    Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack

    By The Tech Guy, May 20, 2026

    A fresh Mini Shai-Hulud supply chain attack has hit over 320 NPM packages, along with GitHub Actions and a VS Code extension, security researchers report.

    The NPM maintainer account ‘atool’, which has access to multiple packages across the @antv namespace, and which publishes timeago.js (1.5 million weekly downloads), was compromised and used to publish malicious package versions.

    The attack propagated downstream to other highly popular packages, including echarts-for-react (~1.1 million weekly downloads), “impacting a much broader set of applications and continuous integration (CI) environments,” Microsoft warned on Tuesday.

    According to Socket, roughly 639 malicious versions of the compromised packages were published across “data visualization, graphing, mapping, charting, and React component ecosystems”.

    “Across the full Mini Shai-Hulud campaign we have tracked 1,055 versions across 502 unique packages. The campaign spans NPM, PyPI, and Composer, with NPM representing the overwhelming majority of the activity: 1,048 NPM versions across 498 unique NPM packages, plus 6 PyPI entries across 3 packages and 1 Composer package-version entry,” Socket notes.

    Most of the affected packages are in the @antv namespace and contain an install-time payload that triggers a multi-stage infection chain in which payloads are fetched from GitHub-hosted infrastructure. Secondary payloads designed to steal credentials and achieve persistence are also downloaded, Wiz says.

    “Every compromised package carries an obfuscated payload that reads GitHub Actions runner process memory to extract masked CI/CD secrets in plaintext, harvests credentials from over 130 file paths covering AWS, GCP, Azure, Kubernetes, HashiCorp Vault, cryptocurrency wallets, and developer tools, then exfiltrates stolen data through two channels,” StepSecurity explains.

    As with previous Mini Shai-Hulud attacks, the harvested data is exfiltrated through GitHub repositories and through a fallback server, suggesting that the infamous hacking group TeamPCP mounted the attack.

    “The payload also contains NPM registry abuse logic. It can validate npm tokens through npm registry APIs, enumerate packages maintainable by the token owner, download package tarballs, inject the malicious payload, add a preinstall hook, bump package versions, and republish modified packages under the compromised maintainer’s identity,” Socket says.
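Because the infection relies on an install-time hook in republished versions, a dependency tree can be triaged from its lockfile alone. The following is an added example, not code from the article or from any of the vendors it quotes: it walks a parsed `package-lock.json` (lockfileVersion 2 or 3) and flags entries that match the names given in the article or that declare install scripts via npm's `hasInstallScript` flag. The severity labels, the package names `@antv/example-pkg` and `native-addon-example`, and all versions in the sample are constructed for illustration.

```javascript
// Added example: lockfile triage for the install-hook pattern described above.
// Watchlist entries come from the article; sample versions are constructed.
const WATCH_SCOPES = ["@antv"];
const WATCH_NAMES = ["timeago.js", "echarts-for-react"];
const MARKER = "node_modules/";

function packageName(key, entry) {
  // Aliased installs record the real name in entry.name; otherwise take the
  // segment after the last node_modules/ so nested copies resolve correctly.
  return entry.name || key.slice(key.lastIndexOf(MARKER) + MARKER.length);
}

function isWatched(name) {
  const scope = name.startsWith("@") ? name.split("/")[0] : null;
  return WATCH_NAMES.includes(name) || WATCH_SCOPES.includes(scope);
}

function auditLockfile(lock) {
  const rank = { high: 0, review: 1, info: 2 };
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "" || entry.link) continue; // skip the root project and symlinks
    const name = packageName(key, entry);
    const watched = isWatched(name);
    // npm sets hasInstallScript when a package has preinstall/install/postinstall
    const hook = entry.hasInstallScript === true;
    if (!watched && !hook) continue;
    const severity = watched && hook ? "high" : watched ? "review" : "info";
    findings.push({ name, version: entry.version, path: key, severity });
  }
  return findings.sort((a, b) =>
    rank[a.severity] - rank[b.severity] || (a.path < b.path ? -1 : 1));
}

// Constructed lockfile fragment (placeholder versions, not known-bad releases).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard", version: "1.0.0" },
    "node_modules/@antv/example-pkg": { version: "0.0.1", hasInstallScript: true },
    "node_modules/echarts-for-react": { version: "0.0.2" },
    "node_modules/native-addon-example": { version: "0.0.3", hasInstallScript: true },
    "node_modules/plain-lib": { version: "0.0.4" },
    "node_modules/app/node_modules/timeago.js": { version: "0.0.5", hasInstallScript: true },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

A hit means the entry needs its resolved version compared against the affected-version lists published by the vendors cited here; installing with `npm ci --ignore-scripts` keeps install hooks from running while that review happens.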

    Unlike in the previous campaigns, however, the malware was seen downloading and executing Python code from the attackers’ infrastructure, “effectively providing the operators with ongoing remote execution capabilities on compromised systems,” Wiz says.

    StepSecurity also observed the payload dropping persistent backdoors into Claude Code, and identified over 2,200 GitHub repositories containing exfiltrated data.

    Microsoft’s Durabletask Python SDK was also compromised in the fresh Mini Shai-Hulud campaign, with three malicious versions uploaded to PyPI within a 35-minute window, StepSecurity says.

    A fresh compromise of the popular GitHub Action actions-cool/issues-helper can also be linked to this campaign, Wiz says.
