Microsoft uncovers supply chain attack: Compromised @antv npm packages steal CI/CD credentials via Mini Shai-Hulud malware
By
Microsoft Defender Security Research Team
Summary
Microsoft has identified an active supply chain attack targeting the @antv npm package ecosystem. A threat actor compromised an @antv maintainer account and published malicious versions of data-visualization packages. The attack propagated through dependency chains into libraries like echarts-for-react (1M+ weekly downloads), expanding into CI/CD pipelines and cloud workloads. The malicious payload—a ~499 KB obfuscated JavaScript file named "Mini Shai-Hulud"—runs during npm install and targets credentials across GitHub, AWS, Kubernetes, Vault, npm, and 1Password platforms in Linux-based automation environments.
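One check a defender would run after a disclosure like this, as an added example that is not from Microsoft's write-up: walk a project's node_modules for packages in the @antv scope that register an npm install-time lifecycle script (the hook the summary says the payload runs from) and report the size of any JavaScript file the hook invokes. The package tree below is constructed inline for the demonstration; the hook names are real npm lifecycle events, and the ~499 KB figure is only a heuristic to compare against, not an indicator of compromise on its own.

```python
"""Audit an npm install tree for scoped packages that run code at install time.
Added example, not code from the Microsoft report. The sample tree is constructed."""
import json
import tempfile
from pathlib import Path

# npm lifecycle events that execute during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(node_modules: str, scope: str = "@antv"):
    """Return [(package, hook, command, size_of_invoked_js_or_None)] for every
    package under `scope` whose package.json registers an install-time script."""
    findings = []
    scope_dir = Path(node_modules) / scope
    if not scope_dir.is_dir():
        return findings
    for pkg_json in sorted(scope_dir.glob("*/package.json")):
        meta = json.loads(pkg_json.read_text())
        for hook in INSTALL_HOOKS:
            cmd = meta.get("scripts", {}).get(hook)
            if not cmd:
                continue
            # Size of a .js file the hook references, to compare against the
            # ~499 KB payload size reported for this campaign (heuristic only).
            size = None
            for token in cmd.split():
                target = pkg_json.parent / token
                if token.endswith(".js") and target.is_file():
                    size = target.stat().st_size
            findings.append((f"{scope}/{pkg_json.parent.name}", hook, cmd, size))
    return findings


def build_sample_tree() -> str:
    """Constructed node_modules: one clean package, one with a postinstall hook."""
    root = tempfile.mkdtemp()
    clean = Path(root, "@antv", "clean-pkg")
    clean.mkdir(parents=True)
    clean.joinpath("package.json").write_text(
        json.dumps({"name": "@antv/clean-pkg", "version": "1.0.0"}))
    hooked = Path(root, "@antv", "hooked-pkg")
    hooked.mkdir(parents=True)
    hooked.joinpath("package.json").write_text(json.dumps(
        {"name": "@antv/hooked-pkg", "version": "1.0.1",
         "scripts": {"postinstall": "node setup.js"}}))
    # Placeholder file padded to roughly the reported payload size
    hooked.joinpath("setup.js").write_bytes(b"/* placeholder */" + b"x" * 499_000)
    return root


if __name__ == "__main__":
    for pkg, hook, cmd, size in find_install_hooks(build_sample_tree()):
        print(f"{pkg} registers {hook} -> {cmd!r} ({size} bytes)")
```

Running it against a real checkout is `find_install_hooks("node_modules")`; any hit should be compared against the pinned version in package-lock.json before deciding whether it is expected.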
Key quotes
Microsoft has identified an active supply chain attack targeting the @antv node package manager (npm) package ecosystem.
A threat actor compromised an @antv maintainer account and published malicious versions of widely used data-visualization packages, resulting in cascading downstream impact.
The compromise propagated through dependency chains into libraries like echarts-for-react (which has more than 1 million weekly downloads), expanding the blast radius into CI/CD pipelines and cloud workloads across the ecosystem.
The malicious payload—a ~499 KB obfuscated JavaScript file—runs during npm install and targets credentials across GitHub, AWS, Kubernetes, Vault, npm, and 1Password platforms.