Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave.

"The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly downloads," Socket said.

The list of affected packages includes @antv packages such as @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, and @antv/data-set, as well as related packages outside the @antv namespace, including echarts-for-react, timeago.js, size-sensor, canvas-nest.js, and others.

The application security company said the tradecraft matches Mini Shai-Hulud, where a compromised maintainer account is leveraged to push out trojanized versions in quick succession.
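A defender reading the two paragraphs above wants two quick checks: whether any of the named packages is present in a project's lockfile (the article gives names only, no affected version ranges, so every installed version is surfaced for review against the vendor advisory), and whether a package's registry history shows the "quick succession" publishing pattern described. The following script is an added example, not code from Socket or from the @antv project; the lockfile and the registry `time` map are constructed sample data, and the 24-hour window and two-release threshold are assumptions to tune.

```python
import json
from datetime import datetime, timedelta

# Package names reported as compromised in the article. No version ranges are
# given there, so every installed version of these names is listed for review.
AFFECTED_NAMES = {
    "@antv/g2", "@antv/g6", "@antv/x6", "@antv/l7", "@antv/s2", "@antv/f2",
    "@antv/g", "@antv/g2plot", "@antv/graphin", "@antv/data-set",
    "echarts-for-react", "timeago.js", "size-sensor", "canvas-nest.js",
}


def installed_packages(lockfile: dict):
    """Yield (name, version) for each entry of a lockfileVersion 2/3 package-lock.json.
    Keys under "packages" look like "node_modules/@antv/g2" or, for nested
    copies, "node_modules/foo/node_modules/@antv/g2"; the package name is
    whatever follows the last "node_modules/" segment."""
    for path, meta in lockfile.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", "")


def find_affected(lockfile: dict):
    """Return sorted (name, version) pairs whose name is on the affected list."""
    return sorted((n, v) for n, v in installed_packages(lockfile) if n in AFFECTED_NAMES)


def scan_lockfile(path: str):
    """Convenience wrapper: load a package-lock.json from disk and scan it."""
    with open(path, encoding="utf-8") as fh:
        return find_affected(json.load(fh))


def rapid_releases(time_map: dict, window=timedelta(hours=24), min_count=2):
    """Flag versions published in bursts.

    time_map is the "time" object returned by https://registry.npmjs.org/<name>
    (version -> ISO 8601 publish timestamp, plus "created"/"modified" keys).
    A version is flagged when at least `min_count` versions, itself included,
    were published within `window` of it. Bursts are the pattern the article
    describes; they are a trigger for review, not proof of compromise."""
    events = [
        (datetime.fromisoformat(ts.replace("Z", "+00:00")), ver)
        for ver, ts in time_map.items()
        if ver not in ("created", "modified")
    ]
    events.sort()
    flagged = {}
    for i, (t0, _) in enumerate(events):
        cluster = [(t, v) for t, v in events[i:] if t - t0 <= window]
        if len(cluster) >= min_count:
            for t, v in cluster:
                flagged[v] = t
    return [v for v, _ in sorted(flagged.items(), key=lambda kv: kv[1])]


# Constructed sample lockfile; versions here are illustrative, not known-bad.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/echarts-for-react": {"version": "3.0.2"},
        "node_modules/@antv/g2": {"version": "5.2.0"},
        "node_modules/some-lib/node_modules/size-sensor": {"version": "1.0.1"},
    },
}

# Constructed registry "time" map: two releases months apart, then two within
# a few hours of each other (the burst that should be flagged).
SAMPLE_TIMES = {
    "created": "2020-01-01T00:00:00.000Z",
    "modified": "2025-12-01T10:30:00.000Z",
    "3.0.1": "2024-06-10T12:00:00.000Z",
    "3.0.2": "2024-09-15T09:00:00.000Z",
    "3.0.3": "2025-12-01T08:00:00.000Z",
    "3.0.4": "2025-12-01T10:30:00.000Z",
}

if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_LOCK):
        print(f"review: {name}@{version} is on the affected-name list")
    print("burst-published versions:", rapid_releases(SAMPLE_TIMES))
```

Run it against a real project by calling `scan_lockfile("package-lock.json")`, and feed `rapid_releases` the `time` object fetched from the registry for each package it surfaces; a hit on either check means comparing the installed version with the advisory, not that the package is confirmed malicious.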

The development comes as the supply chain attack campaign continues to slither its way through the software supply chain, worming through different open-source registries rapidly and infecting hundreds of software packages by embedding credential-stealing code into popular development tools.