the payload delivered in the TanStack attack attributed to TeamPCP, when the threat actor published malicious package versions with verifiable Supply-chain Levels for Software Artifacts (SLSA) provenance attestation.
As a result, malicious npm packages may appear legitimately signed and pass standard provenance verification checks despite containing credential-stealing malware.
The self-propagation capability is present in this attack too. The malware validates stolen npm tokens, enumerates packages owned by the victim, downloads the tarballs, injects the malicious payload, and republishes infected packages with bumped version numbers.
Given that Shai-Hulud's code was recently leaked on GitHub by the TeamPCP threat group, and has already been used in attacks, attribution of the new Shai-Hulud campaign is more difficult.
Socket says this variant differs technically from earlier Mini Shai-Hulud payloads but shares the same operational characteristics.
“The AntV payloads differ from earlier Mini Shai-Hulud artifacts such as TanStack’s router_init.js and Intercom-related router_runtime.js payloads,” explains Socket.
“The AntV sample uses a root-level index.js, a different primary C2 endpoint, and a smaller payload body. However, the core operational model is consistent.”
Aikido Security confirms that while the core model is the same, there are some differences. The payload is now smaller and there is persistence through backdoors planted in VS Code and Claude Code configurations.
The researchers warn that this may indicate that "the attacker is thinking about what happens after the initial compromise gets cleaned up."
The general recommendation for developers who downloaded any of the infected npm packages is to immediately remove or downgrade to a known good version published before May 18, and then revoke and rotate all exposed credentials (e.g., GitHub, cloud tokens, SSH keys).
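As an added example (not from the article or the vendors' reports), the following sketch audits a parsed package-lock.json for the packages named above and flags versions published in the one-hour window Socket reported or after the May 18 cutoff. It assumes the `times` argument mirrors the registry's per-version publish-time map; the function names, sample versions, timestamps and the year are constructed, since the article gives no year.

```javascript
// Added example: flag lockfile entries for packages named in the article whose
// installed version was published at or after the article's May 18 cutoff.
// The page gives no year, so the caller supplies it (assumption).
const NAMED = new Set(['echarts-for-react', 'timeago.js', 'size-sensor',
  'canvas-nest.js', 'jest-canvas-mock']);   // non-@antv names from the article

function isWatched(name) {
  return name.startsWith('@antv/') || NAMED.has(name);
}

// "node_modules/a/node_modules/@antv/g2" -> "@antv/g2" (handles nested installs)
function nameFromLockKey(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? '' : key.slice(i + 'node_modules/'.length);
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3)
// times: { name: { version: ISO publish time } }, as in the registry "time" map
function auditLock(lock, times, year) {
  const cutoff = Date.UTC(year, 4, 18);            // May 18, 00:00 UTC
  const winStart = Date.UTC(year, 4, 19, 1, 56);   // Socket: 01:56 UTC
  const winEnd = Date.UTC(year, 4, 19, 2, 56);     // Socket: 02:56 UTC
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (!name || !isWatched(name)) continue;
    const iso = times[name] && times[name][entry.version];
    const t = iso ? Date.parse(iso) : NaN;
    let status = 'ok';
    if (Number.isNaN(t)) status = 'unknown-publish-time';  // treat as unverified
    else if (t >= winStart && t <= winEnd) status = 'in-attack-window';
    else if (t >= cutoff) status = 'after-cutoff';
    if (status !== 'ok') findings.push({ path: key, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample data (versions, timestamps and year are made up).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@antv/g2': { version: '9.9.1' },
  'node_modules/dash/node_modules/timeago.js': { version: '9.9.0' },
  'node_modules/size-sensor': { version: '9.9.2' },
  'node_modules/left-pad': { version: '1.3.0' } } };
const sampleTimes = {
  '@antv/g2': { '9.9.1': '2026-05-19T02:10:00.000Z' },
  'timeago.js': { '9.9.0': '2023-01-05T10:00:00.000Z' } };

console.log(auditLock(sampleLock, sampleTimes, 2026));
```

A finding here only narrows where to look; the vendors' published lists of affected versions remain the authoritative reference, and any hit still calls for the credential rotation described above.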
Reports on the attack from application security companies Socket, Endor Labs, Aikido Security, and Step Security include indicators of compromise along with detection, remediation, and mitigation advice that defenders can use to protect development environments.
[UPDATE: 10:31 EST]: Article updated with information from Aikido Security and Microsoft.