Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

Researchers uncovered a new Mini Shai-Hulud supply chain campaign that compromised numerous npm packages in the @antv ecosystem, including echarts-for-react, and used stolen maintainer and CI/CD tokens to push trojanized releases at scale. The attack steals cloud, developer, and infrastructure credentials, exfiltrates data through GitHub and external servers, and is linked to TeamPCP and copycat malicious npm packages.

Key points

  • The attack targeted npm packages tied to the @antv ecosystem and echarts-for-react.
  • Hundreds of malicious versions were published through compromised maintainer accounts.
  • The payload steals credentials for AWS, Google Cloud, Azure, GitHub, npm, SSH, Kubernetes, and more.
  • Stolen GitHub tokens were used to create public repositories containing exfiltrated data.
  • The campaign includes propagation logic, Sigstore attestation abuse, and copycat npm packages.

Read More: https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html