Supply Chain Attack on AntV: Inside the Latest npm Malware Campaign
Introduction
The npm ecosystem, the world's largest open-source package registry, has once again become the target of a sophisticated supply chain attack. This time, the focus is on AntV, a popular enterprise data visualization tool developed by Alibaba. The attack, which unfolded on May 19, marks the third major wave of npm malware in recent months, following incidents involving SAP packages and TanStack. Unlike the previous TanStack attack that exploited a complex GitHub Actions cache poisoning vulnerability, this campaign took a more traditional route: compromising the credentials of a high-privilege maintainer account.
The Compromised Account and Scale of Attack
According to cybersecurity firm SafeDep, the attack targeted the npm account belonging to atool (i@hust.cc), the maintainer of the timeago.js library. This account had maintainer rights to a significant catalog of packages, including widely used tools such as size-sensor (4.2 million monthly downloads), echarts-for-react (3.8 million), @antv/scale (2.2 million), and timeago.js itself (1.15 million).
Using these elevated privileges, the attacker published at least 637 malicious versions across 317 different npm packages in a single 22-minute burst. This rapid-fire deployment compromised a substantial portion of Alibaba's AntV namespace, a platform widely used in Asia, Europe, and the United States for building dashboards, user interfaces, and interactive applications. Aikido Security noted that each wave of attacks has been faster and broader than the previous one, signaling an alarming escalation in supply chain threats.
The Malware: Mini-Shai-Hulud Worm
Anyone unlucky enough to install one of the malicious packages would be infected by a potent worm known as Mini-Shai-Hulud. The source code for this malware was briefly released on GitHub, allowing other criminals to study and adapt it. Its primary purpose is to steal:
- npm and GitHub tokens
- Credentials from 130 file paths, including cloud platforms (AWS, Azure, GCP), Kubernetes, Docker, Hashicorp Vault, password managers, SSH keys, and Bitcoin wallets
For reasons not yet fully understood, the attackers then use stolen CI/CD tokens to store the exfiltrated data in public GitHub repositories themed after the science fiction novel Dune. Within hours of the attack, over 2,500 such repositories appeared. Each repository description contains the string “niagA oG eW ereH :duluH-iahS” — which is “Shai-Hulud: Here We Go Again” written backwards.
Persistence Mechanisms
The malware also attempts to maintain persistence by installing a Python-based backdoor at ~/.local/share/kitty/cat.py, although security company Wiz reports that this function is not yet active. More worryingly, the attackers from the TeamPCP group have designed the malware to modify Claude Code’s settings.json, allowing the malware to be stealthily reinstated with full LLM privileges even after the infected npm packages are removed. This demonstrates a high level of sophistication and ambition.
Responses and Next Steps
After the attack was detected, the AntV maintainers issued a warning on GitHub, advising users to audit their dependencies and revoke any compromised tokens. They also urged the community to enable two-factor authentication on npm accounts and to monitor for unusual activity.
Security researchers recommend the following steps for organizations using npm packages from the affected ecosystem:
- Immediately audit all packages that depend on @antv/*, timeago.js, size-sensor, and echarts-for-react.
- Rotate all secrets stored in environments where malicious packages were installed.
- Check for hidden repositories on GitHub that match the Dune theme (e.g., repository descriptions containing the backwards string).
- Update to the latest safe versions of affected packages as soon as they are released.
This incident underscores the fragility of the open-source supply chain. As npm continues to be a prime target for attackers, developers must adopt a security-first mindset, including regular audits, least-privilege access, and rapid incident response plans.
Conclusion
The AntV attack is the latest reminder that supply chain attacks are growing in speed and breadth. With the Mini-Shai-Hulud worm capable of stealing a wide range of credentials and even persisting via AI tool settings, the need for robust security measures has never been greater. Organizations should treat compromised npm credentials as a critical incident and act swiftly to limit damage.
For more information on protecting your npm supply chain, see our guide on understanding and mitigating malware like Mini-Shai-Hulud.
Related Articles
- Rust Project's GSoC 2026 Journey: Selected Projects and Insights
- Rust Project Secures 13 Google Summer of Code 2026 Slots Amid Surge in Proposals
- How GitHub Issues Navigation Went from Laggy to Instant: A Q&A
- Integrating AMD Instinct MI350P: A PCIe-Based Path to High-Performance AI Acceleration
- Meta Breaks Free from WebRTC 'Forking Trap' – 50+ Services Migrated to Modular Architecture
- GitHub Deploys eBPF to Shield Deployment Pipelines from Circular Dependencies
- How to Detect and Recover from a GitHub Actions Compromise Targeting PyPI Packages
- Google Transitions Nest Community to New System: User Accounts and Forum Data Face Permanent Deletion