Shai-Hulud Returns: 600 npm Packages Compromised, @antv Ecosystem Hit

A new Shai-Hulud wave hit npm this morning. 639 malicious versions across 323 unique packages were published in approximately one hour. The primary target is the @antv ecosystem, a suite of charting, graph visualization, and mapping libraries used across JavaScript applications. Popular packages outside that namespace were also hit.
Attestd's monitoring pipeline auto-qualified 11 @antv packages during the active attack window based on OSV advisories published as the campaign unfolded. Packages added include @antv/component (368.7k/week), @antv/algorithm (199.5k/week), @antv/attr (170.2k/week), @antv/coord (271k/week), @antv/dom-util (147.3k/week), @antv/adjust (144k/week), @antv/x6 (132.5k/week), @antv/color-util (110.1k/week), @antv/data-set (77.3k/week), @antv/async-hook (49.3k/week), and @antv/x6-geometry (12.8k/week). 331 packages were evaluated and skipped for falling below the download threshold.
This is the third Shai-Hulud wave since May 11.
What was compromised
Affected packages span the @antv namespace and several popular packages outside it. Per Socket's research:
echarts-for-react, @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/g2plot, @antv/graphin, timeago.js, size-sensor, canvas-nest.js
639 malicious versions across 323 unique packages. The total Shai-Hulud artifact count across all campaigns now exceeds 1,000 entries. Attackers have created between 1,900 and 2,700 rogue GitHub repositories using stolen tokens, publishing stolen data automatically.
The payload
The payload is a heavily obfuscated index.js that steals GitHub, npm, cloud, Kubernetes, Vault, Docker, database, and SSH credentials. Exfiltration uses the Session P2P network, making traffic appear as encrypted messenger traffic. The stolen data is AES-256-GCM encrypted and RSA-OAEP-wrapped before transmission.
When GitHub credentials are available, the malware uses the GitHub API to create new repositories under the victim's account and upload stolen data to them automatically.
Self-propagation is present again. The malware validates stolen npm tokens, enumerates packages owned by the victim, downloads the tarballs, injects the payload, and republishes infected versions with bumped version numbers.
The SLSA bypass is a repeating capability
This variant generates valid Sigstore provenance attestations by abusing OIDC tokens from compromised CI environments and submitting them to Fulcio and Rekor. The TanStack wave on May 11 was the first documented case. This confirms it as a repeating technique.
Because the attestation is genuinely issued through the compromised CI job's OIDC identity, npm audit passes, provenance verification passes, and the npm provenance badge shows verified. The only signal that catches it is a registry of known-compromised version tuples checked at deploy time.
The dormant package problem
Endor Labs notes that several compromised packages had not received a legitimate update in years and were less likely to have OIDC trusted publishing security configured. jest-canvas-mock has 10 million monthly downloads and has been dormant for three years. High download count does not imply active maintenance or current security hygiene on the publishing pipeline.
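The pattern described above, a package quiet for years that suddenly publishes a new version, can be surfaced from the npm registry's own metadata before a deploy. The following is an added example, not code from Attestd, Endor Labs, or any project named on this page: it reads the registry document's "time" map (version to publish date, plus "created" and "modified") and flags a publish that follows a multi-year gap. The package names and dates are constructed; they are not the real history of jest-canvas-mock or any other package.

```javascript
// Added example (not from this page or any project): a "dormant, then suddenly published"
// heuristic over npm registry metadata. The registry document for a package carries a
// "time" map from each version to its publish date (plus "created" and "modified"); the
// names and dates below are constructed, not the real history of any package.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Version publish events in date order, skipping the two non-version keys.
function publishHistory(meta) {
  return Object.entries(meta.time || {})
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, date: new Date(iso) }))
    .sort((a, b) => a.date - b.date);
}

// Flag when the newest version follows a gap of at least minGapDays since the previous
// publish. The gap and the two versions are returned so a reviewer sees why it fired.
// Download volume is deliberately not an input: the page's point is that it says nothing
// about the state of the publishing pipeline.
function dormantThenRevived(meta, minGapDays = 2 * 365) {
  const history = publishHistory(meta);
  if (history.length < 2) return { flagged: false, gapDays: null };
  const latest = history[history.length - 1];
  const previous = history[history.length - 2];
  const gapDays = Math.round((latest.date - previous.date) / MS_PER_DAY);
  return {
    flagged: gapDays >= minGapDays,
    gapDays,
    previousVersion: previous.version,
    latestVersion: latest.version,
  };
}

// Constructed: a package quiet for over three years that just published 1.1.1.
const REVIVED_META = {
  name: "example-dormant-lib",
  time: {
    created: "2019-03-01T00:00:00Z",
    "1.0.0": "2019-03-01T00:00:00Z",
    "1.1.0": "2020-06-15T00:00:00Z",
    "1.1.1": "2023-09-01T00:00:00Z",
    modified: "2023-09-01T00:00:00Z",
  },
};

// Constructed: a package on a monthly cadence, which the heuristic leaves alone.
const MAINTAINED_META = {
  name: "example-maintained-lib",
  time: {
    created: "2024-01-10T00:00:00Z",
    "2.0.0": "2024-01-10T00:00:00Z",
    "2.0.1": "2024-02-10T00:00:00Z",
    modified: "2024-02-10T00:00:00Z",
  },
};
```

A flagged result is a review trigger, not a verdict: the next step is to compare the newest version's provenance and publisher identity against the previous releases before the version is allowed into a lockfile.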
What Attestd returns
For packages on the Attestd watchlist, OSV malware advisories are ingested as they publish and compromised versions are flagged immediately. Several @antv packages auto-qualified during this wave are confirmed compromised.
# @antv/x6 compromised version
curl "https://api.attestd.io/v1/check?product=%40antv%2Fx6&version=3.2.7" \
  -H "Authorization: Bearer YOUR_API_KEY"

{
  "product": "@antv/x6",
  "version": "3.2.7",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": true,
    "sources": ["osv"],
    "malware_type": "malware",
    "description": "Malicious code in @antv/x6 (npm)",
    "advisory_url": "https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/",
    "compromised_at": "2026-05-19T00:00:00Z"
  }
}

# @antv/adjust compromised version
curl "https://api.attestd.io/v1/check?product=%40antv%2Fadjust&version=0.4.5" \
  -H "Authorization: Bearer YOUR_API_KEY"
# → supply_chain.compromised: true, risk_state: "none"

# @antv/component compromised version
curl "https://api.attestd.io/v1/check?product=%40antv%2Fcomponent&version=2.3.11" \
  -H "Authorization: Bearer YOUR_API_KEY"
# → supply_chain.compromised: true, risk_state: "none"

# Clean control
curl "https://api.attestd.io/v1/check?product=%40antv%2Fx6&version=2.18.1" \
  -H "Authorization: Bearer YOUR_API_KEY"
# → supply_chain.compromised: false
risk_state is "none" on every version, including the compromised ones. No CVE exists for this attack, so a tool that checks CVE severity alone returns clean for every affected version. The supply chain signal is the only detector.
Some of the higher-profile packages named in security research coverage, including @antv/g2, @antv/g6, and echarts-for-react, are not yet on the Attestd watchlist and return supported: false. Coverage expands as OSV advisories are ingested and packages clear the download threshold. The current watchlist is at attestd.io/docs/supply-chain.
Attribution
Socket notes this variant differs technically from earlier Mini Shai-Hulud payloads but shares the same operational model. TeamPCP leaked the Shai-Hulud source code on GitHub last week. Whether this wave is TeamPCP directly, a former affiliate, or an unrelated actor using the leaked code is not confirmed.
If you use any of the affected packages
Remove compromised versions immediately. Check lockfiles for pinned transitive dependencies.
Rotate immediately: GitHub tokens, npm publish tokens, cloud credentials, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, all credentials in .env files, and CI/CD secrets.
Check GitHub for unexpected repositories created under your account. The malware publishes stolen data to auto-generated repositories using your tokens.
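The lockfile check in the steps above is the same check the SLSA bypass section calls for: a deploy-time gate that compares every pinned (name, version) tuple, transitive ones included, against a registry of known-compromised tuples, and that keys on the supply chain flag rather than on a CVE-derived risk state. The following is an added example and is not Attestd's code or any project's: CHECK_RESULTS is a constructed lookup table in the shape of the responses shown in the "What Attestd returns" section, standing in for live calls to the URL that buildCheckUrl() builds; the @antv versions are the ones named on this page, while "some-chart-wrapper", "demo-app" and the @antv/g2 version 0.0.0 are hypothetical.

```javascript
// Added example (not Attestd's or any project's code): a deploy-time gate that walks a
// package-lock.json, derives every (name, version) tuple including transitive ones, and
// blocks the deploy when any tuple is flagged as compromised. CHECK_RESULTS is a constructed
// lookup table in the shape of the API responses shown on this page, standing in for live
// calls to the URL that buildCheckUrl() builds; package names other than the @antv ones are
// hypothetical.

const API_BASE = "https://api.attestd.io/v1/check";

// Build the check URL the same way the page's curl examples do: a scoped name is
// percent-encoded (@ -> %40, / -> %2F) so the scope travels as one query value.
function buildCheckUrl(product, version) {
  return `${API_BASE}?product=${encodeURIComponent(product)}&version=${encodeURIComponent(version)}`;
}

// Recover the package name from a lockfile v2/v3 "packages" key. A nested key such as
// "node_modules/a/node_modules/@antv/x6" resolves to the text after its last "node_modules/".
function nameFromLockfilePath(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Every (name, version) tuple pinned in the lockfile, transitive dependencies included.
function lockfileTuples(lockfile) {
  const tuples = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === "") continue; // the root project itself
    const name = nameFromLockfilePath(key);
    if (name && entry.version) tuples.push({ name, version: entry.version });
  }
  return tuples;
}

// Constructed stand-in for API responses (values from this page, not live data).
const CHECK_RESULTS = {
  "@antv/x6@3.2.7":         { supported: true, risk_state: "none", supply_chain: { compromised: true,  sources: ["osv"] } },
  "@antv/adjust@0.4.5":     { supported: true, risk_state: "none", supply_chain: { compromised: true,  sources: ["osv"] } },
  "@antv/component@2.3.11": { supported: true, risk_state: "none", supply_chain: { compromised: true,  sources: ["osv"] } },
  "@antv/x6@2.18.1":        { supported: true, risk_state: "none", supply_chain: { compromised: false } },
  // Not on the watchlist: the API answers supported: false, which must not be read as clean.
  "@antv/g2@0.0.0":         { supported: false },
};

function lookupCheck(name, version) {
  return CHECK_RESULTS[`${name}@${version}`];
}

// Gate decision. It keys on supply_chain.compromised, never on risk_state, and reports
// tuples with no answer separately so an unmonitored package cannot pass silently.
function gateDeploy(lockfile, lookupFn = lookupCheck) {
  const compromised = [];
  const unknown = [];
  for (const { name, version } of lockfileTuples(lockfile)) {
    const id = `${name}@${version}`;
    const res = lookupFn(name, version);
    if (!res || res.supported === false) { unknown.push(id); continue; }
    if (res.supply_chain && res.supply_chain.compromised) compromised.push(id);
  }
  return { allowed: compromised.length === 0, compromised, unknown };
}

// What a CVE-severity-only policy (risk_state != "none") would flag, for comparison.
function cveOnlyFlags(lockfile, lookupFn = lookupCheck) {
  return lockfileTuples(lockfile).filter(({ name, version }) => {
    const res = lookupFn(name, version);
    return Boolean(res && res.supported && res.risk_state !== "none");
  }).length;
}

// Constructed lockfile (v3 layout): one compromised direct dependency, one compromised
// transitive dependency nested under a hypothetical wrapper package, one clean version,
// and one package the watchlist does not cover.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@antv/x6": { version: "2.18.1" },
    "node_modules/@antv/component": { version: "2.3.11" },
    "node_modules/some-chart-wrapper": { version: "1.4.0" },
    "node_modules/some-chart-wrapper/node_modules/@antv/adjust": { version: "0.4.5" },
    "node_modules/@antv/g2": { version: "0.0.0" },
  },
};
```

Run against the sample, gateDeploy() blocks on @antv/component@2.3.11 and on the nested @antv/adjust@0.4.5 that a top-level-only scan would miss, lists the two tuples it has no answer for, and cveOnlyFlags() returns 0: the CVE-severity view sees nothing wrong with any of them. To use it on a real lockfile, replace lookupCheck with a function that fetches buildCheckUrl(name, version) with the Bearer header shown above and caches the JSON body.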
Socket maintains a running list of all compromised package artifacts across the full Shai-Hulud campaign: socket.dev.
Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.