TL;DR
A compromised npm account led to the publication of 637 malicious package versions affecting over 300 packages. The attack involved advanced payloads that harvest credentials and establish persistent backdoors, impacting major development projects.
On May 19, 2026, the npm account ‘aatool’ was compromised, leading to the publication of 637 malicious package versions across 317 packages within 22 minutes. This attack affects widely used packages including size-sensor, echarts-for-react, and @antv/scale, and involves sophisticated payloads designed to harvest credentials and establish persistent backdoors.
The attacker used an automated process to publish malicious versions of packages, exploiting semantic versioning ranges to ensure automatic resolution by users’ package managers. The payload, a 498KB obfuscated Bun script, matches the Mini Shai-Hulud toolkit used in a prior SAP-related compromise three weeks earlier. It targets a broad array of credentials, including AWS keys, GitHub tokens, SSH keys, and cloud service credentials, exfiltrating data by embedding it into public GitHub repositories under stolen tokens.
The malware also manipulates CI/CD pipelines by exchanging GitHub Actions OIDC tokens for npm publish tokens, signing artifacts with stolen identities via Sigstore, and injecting malicious workflows into repositories. Persistent system-level backdoors include a systemd service and macOS LaunchAgent named ‘kitty-monitor,’ which polls GitHub for commands and executes remote instructions. The attack also attempts Docker container escape by leveraging host socket access and propagates infection to other local Node.js projects.
Of the 637 published versions, 630 include a preinstall hook executing the malicious script, and many inject optional dependencies pointing to orphaned, forged commits in the ‘antvis/G2’ GitHub repository, exploiting GitHub’s sharing of fork objects. Indicators of compromise include specific package publish timestamps, payload SHA256 hash, and suspicious commit patterns in targeted repositories.
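The two package-level traits described above, a preinstall hook and optional dependencies that resolve to GitHub commits rather than the registry, can be checked in an installed dependency tree. The following is an added example, not code from the original report or from SafeDep; the function names, the sample manifest and its placeholder values are assumptions made for illustration.

```javascript
const fs = require("fs");
const path = require("path");

// Packages the article names as affected (the full list is not on the page).
const NAMED_IN_ARTICLE = new Set(["size-sensor", "echarts-for-react", "@antv/scale"]);
// Dependency specifiers npm resolves from a git host rather than the registry.
const GIT_SPEC = /^(github:|git\+|git:\/\/|https?:\/\/github\.com\/|[\w.-]+\/[\w.-]+(#.*)?$)/i;

// Constructed manifest; hook command, dependency name and commit are placeholders.
const SAMPLE_MANIFEST = {
  name: "size-sensor", version: "0.0.0-constructed",
  scripts: { preinstall: "bun run <payload-placeholder>" },
  optionalDependencies: { "placeholder-dep": "github:antvis/G2#<commit-placeholder>" },
};

// Findings are leads for review: legitimate packages also use preinstall hooks.
function auditManifest(manifest) {
  const findings = [];
  const hook = (manifest.scripts || {}).preinstall;
  if (typeof hook === "string") findings.push({ type: "preinstall-hook", detail: hook });
  for (const [dep, spec] of Object.entries(manifest.optionalDependencies || {})) {
    if (GIT_SPEC.test(String(spec))) findings.push({ type: "git-optional-dependency", detail: `${dep}@${spec}` });
  }
  if (NAMED_IN_ARTICLE.has(manifest.name)) findings.push({ type: "named-in-article", detail: `${manifest.name}@${manifest.version}` });
  return findings;
}

// Recursively audit every package.json under <root>/node_modules (scoped packages too).
function auditNodeModules(root) {
  const report = {};
  const dir = path.join(root, "node_modules");
  if (!fs.existsSync(dir)) return report;
  for (const entry of fs.readdirSync(dir)) {
    if (entry.startsWith(".")) continue;
    const names = entry.startsWith("@")
      ? fs.readdirSync(path.join(dir, entry)).map((n) => `${entry}/${n}`)
      : [entry];
    for (const name of names) {
      const pkgDir = path.join(dir, name);
      const file = path.join(pkgDir, "package.json");
      if (!fs.existsSync(file)) continue;
      const findings = auditManifest(JSON.parse(fs.readFileSync(file, "utf8")));
      if (findings.length) report[pkgDir] = findings;
      Object.assign(report, auditNodeModules(pkgDir));
    }
  }
  return report;
}
```

Calling `auditNodeModules(process.cwd())` from a project root returns a map of package directory to findings; a package named in the article still needs its installed version compared against the published advisory.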
Why It Matters
This incident is a significant security breach affecting a large ecosystem of npm packages used in numerous projects worldwide. The attack’s sophistication enables credential theft across multiple cloud platforms and persistent backdoors in developer environments, and creates the potential for widespread data exfiltration. It highlights vulnerabilities in supply chain security, especially in package publishing workflows and dependency management practices.
Developers, organizations, and security teams are at risk of compromised credentials, unauthorized access to cloud resources, and malicious code execution. The attack also raises concerns about the integrity of CI/CD pipelines and the security of automated package publishing processes, emphasizing the need for enhanced security measures in software supply chains.

Background
In recent weeks, the ‘Mini Shai-Hulud’ toolkit was identified in a prior SAP supply chain attack, where it was used to compromise enterprise systems through credential harvesting and persistent backdoors. The current incident marks a significant escalation, with the attacker leveraging the same toolkit to target open-source packages on npm, affecting widely used libraries with millions of downloads monthly. The attack exploits npm’s dependency resolution, which automatically updates packages within specified semver ranges, allowing malicious versions to be installed without users noticing.
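Whether a project would resolve to a newly published version depends on the range it declares. The following added example (not from the original report) evaluates exact, caret, tilde and `*` ranges against a new version; the project names and all version numbers are constructed and are not the versions published in the incident.

```javascript
// Handles exact, caret (^), tilde (~) and "*" on plain x.y.z versions only.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret or tilde range, following npm's semver rules.
function upperBound(op, [major, minor, patch]) {
  if (op === "~") return [major, minor + 1, 0];
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// true/false if the range admits the version, null if the range form is not handled.
function rangeAdmits(range, version) {
  const v = parseVersion(version);
  if (!v) return null;
  if (range.trim() === "*") return true;
  const m = /^([~^]?)(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) return null;
  const base = parseVersion(m[2]);
  if (m[1] === "") return compare(v, base) === 0;
  return compare(v, base) >= 0 && compare(v, upperBound(m[1], base)) < 0;
}

// Constructed manifests with constructed versions; not data from the incident.
const SAMPLE_PROJECTS = {
  "app-caret": { "size-sensor": "^1.0.1" },
  "app-tilde": { "size-sensor": "~1.0.1" },
  "app-pinned": { "size-sensor": "1.0.1" },
  "app-zero-major": { "size-sensor": "^0.2.4" },
};

// Names of projects whose declared range would accept newVersion of pkg.
function exposedProjects(projects, pkg, newVersion) {
  return Object.entries(projects)
    .filter(([, deps]) => deps[pkg] !== undefined && rangeAdmits(deps[pkg], newVersion) === true)
    .map(([name]) => name);
}
```

A committed lockfile installed with `npm ci` keeps the previously resolved version regardless of the declared range, so this exposure applies to installs that re-resolve dependencies.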
Previous supply chain attacks have demonstrated the risks of compromised package maintainers and dependency chains. This incident is notable for its use of orphaned commits with forged authorship, which exploit GitHub’s sharing of forked objects to host malicious payloads without altering visible repository histories. The attack also employs multiple persistence mechanisms, including CI/CD pipeline manipulation and system-level backdoors, making detection and remediation challenging.
“This attack demonstrates a sophisticated use of the Mini Shai-Hulud toolkit to compromise a broad set of npm packages, harvesting credentials and establishing persistent backdoors.”
— SafeDep Team
“The use of orphaned commits and dependency injection into popular packages represents a new level of supply chain attack complexity.”
— Security researcher
What Remains Unclear
Details are still emerging about the full extent of affected projects, the attacker’s ultimate goals, and whether additional malicious payloads are present. It is also unclear how the attacker initially gained access to the ‘aatool’ npm account, and whether other accounts have been compromised.
What’s Next
Security teams are investigating the scope of affected packages and compromised credentials. npm and affected package maintainers are expected to issue advisories, revoke malicious versions, and implement enhanced security measures. Organizations are advised to audit their dependencies, rotate compromised credentials, and monitor for signs of unauthorized access or data exfiltration.
Key Questions
Which packages were affected by the compromise?
Over 300 packages, including size-sensor, echarts-for-react, and @antv/scale, were affected by malicious versions published during the attack.
How did the attacker exfiltrate data?
The attacker used public GitHub repositories created under stolen tokens to embed and exfiltrate sensitive data, leveraging the GitHub API as a command-and-control channel.
What steps should developers take now?
Developers should audit dependencies, update to secure versions, revoke compromised credentials, and monitor their systems for unusual activity. Organizations should review CI/CD pipelines and credential management practices.
Is this attack ongoing or contained?
The attack was active on May 19, 2026, with ongoing investigations. It is not yet clear if additional malicious versions or payloads remain undetected.