Socket is investigating an active npm supply chain attack in the @antv ecosystem, with compromised packages tied to the maintainer account atool and related packages like echarts-for-react. The campaign matches Mini Shai-Hulud and includes malicious install-time payloads that steal developer secrets, exfiltrate data, and republish infected packages at scale.
Keypoints
- The attack targets the npm ecosystem, especially packages in the @antv namespace and related packages such as echarts-for-react.
- Socket identified 639 compromised package versions across 323 unique packages in the latest wave, and 1,055 versions across 502 packages across the broader campaign.
- The activity matches the Mini Shai-Hulud pattern, which involves coordinated malicious publishes from a compromised maintainer account.
- The payload runs at install time through a preinstall hook and executes an obfuscated root-level index.js file via Bun.
- The malware seeks high-value secrets from developer and CI/CD environments, including GitHub, npm, AWS, Kubernetes, Vault, SSH, Docker, and database credentials.
- Exfiltration occurs through an encrypted HTTPS endpoint, with a GitHub-based fallback that can create repositories and store stolen data in results files.
- The payload also contains npm registry abuse logic to validate tokens, modify packages, inject the payload, and republish infected versions under the victim’s identity.
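A defender-side check for the install-time hook described in the key points, as an added example that is not part of Socket's report or tooling: it walks a `node_modules` tree and flags packages whose `preinstall` script runs a root-level `index.js` through Bun. The function names, the regular expression (which also accepts `bun index.js` and a leading `./`), and the sample packages are assumptions constructed for illustration.

```javascript
// Added example (not Socket's tooling): flag packages whose preinstall hook runs index.js via Bun.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// Assumption: the hook looks like "bun run index.js"; "bun index.js" and "./" are also matched.
const BUN_INDEX = /\bbun\s+(?:run\s+)?(?:\.\/)?index\.js\b/i;

// Inspect one package directory; return a finding or null.
function assessPackage(pkgDir) {
  let manifest;
  try {
    manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
  } catch { return null; } // missing or unparsable manifest
  const hook = manifest?.scripts?.preinstall;
  if (typeof hook !== 'string' || !BUN_INDEX.test(hook)) return null;
  const reasons = [`preinstall: ${hook}`];
  if (fs.existsSync(path.join(pkgDir, 'index.js'))) reasons.push('root-level index.js present');
  return { name: manifest.name, version: manifest.version, reasons };
}

// Walk node_modules, descending into @scope directories and nested node_modules.
function scanNodeModules(nmDir, findings = []) {
  if (!fs.existsSync(nmDir)) return findings;
  for (const entry of fs.readdirSync(nmDir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const full = path.join(nmDir, entry.name);
    if (entry.name.startsWith('@')) { scanNodeModules(full, findings); continue; }
    const finding = assessPackage(full);
    if (finding) findings.push(finding);
    scanNodeModules(path.join(full, 'node_modules'), findings);
  }
  return findings;
}

// Constructed sample tree (placeholder packages, not real package contents).
function demo() {
  const nm = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'nm-audit-')), 'node_modules');
  const put = (rel, manifest, withIndex) => {
    fs.mkdirSync(path.join(nm, rel), { recursive: true });
    fs.writeFileSync(path.join(nm, rel, 'package.json'), JSON.stringify(manifest));
    if (withIndex) fs.writeFileSync(path.join(nm, rel, 'index.js'), '/* placeholder */');
  };
  put('@example/flagged', { name: '@example/flagged', version: '0.0.0', scripts: { preinstall: 'bun run index.js' } }, true);
  put('benign', { name: 'benign', version: '1.0.0', scripts: { preinstall: 'node-gyp rebuild' } }, true);
  put('benign/node_modules/nested', { name: 'nested', version: '2.0.0', scripts: { preinstall: 'bun index.js' } }, false);
  const findings = scanNodeModules(nm);
  fs.rmSync(path.dirname(nm), { recursive: true, force: true });
  return findings;
}
```

Call `scanNodeModules('node_modules')` on a tree installed with `npm ci --ignore-scripts`, so the hook under inspection has not already run. Symlinked package directories are skipped by this walk.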
MITRE Techniques
- [T1195.002] Compromise Software Supply Chain – Malicious packages were published into the npm ecosystem to infect downstream users (‘coordinated malicious publishes across packages tied to a compromised maintainer account’).
- [T1059.007] JavaScript – The payload executes as a root-level index.js during installation (‘bun run index.js’).
- [T1068] Exploitation for Privilege Escalation – Not directly privilege escalation on a host, but the attacker leverages trusted package lifecycle execution to gain code execution during install (‘preinstall’).
- [T1027] Obfuscated Files or Information – The payload uses heavy string-array lookup tables and runtime decoding to hide behavior (‘heavily obfuscated’).
- [T1555] Credentials from Password Stores – The malware searches for tokens, keys, and secrets from developer environments (‘GitHub tokens, npm tokens, AWS credentials’).
- [T1528] Steal Application Access Token – It specifically targets GitHub tokens and npm tokens for abuse (‘GitHub tokens, npm tokens’).
- [T1552.001] Credentials In Files – It looks for files such as SSH/private keys, Docker auth files, and credentials files (‘SSH/private keys, Docker authentication files’).
- [T1105] Ingress Tool Transfer – The payload downloads package tarballs and modifies them before republishing, enabling further spread (‘download package tarballs, inject the malicious payload’).
- [T1190] Exploit Public-Facing Application – The attack abuses public developer platforms and package registries as infrastructure for exfiltration and staging (‘GitHub API abuse’, ‘npm registry abuse logic’).
- [T1041] Exfiltration Over C2 Channel – Stolen data is compressed, encrypted, and sent to a hardcoded HTTPS endpoint (‘https://t[.]m-kosche[.]com:443/api/public/otel/v1/traces’).
- [T1567.002] Exfiltration to Cloud Storage – The payload uses GitHub repositories as a fallback staging/exfiltration mechanism (‘create a repository under the victim’s account and commit stolen data’).
- [T1106] Native API – The payload uses GitHub and npm registry APIs to validate tokens and manipulate packages (‘GitHub API usage, npm registry API usage’).
Indicators of Compromise
- [Domain / Network Indicator] primary exfiltration endpoint – t[.]m-kosche[.]com, https://t[.]m-kosche[.]com:443/api/public/otel/v1/traces
- [Domain / Network Indicator] Sigstore-related endpoints referenced by the payload – fulcio[.]sigstore[.]dev, rekor[.]sigstore[.]dev
- [Repository Marker] reversed campaign marker used in GitHub repos – niagA oG eW ereH :duluH-iahS, Shai-Hulud: Here We Go Again
- [File Path / Filename Pattern] GitHub fallback output location – results/results-*.json, results/results–.json
- [Repository Naming Pattern] Dune-themed repository names observed in the campaign – sayyadina-stillsuit-852, atreides-ornithopter-112, and 3 more examples
- [Secret / Environment Variable] targeted credentials and tokens – GITHUB_TOKEN, ACTIONS_ID_TOKEN_REQUEST_TOKEN, AWS_ACCESS_KEY_ID, and other secrets
- [Package / Dependency Reference] malicious or related package references – echarts-for-react, @antv/setup
Read more: https://socket.dev/blog/antv-packages-compromised