Mini Shai-Hulud Compromises 639 npm Packages, Targeting AntV Ecosystem with Credential Theft
Cybersecurity researchers have identified a significant software supply chain attack campaign that has compromised numerous npm packages linked to the @antv ecosystem. This incident is part of the ongoing Mini Shai-Hulud attack wave, raising alarms about the vulnerabilities within popular development tools.
The attack specifically targets packages associated with the npm maintainer account “atool,” which includes “echarts-for-react,” a widely utilized React wrapper for Apache ECharts that boasts approximately 1.1 million weekly downloads. The implications of this attack are profound, as it affects a range of packages within the @antv namespace, including @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, and @antv/data-set. Additionally, related packages outside the @antv namespace, such as timeago.js and canvas-nest.js, are also impacted.
Attack Methodology and Scope
The application security firm Socket has indicated that the tactics employed in this attack align with the Mini Shai-Hulud campaign, characterized by the use of a compromised maintainer account to swiftly distribute trojanized package versions. This campaign has rapidly infiltrated various open-source registries, embedding credential-stealing code into numerous software packages.
The potential impact of this attack is substantial. The compromised publishing account is linked to widely used packages across various domains, including data visualization and React component ecosystems. Even if only a fraction of these packages received malicious updates, the popularity of the ecosystem poses significant downstream risks for organizations that automatically update their dependencies.
The attackers have reportedly published 639 malicious versions across 323 unique packages, with 558 versions affecting 279 unique @antv packages. The payload is designed to harvest over 20 types of credentials, including those for Amazon Web Services, Google Cloud, Microsoft Azure, GitHub, npm, and others. This payload is notably similar to the one used in the earlier SAP compromise.
Data Exfiltration Techniques
The stolen data is serialized, compressed, encrypted, and then exfiltrated to a designated domain. As a contingency, the malware utilizes stolen GitHub tokens to create public repositories under the victims’ accounts, committing the stolen data in JSON format. These repositories often carry the description “niagA oG eW ereH :duluH-iahS,” which, when reversed, reads “Shai-Hulud: Here We Go Again.” Currently, there are over 2,500 repositories on GitHub containing this marker.
StepSecurity has pointed out that these repositories are generated using GitHub tokens pilfered from compromised CI/CD environments. The sheer volume of over 2,000 repositories indicates a lower bound on the number of unique environments whose credentials have been successfully exfiltrated. If an organization’s GitHub token was among those stolen, it is likely that the attacker has leveraged it to create at least one repository under their control.
Propagation and Execution
The malware also incorporates npm propagation logic that exploits stolen npm tokens. It validates these tokens via the npm registry API, enumerates packages maintained by the token owner, downloads package tarballs, injects the malicious payload, adds a preinstall hook, increases package versions, and republishes them under the compromised maintainer’s identity.
SafeDep has noted that the attack employs two execution paths. Each compromised version adds a preinstall hook, with 630 out of 631 malicious versions also injecting an entry pointing to “imposter commits” that deliver a second copy of the payload via the legitimate antvis/G2 GitHub repository. The rapid 22-minute publish burst across 314 packages, totaling 631 versions with identical obfuscated payloads, indicates an automated and aggressive exfiltration process.
The Threat Landscape
The Mini Shai-Hulud campaign is believed to be orchestrated by a financially motivated threat actor known as TeamPCP. Recently, this group has entered a more aggressive phase, having released the entire source code of their framework for use by other malicious actors, as part of a supply chain attack contest in collaboration with BreachForums.
The open-sourcing of a production offensive framework is not unprecedented, but it is unusual for an active campaign. This development lowers the barrier for other threat actors to adopt TeamPCP’s methodologies, including sophisticated techniques such as OIDC token abuse and provenance forgery.
In the wake of this, an unknown threat actor has uploaded four malicious npm packages, one of which closely mirrors the Shai-Hulud worm, complete with its own command-and-control infrastructure. This indicates that cloned versions of the worm could potentially infiltrate open-source ecosystems.
The emergence of this copycat wave complicates attribution efforts while continuing to facilitate credential theft and subsequent exploitation. This incident underscores the risks associated with compromising trusted tools within enterprise networks, as one breach can lead to a cascading effect, expanding the attack’s reach.
Trend Micro has emphasized that this campaign is designed for large-scale credential theft. Organizations utilizing GitHub Actions, PyPI, Docker Hub, GitHub Container Registry, and cloud-connected CI runners are particularly vulnerable to these risks.
For further insights into this evolving threat landscape, refer to the original reporting source: thehackernews.com.
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
