Mini Shai-Hulud malware infecting AntV npm packages via compromised maintainer accounts, stealing credentials and exploiting CI/CD pipelines

Cybersecurity researchers uncovered a Mini Shai-Hulud supply chain attack targeting the npm ecosystem. Attackers compromised maintainer accounts to push malicious versions of over 300 packages, including widely used @antv libraries like echarts-for-react, @antv/g2, @antv/g6, and others.


The malware harvests credentials for cloud services, GitHub, SSH, Docker, and more, then exfiltrates data while establishing persistence through preinstall hooks and CI/CD abuse. The campaign leverages Sigstore attestation forgery and OIDC token misuse to make malicious releases appear legitimate, amplifying the risk to organizations that auto-update dependencies.

This attack highlights the growing threat of npm supply chain malware, emphasizing the need for credential rotation, two-factor authentication, auditing GitHub accounts, and upgrading to safe package versions to protect sensitive data and enterprise environments.
