
Mini Shai-Hulud Hits 320+ NPM Packages

Over 320 NPM packages compromised in fresh Mini Shai-Hulud supply chain attack. Malicious payloads steal CI/CD secrets, exfiltrate data via GitHub. Details on May 20, 2026.


Over 320 NPM packages were compromised in a fresh Mini Shai-Hulud attack that began deploying malicious code as of May 20, 2026. The campaign, which also infiltrated PyPI and Composer ecosystems, exploited the @antv namespace and the popular timeago.js package—used in 1.5 million weekly downloads—to trigger a multi-stage infection chain targeting developer environments at scale.

Key Takeaways

  • More than 320 NPM packages were compromised, with 639 malicious versions published across critical visualization and React tooling.
  • The attacker exploited the @antv namespace, including the widely used timeago.js and echarts-for-react, to inject obfuscated payloads during install.
  • Malicious code extracts CI/CD secrets in plaintext by reading GitHub Actions runner memory, harvesting credentials from over 130 file paths tied to cloud providers and developer tools.
  • Data is exfiltrated through GitHub repositories and a fallback server, consistent with known tactics used by TeamPCP.
  • For the first time, the malware downloaded and executed Python code, giving attackers persistent remote execution capabilities.

Historical Context: The Evolution of Mini Shai-Hulud

Mini Shai-Hulud first emerged in late 2023 as a low-volume but precise supply chain operation. Initial campaigns focused on niche data visualization libraries under the @antv umbrella—packages like G2 and G6—that, while not massive in download volume, were trusted by enterprise engineering teams for dashboards and analytics. At the time, fewer than 20 packages were affected, and the malicious behavior was limited to environment scanning and beaconing to a C2 server.

The 2024 wave marked a shift. Attackers began using preinstall scripts to harvest environment variables and exfiltrate SSH keys stored in default locations. That iteration compromised 87 packages and led to breaches at two fintech startups using echarts-for-react in internal admin panels. GitHub revoked compromised tokens and issued a security advisory, but no public attribution followed.

In 2025, the campaign went dormant for six months before resurfacing with a new tactic: dependency confusion. Malicious packages mimicked internal library names—like @company/ui-core—and relied on misconfigured CI pipelines to pull them from public registries instead of private ones. That attack remained small, with only 12 packages uploaded, but it demonstrated strategic patience and adaptability.

Now, in 2026, Mini Shai-Hulud has evolved into a self-replicating, cross-platform threat. It no longer depends on misconfiguration or social engineering. It hijacks legitimate publishing workflows, spreads laterally at machine speed, and now executes code in multiple runtimes. The jump from JavaScript-only payloads to Python execution marks a qualitative shift—this is no longer just a dependency hijack. It’s a platform-level compromise.

Mini Shai-Hulud Attack Expands Scope

What started as a targeted compromise of the NPM maintainer account ‘atool’ spiraled into one of the most widespread supply chain intrusions this year. Socket researchers confirmed that the campaign has now produced 1,055 malicious package versions across 502 unique packages. Of those, 1,048 versions are in NPM—accounting for 99% of the activity—with smaller but notable breaches in PyPI and Composer.

This isn’t the first time the Mini Shai-Hulud campaign has surfaced. But unlike prior iterations, this wave demonstrates a clear evolution: broader targeting, deeper persistence mechanisms, and new capabilities like remote Python execution. It’s not just about stealth anymore—it’s about staying put and expanding access.

Microsoft flagged the severity on May 20, 2026, noting that packages like echarts-for-react (~1.1 million weekly downloads) were impacted, amplifying the blast radius into production CI/CD pipelines. That’s critical because it means builds weren’t just poisoned—they were actively monitored, with secrets harvested in real time.

How the Infection Chain Works

Every compromised package includes an install-time payload. When developers run npm install, the script executes silently, bypassing most preinstall warnings because it is embedded under legitimate-looking logic. The payload is heavily obfuscated, making static analysis difficult without deobfuscation.

Once active, it performs three main functions:

  • Reads memory from GitHub Actions runner processes to extract masked CI/CD secrets in plaintext—a technique that turns GitHub’s own security model against itself.
  • Scans over 130 predefined file paths on the host system, targeting credentials for AWS, GCP, Azure, Kubernetes, HashiCorp Vault, cryptocurrency wallets, and common developer tools like .env files and SSH keys.
  • Exfiltrates stolen data through two channels: one embedded in GitHub repositories controlled by the attacker, and another via a fallback command-and-control server—ensuring redundancy if one path fails.
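The three behaviours above all hang off an npm lifecycle hook, so the first thing a defender can do is enumerate which installed packages even have one and what the hook's script does. The following auditor is an added example written for this article; it is not code from Socket, StepSecurity or the campaign itself. It walks a node_modules tree, lists every preinstall/install/postinstall/prepare script, and applies a handful of hypothetical indicator patterns (dynamic eval, child_process, base64 decoding, credential paths, a python invocation) that mirror the behaviours the article describes. The sample package tree at the bottom is constructed inline so the script runs offline.

```python
"""Audit an npm node_modules tree for install-time lifecycle scripts (added example)."""
import json
import re
import sys
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Hypothetical heuristics modelled on the behaviours described in the article;
# not the detection rules of any named vendor.
INDICATORS = {
    "dynamic-eval": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "child-process": re.compile(r"child_process|execSync|spawnSync"),
    "base64-decode": re.compile(r"Buffer\.from\s*\([^)]*['\"]base64['\"]"),
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "secret-paths": re.compile(r"\.aws/credentials|\.ssh/|\.npmrc|\.env\b|/proc/(?:\d+|self)/mem"),
    "python-exec": re.compile(r"\bpython3?\b"),
}
# Any of these alone is enough to escalate a hook from "review" to "high".
HIGH = {"dynamic-eval", "child-process", "secret-paths", "python-exec"}


def _script_file(command):
    """Return the script a hook command runs ('node setup.js' -> 'setup.js'), else None."""
    parts = command.split()
    if len(parts) >= 2 and parts[0] == "node":
        return parts[1]
    return None


def audit_package(name, package_json, sources):
    """package_json: parsed package.json dict; sources: {relative path: file text}."""
    findings = []
    scripts = package_json.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if command is None:
            continue
        text = command
        target = _script_file(command)
        if target is not None:  # inspect the referenced script, not just the command line
            text += "\n" + sources.get(target, "")
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
        severity = "high" if HIGH & set(hits) else "review"
        findings.append({"package": name, "hook": hook, "command": command,
                         "indicators": hits, "severity": severity})
    return findings


def audit_tree(tree):
    """tree: {package name: (package.json dict, sources dict)} -> list of findings."""
    out = []
    for name, (pkg, srcs) in tree.items():
        out.extend(audit_package(name, pkg, srcs))
    return out


def load_tree(node_modules):
    """Read a real node_modules directory into the shape audit_tree() expects."""
    tree = {}
    root = Path(node_modules)
    for pkg_file in root.glob("**/package.json"):
        pkg_dir = pkg_file.parent
        try:
            pkg = json.loads(pkg_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        name = pkg.get("name") or str(pkg_dir.relative_to(root))
        srcs = {}
        for js in pkg_dir.glob("*.js"):  # hook scripts normally sit beside package.json
            try:
                srcs[js.name] = js.read_text(encoding="utf-8", errors="replace")
            except OSError:
                pass
        tree[name] = (pkg, srcs)
    return tree


# Constructed sample tree: one clean package, one native build hook, one loader-style hook.
SAMPLE_TREE = {
    "acme-clean": ({"name": "acme-clean", "version": "1.0.0"}, {}),
    "acme-native": ({"name": "acme-native", "version": "2.3.1",
                     "scripts": {"install": "node-gyp rebuild"}}, {}),
    "acme-suspect": ({"name": "acme-suspect", "version": "4.0.2",
                      "scripts": {"preinstall": "node setup.js"}},
                     {"setup.js": (
                         "const cp = require('child_process');\n"
                         "const b = Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString();\n"
                         "eval(b);\n"
                         "cp.execSync('cat ~/.aws/credentials');\n")}),
}

if __name__ == "__main__":
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE
    for f in audit_tree(tree):
        print(f"[{f['severity']}] {f['package']} {f['hook']}: {f['command']} {f['indicators']}")
```

Run it as `python audit_hooks.py ./node_modules` against a real tree. A "review" finding is not proof of compromise (native add-ons legitimately use install hooks), but a "high" finding on a package that previously had no lifecycle script at all is exactly the shape of change this campaign introduces, and it is far cheaper to check than to deobfuscate the payload.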

And that’s just phase one.

NPM Registry Abuse Enables Lateral Spread

The attackers didn’t stop at theft. They built in logic to hijack the entire NPM publishing workflow. According to Socket, the malware can validate npm tokens using official registry APIs, enumerate all packages the compromised maintainer can publish to, download the original tarball, inject the malicious payload, add a preinstall hook, bump the version number, and republish under the maintainer’s name—all automatically.

This self-propagating behavior is what turned a single account breach into a 498-package wildfire. It’s not just a backdoor—it’s a worm.

Because the publishing process uses legitimate credentials and follows standard NPM workflows, most automated security scanners won’t flag it. There’s no suspicious IP, no unknown binary—it’s just another package update. That’s why so many teams didn’t notice until StepSecurity identified over 2,200 GitHub repositories already leaking data.

Python Execution Adds New Threat Layer

Previously, Mini Shai-Hulud payloads were limited to JavaScript and shell scripts. But in this campaign, Wiz observed something new: the malware now downloads and executes Python code from attacker-controlled infrastructure.

That’s significant. It means the attackers aren’t just stealing credentials—they’re running arbitrary code on compromised systems. This gives them the ability to pivot laterally, deploy additional tooling, or even maintain access after the initial package is removed.

Microsoft’s Durabletask Python SDK was hit in this wave, with three malicious versions uploaded to PyPI within a 35-minute window. The speed suggests automation—likely the same registry abuse logic ported to Python’s ecosystem. It didn’t gain the same traction as the NPM packages, but it confirms the attackers are diversifying.

GitHub Actions and VS Code Extensions Also Compromised

The campaign didn’t limit itself to package managers. A fresh compromise of the widely used GitHub Action actions-cool/issues-helper has been linked to this attack by Wiz. That action is used in thousands of repositories to auto-label and triage issues—meaning any workflow that includes it now runs untrusted code during CI.

Even more concerning: StepSecurity found the payload dropping persistent backdoors into Claude Code, Anthropic’s AI-powered development environment. While details are sparse, this suggests the attackers are specifically targeting AI-assisted coding tools—possibly to manipulate generated code or intercept prompts containing secrets.

If confirmed, that would represent a strategic shift: from exploiting trust in open source maintainers to exploiting trust in AI tooling itself.

What This Means For You

If you’re using any package in the @antv namespace—especially timeago.js, G2Plot, or echarts-for-react—you need to audit your systems immediately. Regenerate all CI/CD secrets, rotate cloud credentials, and check your GitHub Actions logs for unauthorized access. Assume compromise if you pulled a package between May 18 and May 20, 2026.
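Before rotating anything, a team needs to know whether the @antv scope or the named packages are anywhere in its dependency graph, including as transitive dependencies several levels down. The following lockfile check is an added example written for this article, not a tool from any of the vendors it cites. It reads a package-lock.json (lockfileVersion 1, 2 or 3), resolves each entry's package name from its node_modules path, and reports every match against a watch list built from the scope and package names the article mentions. The versions in the embedded sample lockfile are constructed for the demo and say nothing about which real versions were malicious; compare the reported versions against the registry advisory.

```python
"""Find watched npm packages anywhere in a package-lock.json (added example)."""
import json
import sys

# Scope and package names taken from the article; extend for your own watch list.
WATCH_SCOPES = {"@antv"}
WATCH_NAMES = {"timeago.js", "echarts-for-react"}


def name_from_path(path):
    """'node_modules/a/node_modules/@antv/g2' -> '@antv/g2'; '' (the root project) -> None."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    if idx == -1:
        return None
    return path[idx + len(marker):]


def is_watched(name):
    if name in WATCH_NAMES:
        return True
    return name.startswith("@") and name.split("/", 1)[0] in WATCH_SCOPES


def exposed_packages(lock):
    """Return sorted (name, version, lockfile path) for every watched package in the lock."""
    hits = []
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            name = name_from_path(path)
            if name and is_watched(name):
                hits.append((name, meta.get("version"), path))
    else:  # lockfileVersion 1: nested "dependencies" tree
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if is_watched(name):
                    hits.append((name, meta.get("version"), path))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)


# Constructed v3 lockfile: one direct hit and one transitive hit under an unrelated package.
SAMPLE_LOCK_V3 = {
    "name": "acme-dashboard", "lockfileVersion": 3,
    "packages": {
        "": {"name": "acme-dashboard", "dependencies": {"echarts-for-react": "^3.0.0"}},
        "node_modules/echarts-for-react": {
            "version": "3.0.2",
            "resolved": "https://registry.npmjs.org/echarts-for-react/-/echarts-for-react-3.0.2.tgz"},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/some-chart-kit": {"version": "1.4.0"},
        "node_modules/some-chart-kit/node_modules/@antv/g2": {"version": "5.1.0"},
    },
}

# Constructed v1 lockfile for the nested-tree code path.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "timeago.js": {"version": "4.0.2", "dependencies": {}},
        "left-pad": {"version": "1.3.0"},
    },
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK_V3
    for name, version, path in exposed_packages(lock):
        print(f"{name}@{version}  ({path})")
```

Run `python lock_exposure.py package-lock.json` in every repository and CI image that was built in the window. The lockfile tells you what was pinned, not when it was installed, so pair the output with the build timestamps in your CI history to decide which runs fall inside May 18 to May 20, 2026.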

More broadly, this attack proves that traditional dependency scanning isn’t enough. You can’t just check for known vulnerabilities in package-lock.json. You have to monitor behavior: what does a package do at install time? Does it spawn network calls? Access sensitive files? Read process memory? Tools like Socket and StepSecurity exist for this reason—they catch what SCA tools miss.

And if you’re maintaining an open source project, this should scare you. One compromised account, one weak 2FA setup, and your entire ecosystem becomes a delivery mechanism for malware. That’s why automated publishing workflows need tighter controls—like requiring manual approval for version bumps, or limiting token scopes to read-only in CI.

Consider a startup founder using timeago.js in their admin dashboard. They pull the latest version during deployment, unknowingly installing the malicious preinstall script. Within minutes, their GitHub Actions runner leaks AWS keys. The attacker spins up EC2 instances, deploys cryptominers, and erases logs. The breach isn’t detected for 11 days—long enough to cost tens of thousands in cloud overages.

Or imagine a mid-sized SaaS company with strict security policies but a single engineer who uses a personal NPM token in a side project. That token had publish access to a public library. Once compromised, the malware used it to publish 17 malicious versions across unrelated packages. The company’s internal audit logs show no anomalies—but their clients start reporting suspicious API calls from unexpected regions.

Now picture an enterprise DevOps team relying on echarts-for-react for internal reporting tools. Their CI pipeline pulls dependencies automatically. The malicious package runs in a privileged runner, extracts HashiCorp Vault tokens, and exfiltrates them via a GitHub gist. The attacker decrypts secrets, accesses staging databases, and plants backdoors in configuration files. The breach looks like a rogue employee—until forensic analysis traces the initial infection to a preinstall hook.

What Happens Next

The immediate cleanup is underway. GitHub has suspended the affected @antv accounts and revoked API tokens. NPM has pulled all 1,048 malicious versions, and PyPI has removed the compromised Durabletask SDK releases. But removal doesn’t erase what’s already been installed.

The bigger question is how long the malware remained undetected. The infection window—May 18 to May 20—was short, but the damage is likely lasting. Teams may have rebuilt systems using poisoned base images or restored from compromised backups. Some organizations won’t discover the breach until they see unusual cloud charges or failed compliance audits.

Another unknown: what happens to the data already stolen? The 130 file paths targeted include cryptocurrency wallets and SSH keys. If attackers accessed blockchain wallets with active balances, those funds may already be gone. There’s no recovery path.

And what about the AI tooling angle? If Claude Code environments were indeed compromised, the implications go beyond credential theft. Could attackers manipulate AI-generated code to introduce new vulnerabilities? Could they train models on stolen proprietary logic? These aren’t hypotheticals—they’re attack vectors now in play.

Lastly, there’s the human factor. The original breach likely started with a phishing attempt or a reused password. How many other maintainer accounts are similarly exposed? The @antv namespace is just one target. React, Vue, and other ecosystems rely on a handful of trusted developers. One weak link, and the chain breaks.

The attack may be contained, but the model it demonstrates—automated, cross-platform, self-propagating supply chain corruption—is here to stay.

Sources: SecurityWeek, original report
