EXECUTIVE SUMMARY
A malicious actor compromised an @antv maintainer account and published malicious versions of widely used data-visualization packages, resulting in a supply chain attack that propagated through dependency chains into libraries and CI/CD pipelines. The malicious payload, a ~499 KB obfuscated JavaScript file, runs silently during npm install and is purpose-built to steal credentials from GitHub Actions environments. It targets secrets across six platforms, including GitHub, Amazon Web Services, HashiCorp Vault, npm, Kubernetes, and 1Password, and uses multi-platform credential theft, GitHub Action Runner process memory scraping, privilege escalation, dual-channel data exfiltration, and Supply Chain Levels for Software Artifacts (SLSA) provenance forgery capabilities.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY
A malicious actor compromised an @antv maintainer account and published malicious versions of widely used data-visualization packages, resulting in a supply chain attack that propagated through dependency chains into libraries and CI/CD pipelines. The malicious payload, a ~499 KB obfuscated JavaScript file, runs silently during npm install and is purpose-built to steal credentials from GitHub Actions environments. It targets secrets across six platforms, including GitHub, Amazon Web Services, HashiCorp Vault, npm, Kubernetes, and 1Password, and uses multi-platform credential theft, GitHub Action Runner process memory scraping, privilege escalation, dual-channel data exfiltration, and Supply Chain Levels for Software Artifacts (SLSA) provenance forgery capabilities.[emaillocker id="1283"]
The malware infects systems through the npm package manager and executes a preinstall hook during npm install, running silently on affected systems. It uses environment gating to exit immediately if it's not running on GitHub Actions on Linux, and branch avoidance to skip certain branches when using Git API exfiltration. The payload is designed to evade analysis and has a deliberate focus on CI/CD environments.
It can infect systems running a variety of operating systems, including Linux and Windows, and can propagate through dependency chains. The @antv organization has since confirmed that the situation is now resolved, and GitHub has removed 640 malicious packages and invalidated 61,274 npm granular access tokens with write permissions and 2FA bypass. However, organisations should still take defensive actions to protect themselves from this threat, including reviewing dependency trees for direct or transitive usage of affected @antv packages, identifying systems that installed or built affected package versions during the suspected exposure window, and disabling pre- and post-installation script execution by ensuring npm install is run with --ignore-scripts.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| Initial Access | T1078 | Valid Accounts | — |
| Initial Access | T1195.001 | Supply Chain Compromise | Compromise Software Dependencies and Development Tools |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Credential Access | T1528 | Steal Application Access Token | — |
| Credential Access | T1003.001 | OS Credential Dumping | LSASS Memory |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Exfiltration | T1567.003 | Exfiltration Over Web Service | Exfiltration to Text Storage Sites |
REFERENCES:
The reports contain further technical details:
https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/
https://securityonline.info/antv-npm-supply-chain-attack-mini-shai-hulud-worm/